Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 8 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/esm/server/workloadIdentity.jsView file
1var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
L2: if (kind === "m") throw new TypeError("Private method is not writable");
...
L70: : discoveryEnvVars;
L71: const found = envNames.find((name) => process.env[name]);
L72: if (!found || !process.env[found]) {
...
L121: _FileTokenSource_tokenFilePath = new WeakMap();
L122: const DEFAULT_GCP_METADATA_URL = "http://metadata.google.internal";
L123: const DEFAULT_GCP_TIMEOUT_MS = 5000;
...
L153: });
L154: body = await response.text();
L155: }
...
L231: });
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/esm/server/workloadIdentity.jsView on unpkg · L1Findings
1 High3 Medium4 Low
HighCloud Metadata Accessdist/esm/server/workloadIdentity.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings