registry  /  @pipeline-builder/pipeline-manager  /  3.4.135

@pipeline-builder/pipeline-manager@3.4.135

CLI for Pipeline Builder self-service AWS CodePipeline platform with 125 reusable containerized plugins, per-org compliance enforcement, and per-organization (and team) isolation.

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 58 file(s), 1.22 MB of source, external domains: dl.k8s.io, github.com, registry.npmjs.org, storage.googleapis.com

Source & flagged code

2 flagged · loading source
dist/agent/tools.jsView file
7* so both the prereq checks (`has()` → `command -v`) and the deploy (`bash -lc`, L8: * which inherits process.env.PATH) find it. L9: */ L10: import { execSync } from 'child_process'; L11: import { existsSync, mkdirSync } from 'fs'; ... L14: /** Cache dir for fetched tool binaries (kept across runs so we fetch once). */ L15: export const TOOLS_DIR = path.join(os.homedir(), '.pipeline-manager', 'tools'); L16: /** ... L29: const FETCHABLE = { L30: yq: (osId, arch) => `https://github.[redacted]yq_${osId}_${arch}`, L31: minikube: (osId, arch) => `https://storage.googleapis.[redacted]-${osId}-${arch}`, ... L42: function hostOsArch() {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/agent/tools.jsView on unpkg · L7
dist/agent/ai.jsView file
41package = @pipeline-builder/pipeline-manager; repositoryIdentity = pipeline-builder; dependency = @pipeline-builder/ai-core L41: try { L42: return await import('@pipeline-builder/ai-core'); L43: }
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/agent/ai.jsView on unpkg · L41

Findings

2 High3 Medium4 Low
HighSandbox Evasion Gated Capabilitydist/agent/tools.js
HighCopied Package Dependency Bridgedist/agent/ai.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings