Static Scan Results
scanned 7d ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
NoLicense
Source & flagged code
3 flagged · loading sourcebin/cli.jsView file
18import fs from "node:fs";
L19: import { spawnSync } from "node:child_process";
L20:
High
18Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, sensitive-file+network, execution+network
L18: import fs from "node:fs";
L19: import { spawnSync } from "node:child_process";
L20:
L21: const cmd = process.argv[2];
L22: const cwd = process.cwd();
L23:
L24: function runVite(args) {
L25: const bin = path.join(cwd, "node_modules", ".bin", process.platform === "win32" ? "vite.cmd" : "vite");
L26: const exec = fs.existsSync(bin) ? bin : "vite";
...
L36: function readEnv(name) {
L37: if (process.env[name]) return process.env[name];
L38: const envPath = path.join(cwd, ".env");
High
Entrypoint Build Divergence
Manifest entrypoint contains risky behavior absent from dist/build output.
bin/cli.jsView on unpkg · L1818import fs from "node:fs";
L19: import { spawnSync } from "node:child_process";
L20:
...
L29: console.error("Falha ao executar vite:", r.error.message);
L30: console.error("Instale o vite no projeto da Central: npm i -D vite");
L31: process.exit(1);
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
bin/cli.jsView on unpkg · L18Findings
4 High3 Medium4 Low
HighChild Processbin/cli.js
HighShell
HighEntrypoint Build Divergencebin/cli.js
HighRuntime Package Installbin/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowNo License