{
  "rule_ids": [
    "raw_ip_url",
    "plain_http_to_sink",
    "private_network_access"
  ],
  "severity": "HIGH",
  "command_redacted": "curl -s http://192.168.192.5:8000/v1/models 2>&1",
  "findings": [
    {
      "rule_id": "raw_ip_url",
      "severity": "MEDIUM",
      "title": "URL uses raw IP address",
      "description": "URL points to IP address 192.168.192.5 instead of a domain name",
      "evidence": [
        {
          "type": "url",
          "raw": "192.168.192.5"
        }
      ]
    },
    {
      "rule_id": "plain_http_to_sink",
      "severity": "HIGH",
      "title": "Plain HTTP URL in execution context",
      "description": "URL 'http://192.168.192.5:8000/v1/models' uses unencrypted HTTP and is being passed to a command that downloads or executes content. An attacker on the network could modify the content.",
      "evidence": [
        {
          "type": "url",
          "raw": "http://192.168.192.5:8000/v1/models"
        }
      ]
    },
    {
      "rule_id": "private_network_access",
      "severity": "HIGH",
      "title": "Private network access: 192.168.192.5",
      "description": "Command accesses private network address 192.168.192.5, which may indicate SSRF or lateral movement",
      "evidence": [
        {
          "type": "url",
          "raw": "http://192.168.192.5:8000/v1/models"
        }
      ],
      "mitre_id": "T1046"
    }
  ],
  "timestamp": "2026-07-03T16:25:24.803525+00:00"
}