
@invarn/cibuild@2.3.0

⚠ Under review

CI Build CLI — local pipeline orchestration and validation

Static Scan Results

scanned 5h ago · by rust-scanner

Static analysis flagged 21 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

public snapshot

Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Shell
Supply chain: HighEntropyStrings, Obfuscated, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 119 file(s), 2.47 MB of source, external domains: 127.0.0.1, adoptium.net, api.qrserver.com, api.slack.com, appdistribution.firebase.dev, ci.example.com, cibuild.io, cli.github.com, developer.android.com, example.com, git-scm.com, github.com, gitlab.com, hooks.slack.com, my-ci.com, testflight.apple.com, www.apple.com

Source & flagged code

13 flagged

dist/src/yaml/steps/xcode.js
L289: patternName = private_key_rsa · severity = critical · line = 289 · matchedText = // Secre...ded.
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/src/yaml/steps/xcode.js · L289
L289: patternName = private_key_rsa · severity = critical · line = 289 · matchedText = // Secre...ded.
Critical
Secret Pattern

RSA private key in dist/src/yaml/steps/xcode.js

dist/src/yaml/steps/xcode.js · L289

dist/src/yaml/fidelity-input-digest.test.js
L35: const require = createRequire(import.meta.url);
L36: const twin = new Function('require', RENDER_SCRIPT_SOURCE_DIGEST_STAGE +
L37: '\nreturn { __fidSourceDigest: __fidSourceDigest, __fidIsHermetic: __fidIsHermetic };')(require);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/src/yaml/fidelity-input-digest.test.js · L35
L14: function f(path, content) {
L15: return { path, bytes: Buffer.from(content, 'utf8') };
L16: }
...
L25: }
L26: /** 4-byte big-endian length prefix — mirrors the module-private `len`. */
L27: function len(n) {
...
L35: const require = createRequire(import.meta.url);
L36: const twin = new Function('require', RENDER_SCRIPT_SOURCE_DIGEST_STAGE +
L37: '\nreturn { __fidSourceDigest: __fidSourceDigest, __fidIsHermetic: __fidIsHermetic };')(require);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/src/yaml/fidelity-input-digest.test.js · L14

dist/cli.cjs
matchType = previous_version_dangerous_delta
matchedPackage = @invarn/cibuild@2.2.9
matchedIdentity = npm:QGludmFybi9jaWJ1aWxk:2.2.9
similarity = 0.974
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.cjs
L1: #!/usr/bin/env node
L2: const _0x3f9354=_0xb505;(function(_0x3564b9,_0x14c37e){const _0x395893=_0xb505,_0x491980=_0x3564b9();while(!![]){try{const _0x31597e=-parseInt(_0x395893(0x38b))/0x1+-parseInt(_0x39...
L3: // Write the helper into the harness dir once (idempotent across screens).
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/cli.cjs · L1
L1: #!/usr/bin/env node
L2: const _0x3f9354=_0xb505;(function(_0x3564b9,_0x14c37e){const _0x395893=_0xb505,_0x491980=_0x3564b9();while(!![]){try{const _0x31597e=-parseInt(_0x395893(0x38b))/0x1+-parseInt(_0x39...
L3: // Write the helper into the harness dir once (idempotent across screens).
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli.cjs · L1

dist/src/yaml/env-resolver.js
L8: import * as path from 'path';
L9: import { execSync } from 'child_process';
L10: import { SecretsManager } from './secrets-manager.js';
...
L21: ' ┌────────────────────────────────────────────────────────┐\n' +
L22: ' │ https://example.com/downloads/myapp-v1.0.0.apk │\n' +
L23: ' │ https://appdistribution.firebase.dev/i/abc123 │\n' +
...
L235: // Resolve relative path to absolute path
L236: const absolutePath = path.resolve(process.cwd(), filePath);
L237: // Check if file exists
...
L261: // CI Build native variables (FR-9.2)
L262: const buildNumber = process.env.BUILD_NUMBER || '1';
L263: const buildUrl = process.env.BUILD_URL || 'https://cibuild.io/builds/1';
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/src/yaml/env-resolver.js · L8

dist/src/yaml/steps/bitrise-ssh.test.js
L26: patternName = private_key_rsa · severity = critical · line = 26 · matchedText = SSH_RSA_...--',
Critical
Secret Pattern

RSA private key in dist/src/yaml/steps/bitrise-ssh.test.js

dist/src/yaml/steps/bitrise-ssh.test.js · L26
L39: patternName = private_key_rsa · severity = critical · line = 39 · matchedText = SSH_RSA_...--',
Critical
Secret Pattern

RSA private key in dist/src/yaml/steps/bitrise-ssh.test.js

dist/src/yaml/steps/bitrise-ssh.test.js · L39
L159: patternName = private_key_rsa · severity = critical · line = 159 · matchedText = SSH_RSA_...----
Critical
Secret Pattern

RSA private key in dist/src/yaml/steps/bitrise-ssh.test.js

dist/src/yaml/steps/bitrise-ssh.test.js · L159

dist/src/yaml/steps/bitrise-ssh.js
L39: patternName = private_key_rsa · severity = critical · line = 39 · matchedText = ' │ ---...n' +
Critical
Secret Pattern

RSA private key in dist/src/yaml/steps/bitrise-ssh.js

dist/src/yaml/steps/bitrise-ssh.js · L39
L45: patternName = private_key_openssh · severity = critical · line = 45 · matchedText = ' │ ---...n' +
Critical
Secret Pattern

OpenSSH private key in dist/src/yaml/steps/bitrise-ssh.js

dist/src/yaml/steps/bitrise-ssh.js · L45

Findings

8 Critical · 3 High · 3 Medium · 7 Low

Critical · Critical Secret · dist/src/yaml/steps/xcode.js
Critical · Previous Version Dangerous Delta · dist/cli.cjs
Critical · Secret Pattern · dist/src/yaml/steps/xcode.js
Critical · Secret Pattern · dist/src/yaml/steps/bitrise-ssh.test.js
Critical · Secret Pattern · dist/src/yaml/steps/bitrise-ssh.test.js
Critical · Secret Pattern · dist/src/yaml/steps/bitrise-ssh.test.js
Critical · Secret Pattern · dist/src/yaml/steps/bitrise-ssh.js
Critical · Secret Pattern · dist/src/yaml/steps/bitrise-ssh.js
High · Sandbox Evasion Gated Capability · dist/src/yaml/env-resolver.js
High · Obfuscated Payload Loader · dist/cli.cjs
High · Obfuscated
Medium · Dynamic Require · dist/cli.cjs
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · dist/src/yaml/fidelity-input-digest.test.js
Low · Weak Crypto · dist/src/yaml/fidelity-input-digest.test.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings