registry  /  @harness-engineering/core  /  0.34.1

@harness-engineering/core@0.34.1

Core library for Harness Engineering toolkit

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 1.93 MB of source, external domains: api.github.com, api.linear.app, api.osv.dev, app.posthog.com, cwe.mitre.org, fetch.spec.whatwg.org, github.com, owasp.org, raw.githubusercontent.com

Source & flagged code

5 flagged · loading source
dist/index.jsView file
5238// src/validation/agent-configs/agnix-runner.ts L5239: var import_node_child_process = require("child_process"); L5240: var import_node_fs = require("fs");
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L5238
72} L73: async function findFiles(pattern, cwd = process.cwd(), extraIgnore = []) { L74: return (0, import_glob.glob)(pattern, { ... L226: type: "Program", L227: body: ast, L228: language: "typescript" ... L349: const require2 = createRequire(import_meta.url ?? __filename); L350: const pkgPath = require2.resolve("tree-sitter-wasms/package.json"); L351: const path55 = await import("path"); ... L1340: try { L1341: const pkg = JSON.parse(content.value); L1342: return extractPackageEntries(rootDir, pkg);
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/index.jsView on unpkg · L72
51"use strict"; L52: import_types = require("@harness-engineering/types"); L53: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L51
15536patterns: [/\beval\s*\(/, /new\s+Function\s*\(/], L15537: message: "eval() and Function constructor allow arbitrary code execution", L15538: remediation: "Use JSON.parse() for data, or a sandboxed interpreter for dynamic code",
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L15536
dist/index.mjsView file
180Cross-file remote execution chain: dist/index.mjs spawns dist/index.js; helper contains network access plus dynamic code execution. L180: throw new Error( L181: `Refusing to bind ${label} to port ${port}: this port is on the WHATWG fetch bad-ports list, so browsers and Node's fetch() will reject every connection with "bad port". Choose a d... L182: ); ... L400: try { L401: parsed = JSON.parse(raw); L402: } catch (e) { ... L509: name: z2.enum([...REQUIRED_STRATEGY_SECTIONS2, ...OPTIONAL_STRATEGY_SECTIONS2]), L510: body: z2.string() L511: }); ... L703: // src/validation/agent-configs/agnix-runner.ts L704: import { spawn } from "child_process"; L705: import { existsSync } from "fs";
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.mjsView on unpkg · L180

Findings

4 High4 Medium5 Low
HighChild Processdist/index.js
HighShell
HighObfuscated Payload Loaderdist/index.js
HighCross File Remote Execution Contextdist/index.mjs
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings