
@invarn/cibuild@2.2.9

CI Build CLI — local pipeline orchestration and validation

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 20 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot

Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Shell
Supply chain: High Entropy Strings, Obfuscated, Url Strings
Manifest: No manifest risk signals triggered.
scanned 119 file(s), 2.45 MB of source, external domains: 127.0.0.1, adoptium.net, api.qrserver.com, api.slack.com, appdistribution.firebase.dev, ci.example.com, cibuild.io, cli.github.com, developer.android.com, example.com, git-scm.com, github.com, gitlab.com, hooks.slack.com, my-ci.com, testflight.apple.com, www.apple.com

Source & flagged code

12 flagged

dist/src/yaml/steps/xcode.js
L289: patternName = private_key_rsa severity = critical line = 289 matchedText = // Secre...ded.
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/src/yaml/steps/xcode.js · L289

L289: patternName = private_key_rsa severity = critical line = 289 matchedText = // Secre...ded.
Critical
Secret Pattern

RSA private key in dist/src/yaml/steps/xcode.js

dist/src/yaml/steps/xcode.js · L289

dist/src/yaml/fidelity-input-digest.test.js
L35: const require = createRequire(import.meta.url);
L36: const twin = new Function('require', RENDER_SCRIPT_SOURCE_DIGEST_STAGE +
L37: '\nreturn { __fidSourceDigest: __fidSourceDigest, __fidIsHermetic: __fidIsHermetic };')(require);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/src/yaml/fidelity-input-digest.test.js · L35

L14: function f(path, content) {
L15: return { path, bytes: Buffer.from(content, 'utf8') };
L16: }
...
L25: }
L26: /** 4-byte big-endian length prefix — mirrors the module-private `len`. */
L27: function len(n) {
...
L35: const require = createRequire(import.meta.url);
L36: const twin = new Function('require', RENDER_SCRIPT_SOURCE_DIGEST_STAGE +
L37: '\nreturn { __fidSourceDigest: __fidSourceDigest, __fidIsHermetic: __fidIsHermetic };')(require);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/src/yaml/fidelity-input-digest.test.js · L14

dist/cli.cjs
L1: #!/usr/bin/env node
L2: const _0x273201=_0x57cb;(function(_0xcb28cb,_0x4e2821){const _0x58189d=_0x57cb,_0x3faada=_0xcb28cb();while(!![]){try{const _0x23c877=parseInt(_0x58189d(0xcab))/0x1+parseInt(_0x5818...
L3: // Write the helper into the harness dir once (idempotent across screens).
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/cli.cjs · L1

L1: #!/usr/bin/env node
L2: const _0x273201=_0x57cb;(function(_0xcb28cb,_0x4e2821){const _0x58189d=_0x57cb,_0x3faada=_0xcb28cb();while(!![]){try{const _0x23c877=parseInt(_0x58189d(0xcab))/0x1+parseInt(_0x5818...
L3: // Write the helper into the harness dir once (idempotent across screens).
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli.cjs · L1

dist/src/yaml/env-resolver.js
L8: import * as path from 'path';
L9: import { execSync } from 'child_process';
L10: import { SecretsManager } from './secrets-manager.js';
...
L21: ' ┌────────────────────────────────────────────────────────┐\n' +
L22: ' │ https://example.com/downloads/myapp-v1.0.0.apk │\n' +
L23: ' │ https://appdistribution.firebase.dev/i/abc123 │\n' +
...
L235: // Resolve relative path to absolute path
L236: const absolutePath = path.resolve(process.cwd(), filePath);
L237: // Check if file exists
...
L261: // CI Build native variables (FR-9.2)
L262: const buildNumber = process.env.BUILD_NUMBER || '1';
L263: const buildUrl = process.env.BUILD_URL || 'https://cibuild.io/builds/1';
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/src/yaml/env-resolver.js · L8

dist/src/yaml/steps/bitrise-ssh.test.js
L26: patternName = private_key_rsa severity = critical line = 26 matchedText = SSH_RSA_...--',
Critical
Secret Pattern

RSA private key in dist/src/yaml/steps/bitrise-ssh.test.js

dist/src/yaml/steps/bitrise-ssh.test.js · L26

L39: patternName = private_key_rsa severity = critical line = 39 matchedText = SSH_RSA_...--',
Critical
Secret Pattern

RSA private key in dist/src/yaml/steps/bitrise-ssh.test.js

dist/src/yaml/steps/bitrise-ssh.test.js · L39

L159: patternName = private_key_rsa severity = critical line = 159 matchedText = SSH_RSA_...----
Critical
Secret Pattern

RSA private key in dist/src/yaml/steps/bitrise-ssh.test.js

dist/src/yaml/steps/bitrise-ssh.test.js · L159

dist/src/yaml/steps/bitrise-ssh.js
L39: patternName = private_key_rsa severity = critical line = 39 matchedText = ' │ ---...n' +
Critical
Secret Pattern

RSA private key in dist/src/yaml/steps/bitrise-ssh.js

dist/src/yaml/steps/bitrise-ssh.js · L39

L45: patternName = private_key_openssh severity = critical line = 45 matchedText = ' │ ---...n' +
Critical
Secret Pattern

OpenSSH private key in dist/src/yaml/steps/bitrise-ssh.js

dist/src/yaml/steps/bitrise-ssh.js · L45

Findings

7 Critical · 3 High · 3 Medium · 7 Low

Critical · Critical Secret · dist/src/yaml/steps/xcode.js
Critical · Secret Pattern · dist/src/yaml/steps/xcode.js
Critical · Secret Pattern · dist/src/yaml/steps/bitrise-ssh.test.js
Critical · Secret Pattern · dist/src/yaml/steps/bitrise-ssh.test.js
Critical · Secret Pattern · dist/src/yaml/steps/bitrise-ssh.test.js
Critical · Secret Pattern · dist/src/yaml/steps/bitrise-ssh.js
Critical · Secret Pattern · dist/src/yaml/steps/bitrise-ssh.js
High · Sandbox Evasion Gated Capability · dist/src/yaml/env-resolver.js
High · Obfuscated Payload Loader · dist/cli.cjs
High · Obfuscated
Medium · Dynamic Require · dist/cli.cjs
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · dist/src/yaml/fidelity-input-digest.test.js
Low · Weak Crypto · dist/src/yaml/fidelity-input-digest.test.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings