AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed package-install or import-time attack surface. AWS API calls, secret writes, and the optional CodeBuild download are infrastructure behaviors activated only when consumers synthesize and deploy the corresponding CDK constructs.
Static reason
One or more suspicious static signals were detected.
Trigger
Consumer imports and explicitly instantiates CDK constructs, then deploys the generated AWS resources.
Impact
No credential harvesting, arbitrary local execution, exfiltration, persistence, or AI-agent control-surface mutation was found.
Mechanism
User-directed AWS CDK custom resources and CodeBuild configuration.
Rationale
The flagged primitives are package-aligned AWS infrastructure provisioning and run only through explicit CDK deployment paths. Static inspection found no malicious execution chain.
Evidence
package.jsondist/index.jsdist/lib/resources/aws/networking/hostedZone.jsdist/lib/lambda-assets/cert-generator/asset/index.jsdist/lib/lambda-assets/identity-store-user/asset/index.jsdist/lib/config/aws/ecrDefaultImage.js
Network endpoints3
github.compublic.ecr.awsfjall.io
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall, install, postinstall, or other lifecycle hook.
- dist/index.js only re-exports library modules; no import-time execution found.
- dist/lib/resources/aws/networking/hostedZone.js contains only static ESM imports, so the dynamic-require hint is a false positive.
- dist/lib/lambda-assets/cert-generator/asset/index.js generates TLS keys and writes only supplied AWS Secrets Manager ARNs during CloudFormation lifecycle events.
- dist/lib/lambda-assets/identity-store-user/asset/index.js performs scoped Identity Store user CRUD as a CDK custom-resource handler.
- dist/lib/config/aws/ecrDefaultImage.js downloads Docker buildx only inside an explicitly synthesized/deployed CodeBuild project.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcedist/lib/lambda-assets/cert-generator/asset/index.jsView file
18022patternName = private_key_rsa
severity = critical
line = 18022
matchedText = return `...----
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist/lib/lambda-assets/cert-generator/asset/index.jsView on unpkg · L1802218022patternName = private_key_rsa
severity = critical
line = 18022
matchedText = return `...----
Critical
Secret Pattern
RSA private key in dist/lib/lambda-assets/cert-generator/asset/index.js
dist/lib/lambda-assets/cert-generator/asset/index.jsView on unpkg · L18022dist/lib/resources/aws/networking/hostedZone.jsView file
9export class HostedZoneFactory {
L10: static import(stack, hostedZoneId, zoneName, opts) {
L11: const safeZone = toPascalCase(getSafeZoneName(zoneName));
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/lib/resources/aws/networking/hostedZone.jsView on unpkg · L9Findings
2 Critical3 Medium5 Low
CriticalCritical Secretdist/lib/lambda-assets/cert-generator/asset/index.js
CriticalSecret Patterndist/lib/lambda-assets/cert-generator/asset/index.js
MediumDynamic Requiredist/lib/resources/aws/networking/hostedZone.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License