registry  /  @fabasoad/sarif-to-slack  /  1.4.2

@fabasoad/sarif-to-slack@1.4.2

TypeScript library to send results of SARIF file to Slack webhook URL.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Install-time activity is package-local metadata generation; runtime network use is the library’s explicit Slack-webhook feature.

Static reason
One or more suspicious static signals were detected.
Trigger
Package install runs `preinstall`; a consumer must call `SarifToSlackClient.create()` and `send()` to read SARIF files and post a message.
Impact
Writes `src/metadata.json` during install and may transmit selected SARIF-derived findings to the caller-provided Slack webhook.
Mechanism
Package-local build metadata generation and explicit SARIF-to-Slack webhook delivery.
Rationale
The install hook performs only package-local metadata generation and has no observed exfiltration, payload execution, persistence, or foreign control-surface mutation. Runtime file and network behavior is explicit, package-aligned SARIF parsing and Slack webhook delivery.
Evidence
package.jsonscripts/save-metadata.shsrc/SarifToSlackClient.tssrc/model/SlackMessage.tssrc/utils/FileUtils.tssrc/metadata.json
Network endpoints1
hooks.slack.com

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `package.json` defines `preinstall`.
  • `scripts/save-metadata.sh` writes `src/metadata.json` during install.
  • Runtime reads caller-selected SARIF files and sends a caller-supplied webhook message.
Evidence against
  • `preinstall` only derives version, Git SHA, and timestamp; no network access or foreign-path mutation.
  • `src/SarifToSlackClient.ts` reads only configured SARIF paths.
  • `src/model/SlackMessage.ts` sends only when consumer explicitly calls `send()` with its webhook URL.
  • No child-process use in runtime source, dynamic evaluation, credential harvesting, persistence, or destructive file operations found.
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 110 file(s), 337 KB of source, external domains: github.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.preinstall = ./scripts/save-metadata.sh
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.preinstall = ./scripts/save-metadata.sh
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
MakefileView file
path = Makefile kind = build_helper sizeBytes = 714 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

MakefileView on unpkg

Findings

1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumShips Build HelperMakefile
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings