registry  /  @pipeline-builder/pipeline-manager  /  3.4.139

@pipeline-builder/pipeline-manager@3.4.139

CLI for Pipeline Builder self-service AWS CodePipeline platform with 125 reusable containerized plugins, per-org compliance enforcement, and per-organization (and team) isolation.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 58 file(s), 1.22 MB of source, external domains: dl.k8s.io, github.com, registry.npmjs.org, storage.googleapis.com

Source & flagged code

3 flagged · loading source
dist/agent/tools.jsView file
7* so both the prereq checks (`has()` → `command -v`) and the deploy (`bash -lc`, L8: * which inherits process.env.PATH) find it. L9: */ L10: import { execSync } from 'child_process'; L11: import { existsSync, mkdirSync } from 'fs'; ... L14: /** Cache dir for fetched tool binaries (kept across runs so we fetch once). */ L15: export const TOOLS_DIR = path.join(os.homedir(), '.pipeline-manager', 'tools'); L16: /** ... L29: const FETCHABLE = { L30: yq: (osId, arch) => `https://github.[redacted]yq_${osId}_${arch}`, L31: minikube: (osId, arch) => `https://storage.googleapis.[redacted]-${osId}-${arch}`, ... L42: function hostOsArch() {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/agent/tools.jsView on unpkg · L7
dist/agent/ai.jsView file
41package = @pipeline-builder/pipeline-manager; repositoryIdentity = pipeline-builder; dependency = @pipeline-builder/ai-core L41: try { L42: return await import('@pipeline-builder/ai-core'); L43: }
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/agent/ai.jsView on unpkg · L41
dist/utils/cdk-utils.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @pipeline-builder/pipeline-manager@3.4.137 matchedIdentity = npm:[redacted]:3.4.137 similarity = 0.836 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/utils/cdk-utils.jsView on unpkg

Findings

3 High3 Medium4 Low
HighSandbox Evasion Gated Capabilitydist/agent/tools.js
HighCopied Package Dependency Bridgedist/agent/ai.js
HighPrevious Version Dangerous Deltadist/utils/cdk-utils.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings