{
  "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "SPARTAN",
          "informationUri": "https://github.com/KamHiggs/higgs-platform",
          "semanticVersion": "1.2.0-higgs",
          "rules": [
            {
              "id": "hardcoded_secrets",
              "name": "hardcoded_secrets",
              "shortDescription": {
                "text": "Detector for known-pattern secret material in source code."
              },
              "defaultConfiguration": {
                "level": "note"
              }
            },
            {
              "id": "vulnerable_dependencies",
              "name": "vulnerable_dependencies",
              "shortDescription": {
                "text": "Detector for dependency manifest entries matching known-vulnerable ranges."
              },
              "defaultConfiguration": {
                "level": "note"
              }
            },
            {
              "id": "unsafe_deserialization_patterns",
              "name": "unsafe_deserialization_patterns",
              "shortDescription": {
                "text": "Detector for unsafe deserialization call patterns in source code."
              },
              "defaultConfiguration": {
                "level": "note"
              }
            },
            {
              "id": "missing_auth_on_declared_routes",
              "name": "missing_auth_on_declared_routes",
              "shortDescription": {
                "text": "Detector for declared routes that lack an authorization check."
              },
              "defaultConfiguration": {
                "level": "note"
              }
            },
            {
              "id": "sql_string_interpolation",
              "name": "sql_string_interpolation",
              "shortDescription": {
                "text": "Detector for SQL strings constructed via string interpolation."
              },
              "defaultConfiguration": {
                "level": "note"
              }
            },
            {
              "id": "path_traversal_patterns",
              "name": "path_traversal_patterns",
              "shortDescription": {
                "text": "Detector for path-traversal call patterns in source code."
              },
              "defaultConfiguration": {
                "level": "note"
              }
            }
          ]
        }
      },
      "automationDetails": {
        "id": "run_2026-05-04T04-36-01.158Z_60156b4c"
      },
      "results": [
        {
          "ruleId": "hardcoded_secrets",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "text": "Deterministic secret detector confirmed a redacted secret marker in executable code at src/app.ts:6."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/app.ts"
                }
              }
            }
          ],
          "partialFingerprints": {
            "spartan_finding_id": "finding_6f836709847f"
          },
          "properties": {
            "spartan_finding_id": "finding_6f836709847f",
            "spartan_finding_type": "hardcoded_secrets",
            "spartan_risk_class": "CRITICAL",
            "spartan_evidence_tier": "EVIDENCE_BACKED",
            "spartan_reproducer_class": "STATIC_PATH",
            "spartan_capsule_id": "6409463f0c788d8c5602b280bd7405fd1ee0080a8233c26caa72bfa6e7dbd4e7",
            "spartan_source_run_id": "run_2026-05-04T04-36-01.158Z_60156b4c",
            "spartan_v2_finding_id": "019df145-9002-707a-9d58-116f215cfefb",
            "spartan_commit_ref": "snapshot:demo-repo-v1"
          }
        },
        {
          "ruleId": "vulnerable_dependencies",
          "ruleIndex": 1,
          "level": "note",
          "message": {
            "text": "Dependency manifest entry lodash@4.17.20 falls inside the local demonstration vulnerable range < 4.17.21."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "package.json"
                }
              }
            }
          ],
          "partialFingerprints": {
            "spartan_finding_id": "finding_5d970445aef7"
          },
          "properties": {
            "spartan_finding_id": "finding_5d970445aef7",
            "spartan_finding_type": "vulnerable_dependencies",
            "spartan_risk_class": "HIGH",
            "spartan_evidence_tier": "EVIDENCE_BACKED",
            "spartan_reproducer_class": "STATIC_PATH",
            "spartan_capsule_id": "6409463f0c788d8c5602b280bd7405fd1ee0080a8233c26caa72bfa6e7dbd4e7",
            "spartan_source_run_id": "run_2026-05-04T04-36-01.158Z_60156b4c",
            "spartan_v2_finding_id": "019df145-9003-7759-8848-d1132ad9abda",
            "spartan_commit_ref": "snapshot:demo-repo-v1"
          }
        },
        {
          "ruleId": "unsafe_deserialization_patterns",
          "ruleIndex": 2,
          "level": "note",
          "message": {
            "text": "Static rule hit found yaml.load at src/server.py:12, and the corresponding module import confirms an unsafe deserialization pattern in pinned source."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/server.py"
                }
              }
            }
          ],
          "partialFingerprints": {
            "spartan_finding_id": "finding_626ec6aa0ed5"
          },
          "properties": {
            "spartan_finding_id": "finding_626ec6aa0ed5",
            "spartan_finding_type": "unsafe_deserialization_patterns",
            "spartan_risk_class": "HIGH",
            "spartan_evidence_tier": "ANALYST_HYPOTHESIS",
            "spartan_reproducer_class": "STATIC_PATH",
            "spartan_capsule_id": "6409463f0c788d8c5602b280bd7405fd1ee0080a8233c26caa72bfa6e7dbd4e7",
            "spartan_source_run_id": "run_2026-05-04T04-36-01.158Z_60156b4c",
            "spartan_v2_finding_id": "019df145-9004-7047-96c8-41d696d3f681",
            "spartan_commit_ref": "snapshot:demo-repo-v1"
          }
        },
        {
          "ruleId": "missing_auth_on_declared_routes",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "text": "Declared route <REDACTED:ABSOLUTE_PATH>:id has no route-level protection cues and the file contains no auth signals, so SPARTAN reports the route as unprotected based on this module alone."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/app.ts"
                }
              }
            }
          ],
          "partialFingerprints": {
            "spartan_finding_id": "finding_8da1796b4962"
          },
          "properties": {
            "spartan_finding_id": "finding_8da1796b4962",
            "spartan_finding_type": "missing_auth_on_declared_routes",
            "spartan_risk_class": "HIGH",
            "spartan_evidence_tier": "ANALYST_HYPOTHESIS",
            "spartan_reproducer_class": "STATIC_PATH",
            "spartan_capsule_id": "6409463f0c788d8c5602b280bd7405fd1ee0080a8233c26caa72bfa6e7dbd4e7",
            "spartan_source_run_id": "run_2026-05-04T04-36-01.158Z_60156b4c",
            "spartan_v2_finding_id": "019df145-9004-7103-aae3-10368108ab4d",
            "spartan_commit_ref": "snapshot:demo-repo-v1"
          }
        },
        {
          "ruleId": "missing_auth_on_declared_routes",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "text": "Declared route <REDACTED:ABSOLUTE_PATH>:name has no route-level protection cues and the file contains no auth signals, so SPARTAN reports the route as unprotected based on this module alone."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/app.ts"
                }
              }
            }
          ],
          "partialFingerprints": {
            "spartan_finding_id": "finding_1d0c68f0ec53"
          },
          "properties": {
            "spartan_finding_id": "finding_1d0c68f0ec53",
            "spartan_finding_type": "missing_auth_on_declared_routes",
            "spartan_risk_class": "HIGH",
            "spartan_evidence_tier": "ANALYST_HYPOTHESIS",
            "spartan_reproducer_class": "STATIC_PATH",
            "spartan_capsule_id": "6409463f0c788d8c5602b280bd7405fd1ee0080a8233c26caa72bfa6e7dbd4e7",
            "spartan_source_run_id": "run_2026-05-04T04-36-01.158Z_60156b4c",
            "spartan_v2_finding_id": "019df145-9004-723e-ada0-98c025086f2d",
            "spartan_commit_ref": "snapshot:demo-repo-v1"
          }
        },
        {
          "ruleId": "missing_auth_on_declared_routes",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "text": "Declared route <REDACTED:ABSOLUTE_PATH> has no route-level protection cues and the file contains no auth signals, so SPARTAN reports the route as unprotected based on this module alone."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/server.py"
                }
              }
            }
          ],
          "partialFingerprints": {
            "spartan_finding_id": "finding_17fe99ca832e"
          },
          "properties": {
            "spartan_finding_id": "finding_17fe99ca832e",
            "spartan_finding_type": "missing_auth_on_declared_routes",
            "spartan_risk_class": "HIGH",
            "spartan_evidence_tier": "ANALYST_HYPOTHESIS",
            "spartan_reproducer_class": "STATIC_PATH",
            "spartan_capsule_id": "6409463f0c788d8c5602b280bd7405fd1ee0080a8233c26caa72bfa6e7dbd4e7",
            "spartan_source_run_id": "run_2026-05-04T04-36-01.158Z_60156b4c",
            "spartan_v2_finding_id": "019df145-9004-7bef-80d7-dcb6a79f0dcc",
            "spartan_commit_ref": "snapshot:demo-repo-v1"
          }
        },
        {
          "ruleId": "missing_auth_on_declared_routes",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "text": "Declared route <REDACTED:ABSOLUTE_PATH><report_id> has no route-level protection cues and the file contains no auth signals, so SPARTAN reports the route as unprotected based on this module alone."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/server.py"
                }
              }
            }
          ],
          "partialFingerprints": {
            "spartan_finding_id": "finding_781289d0a1ae"
          },
          "properties": {
            "spartan_finding_id": "finding_781289d0a1ae",
            "spartan_finding_type": "missing_auth_on_declared_routes",
            "spartan_risk_class": "HIGH",
            "spartan_evidence_tier": "ANALYST_HYPOTHESIS",
            "spartan_reproducer_class": "STATIC_PATH",
            "spartan_capsule_id": "6409463f0c788d8c5602b280bd7405fd1ee0080a8233c26caa72bfa6e7dbd4e7",
            "spartan_source_run_id": "run_2026-05-04T04-36-01.158Z_60156b4c",
            "spartan_v2_finding_id": "019df145-9005-7515-af69-85e3eb5060c1",
            "spartan_commit_ref": "snapshot:demo-repo-v1"
          }
        },
        {
          "ruleId": "missing_auth_on_declared_routes",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "text": "Declared route <REDACTED:ABSOLUTE_PATH><filename> has no route-level protection cues and the file contains no auth signals, so SPARTAN reports the route as unprotected based on this module alone."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/server.py"
                }
              }
            }
          ],
          "partialFingerprints": {
            "spartan_finding_id": "finding_f81e4795845f"
          },
          "properties": {
            "spartan_finding_id": "finding_f81e4795845f",
            "spartan_finding_type": "missing_auth_on_declared_routes",
            "spartan_risk_class": "HIGH",
            "spartan_evidence_tier": "ANALYST_HYPOTHESIS",
            "spartan_reproducer_class": "STATIC_PATH",
            "spartan_capsule_id": "6409463f0c788d8c5602b280bd7405fd1ee0080a8233c26caa72bfa6e7dbd4e7",
            "spartan_source_run_id": "run_2026-05-04T04-36-01.158Z_60156b4c",
            "spartan_v2_finding_id": "019df145-9005-7ab9-92f4-6d71c70cd990",
            "spartan_commit_ref": "snapshot:demo-repo-v1"
          }
        },
        {
          "ruleId": "sql_string_interpolation",
          "ruleIndex": 4,
          "level": "note",
          "message": {
            "text": "Deterministic AST scan found interpolated SQL flowing into cursor.execute at src/server.py:21."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/server.py"
                }
              }
            }
          ],
          "partialFingerprints": {
            "spartan_finding_id": "finding_4ea7beb87904"
          },
          "properties": {
            "spartan_finding_id": "finding_4ea7beb87904",
            "spartan_finding_type": "sql_string_interpolation",
            "spartan_risk_class": "HIGH",
            "spartan_evidence_tier": "ANALYST_HYPOTHESIS",
            "spartan_reproducer_class": "STATIC_PATH",
            "spartan_capsule_id": "6409463f0c788d8c5602b280bd7405fd1ee0080a8233c26caa72bfa6e7dbd4e7",
            "spartan_source_run_id": "run_2026-05-04T04-36-01.158Z_60156b4c",
            "spartan_v2_finding_id": "019df145-9005-7714-82df-1ff359c296f4",
            "spartan_commit_ref": "snapshot:demo-repo-v1"
          }
        },
        {
          "ruleId": "path_traversal_patterns",
          "ruleIndex": 5,
          "level": "note",
          "message": {
            "text": "Static source-to-sink scan found filename flowing into os.path.join -> open at src/server.py:33 without an allowlisted sanitization step."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/server.py"
                }
              }
            }
          ],
          "partialFingerprints": {
            "spartan_finding_id": "finding_44a9d33b1c31"
          },
          "properties": {
            "spartan_finding_id": "finding_44a9d33b1c31",
            "spartan_finding_type": "path_traversal_patterns",
            "spartan_risk_class": "HIGH",
            "spartan_evidence_tier": "ANALYST_HYPOTHESIS",
            "spartan_reproducer_class": "STATIC_PATH",
            "spartan_capsule_id": "6409463f0c788d8c5602b280bd7405fd1ee0080a8233c26caa72bfa6e7dbd4e7",
            "spartan_source_run_id": "run_2026-05-04T04-36-01.158Z_60156b4c",
            "spartan_v2_finding_id": "019df145-9005-7d84-bb6b-05d7bd788723",
            "spartan_commit_ref": "snapshot:demo-repo-v1"
          }
        },
        {
          "ruleId": "path_traversal_patterns",
          "ruleIndex": 5,
          "level": "note",
          "message": {
            "text": "Static source-to-sink scan found filename flowing into os.path.join at src/server.py:33 without an allowlisted sanitization step."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/server.py"
                }
              }
            }
          ],
          "partialFingerprints": {
            "spartan_finding_id": "finding_86b3f17afeae"
          },
          "properties": {
            "spartan_finding_id": "finding_86b3f17afeae",
            "spartan_finding_type": "path_traversal_patterns",
            "spartan_risk_class": "HIGH",
            "spartan_evidence_tier": "ANALYST_HYPOTHESIS",
            "spartan_reproducer_class": "STATIC_PATH",
            "spartan_capsule_id": "6409463f0c788d8c5602b280bd7405fd1ee0080a8233c26caa72bfa6e7dbd4e7",
            "spartan_source_run_id": "run_2026-05-04T04-36-01.158Z_60156b4c",
            "spartan_v2_finding_id": "019df145-9005-7d00-a680-8fbd9df585ac",
            "spartan_commit_ref": "snapshot:demo-repo-v1"
          }
        }
      ],
      "properties": {
        "spartan_capsule_schema": "spartan.evidence_capsule.v0.1",
        "spartan_capsule_id": "6409463f0c788d8c5602b280bd7405fd1ee0080a8233c26caa72bfa6e7dbd4e7",
        "spartan_source_run_id": "run_2026-05-04T04-36-01.158Z_60156b4c",
        "spartan_redaction_policy_version": "1",
        "spartan_capsule_created_at": "2026-05-04T04:36:17.868Z",
        "spartan_verify_levels": [
          {
            "level": "STRUCTURE",
            "outcome": "PASS"
          },
          {
            "level": "REDACTION",
            "outcome": "PASS"
          },
          {
            "level": "AUDIT_DIGEST",
            "outcome": "PASS"
          },
          {
            "level": "SIGNATURE",
            "outcome": "NOT_PRESENT"
          },
          {
            "level": "REPLAY",
            "outcome": "NOT_PRESENT"
          }
        ],
        "spartan_non_claims": {
          "signed": false,
          "replay_bearing": false,
          "hermetic_execution": false,
          "compliance_certification": false,
          "production_gating": false
        },
        "spartan_commit_ref": "snapshot:demo-repo-v1",
        "spartan_commit_sha": "b42163c792cb51a8cc6ea778fad6bc267269ed6c"
      }
    }
  ]
}
