registry  /  @fjall/components-infrastructure  /  2.29.0

@fjall/components-infrastructure@2.29.0

Published fjall infrastructure components and utilities.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed package-install or import-time attack surface. AWS API calls, secret writes, and the optional CodeBuild download are infrastructure behaviors activated only when consumers synthesize and deploy the corresponding CDK constructs.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer imports and explicitly instantiates CDK constructs, then deploys the generated AWS resources.
Impact
No credential harvesting, arbitrary local execution, exfiltration, persistence, or AI-agent control-surface mutation was found.
Mechanism
User-directed AWS CDK custom resources and CodeBuild configuration.
Rationale
The flagged primitives are package-aligned AWS infrastructure provisioning and run only through explicit CDK deployment paths. Static inspection found no malicious execution chain.
Evidence
package.jsondist/index.jsdist/lib/resources/aws/networking/hostedZone.jsdist/lib/lambda-assets/cert-generator/asset/index.jsdist/lib/lambda-assets/identity-store-user/asset/index.jsdist/lib/config/aws/ecrDefaultImage.js
Network endpoints3
github.compublic.ecr.awsfjall.io

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, postinstall, or other lifecycle hook.
    • dist/index.js only re-exports library modules; no import-time execution found.
    • dist/lib/resources/aws/networking/hostedZone.js contains only static ESM imports, so the dynamic-require hint is a false positive.
    • dist/lib/lambda-assets/cert-generator/asset/index.js generates TLS keys and writes only supplied AWS Secrets Manager ARNs during CloudFormation lifecycle events.
    • dist/lib/lambda-assets/identity-store-user/asset/index.js performs scoped Identity Store user CRUD as a CDK custom-resource handler.
    • dist/lib/config/aws/ecrDefaultImage.js downloads Docker buildx only inside an explicitly synthesized/deployed CodeBuild project.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 242 file(s), 1.66 MB of source, external domains: 127.0.0.1, clickhouse.com, github.com

    Source & flagged code

    3 flagged · loading source
    dist/lib/lambda-assets/cert-generator/asset/index.jsView file
    18022patternName = private_key_rsa severity = critical line = 18022 matchedText = return `...----
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    dist/lib/lambda-assets/cert-generator/asset/index.jsView on unpkg · L18022
    18022patternName = private_key_rsa severity = critical line = 18022 matchedText = return `...----
    Critical
    Secret Pattern

    RSA private key in dist/lib/lambda-assets/cert-generator/asset/index.js

    dist/lib/lambda-assets/cert-generator/asset/index.jsView on unpkg · L18022
    dist/lib/resources/aws/networking/hostedZone.jsView file
    9export class HostedZoneFactory { L10: static import(stack, hostedZoneId, zoneName, opts) { L11: const safeZone = toPascalCase(getSafeZoneName(zoneName));
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/lib/resources/aws/networking/hostedZone.jsView on unpkg · L9

    Findings

    2 Critical3 Medium5 Low
    CriticalCritical Secretdist/lib/lambda-assets/cert-generator/asset/index.js
    CriticalSecret Patterndist/lib/lambda-assets/cert-generator/asset/index.js
    MediumDynamic Requiredist/lib/resources/aws/networking/hostedZone.js
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License