Static Scan Results
scanned 3d ago · by rust-scanner
Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence: public snapshot
Behavioral surface: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell, High Entropy Strings, Url Strings
Source & flagged code
3 flagged
dist/lib/github.js
L1: import { spawnSync } from "node:child_process";
L2: export function ensureGhInstalled(logger) {
High
dist/lib/digitalocean.js
L4: import { homedir } from "node:os";
L5: const DO_API = "https://api.digitalocean.com/v2";
L6: function readDoctlToken() {
L7: const configPath = process.platform === "darwin"
L8: ? join(homedir(), "Library", "Application Support", "doctl", "config.yaml")
L9: : join(homedir(), ".config", "doctl", "config.yaml");
...
L19: function getToken() {
L20: const token = process.env.DIGITALOCEAN_ACCESS_TOKEN ??
L21: process.env.DIGITALOCEAN_TOKEN ??
...
L39: return undefined;
L40: const body = await res.text();
L41: if (!res.ok) {
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/lib/digitalocean.js (L4)
dist/commands/deploy/functions.js
L32: try {
L33: const version = exec("bunx supabase --version", { silent: true, cwd });
L34: logger.info(`Supabase CLI found: ${version?.trim() ?? "unknown"}`);
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/commands/deploy/functions.js (L32)
Findings
4 High · 3 Medium · 5 Low
High · Child Process · dist/lib/github.js
High · Shell
High · Sandbox Evasion Gated Capability · dist/lib/digitalocean.js
High · Runtime Package Install · dist/commands/deploy/functions.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings