Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 8 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/cli-info.jsView file
1import { execFileSync, spawnSync } from "node:child_process";
L2: import { resolveForstBinary, } from "./resolve.js";
...
L4: /**
L5: * Prints `@forst/cli` npm version, resolved native binary path, and `forst version` stdout.
L6: * Intended for diagnostics (`npx forst --forst-cli-info`).
...
L33: const bin = await resolveForstBinary(resolveOptions);
L34: const env = resolveOptions?.env ?? process.env;
L35: const go = process.platform === "win32" ? "go.exe" : "go";
L36: const r = spawnSync(go, ["version", "-m", bin], {
...
L42: if (code === "ENOENT") {
L43: throw new Error("go: not found on PATH. Install Go from https://go.dev/dl/ to use `go version -m` on the Forst binary.");
L44: }
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/cli-info.jsView on unpkg · L1Findings
1 High2 Medium5 Low
HighSandbox Evasion Gated Capabilitydist/cli-info.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings