Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 8 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
FilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/credential.jsView file
5* platform session. A static API key is one source; a workload's ambient OIDC
L6: * token (GCP metadata server, GitHub Actions) is another. `fetch()` is called
L7: * only on initial login + refresh-death — never per request — so a workload
...
L33: }
L34: const GCP_METADATA_ID_TOKEN_URL = "http://metadata.google.[redacted]-accounts/default/identity";
L35: /** GCP workload identity (Cloud Run / GKE / GCE) via the metadata server. */
...
L55: }
L56: const text = (await resp.text()).trim();
L57: if (!resp.ok || !text) {
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/credential.jsView on unpkg · L5Findings
1 High2 Medium5 Low
HighCloud Metadata Accessdist/credential.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings