Static Scan Results
scanned 4d ago · by rust-scanner
Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · HighEntropyStrings · UrlStrings
Source & flagged code
2 flagged
src/providers/google-auth.ts
L24: const OAUTH_TOKEN_URL = "https://oauth2.googleapis.com/token";
L25: const METADATA_TOKEN_URL = "http://metadata.google.[redacted]-accounts/default/token";
L26: const CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform";
...
L36: client_email: string;
L37: private_key: string;
L38: private_key_id?: string;
...
L70: function userAdcPath(): string {
L71: return path.join(os.homedir(), ".config", "gcloud", "application_default_credentials.json");
L72: }
...
L75: try {
L76: return (await Bun.file(filePath).json()) as T;
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
src/providers/google-auth.ts · L23
src/providers/__tests__/google-auth.test.ts
patternName = private_key_rsa
severity = critical
line = 25
matchedText = return `...\n`;
Critical
Secret Pattern
RSA private key in src/providers/__tests__/google-auth.test.ts
src/providers/__tests__/google-auth.test.ts · L25
Findings
1 Critical · 1 High · 3 Medium · 4 Low
Critical · Secret Pattern · src/providers/__tests__/google-auth.test.ts
High · Cloud Metadata Access · src/providers/google-auth.ts
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings