registry  /  @codacy/verity-cli  /  0.28.0

@codacy/verity-cli@0.28.0

CLI for Verity quality gate service

Static Scan Results

scanned 6h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 619 KB of source, external domains: api.github.com, git-scm.com, github.com, nodejs.org

Source & flagged code

2 flagged · loading source
bin/verity.jsView file
960var EventEmitter = require("node:events").EventEmitter; L961: var childProcess = require("node:child_process"); L962: var path = require("node:path");
High
Child Process

Package source references child process execution.

bin/verity.jsView on unpkg · L960
16657try { L16658: (0, import_node_child_process11.execSync)("npm install -g @codacy/analysis-cli", { encoding: "utf-8", stdio: "pipe", timeout: 12e4 }); L16659: printInfo(" @codacy/analysis-cli installed \u2713");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/verity.jsView on unpkg · L16657

Findings

2 High3 Medium6 Low
HighChild Processbin/verity.js
HighRuntime Package Installbin/verity.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License