Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcetooling/tests/ssr-safety.mjsView file
10* For each folder under `srcDir` (excluding `excludeDirs`), the helper resolves
L11: * `<srcDir>/<name>/<moduleEntry>` and `await import(...)` it. If the import
L12: * throws or the module accesses a missing global at top level, the test fails.
Medium
Dynamic Require
Package source references dynamic require/import behavior.
tooling/tests/ssr-safety.mjsView on unpkg · L10tooling/playwright/playwright.config.mjsView file
5Manifest entrypoint (manifest.exports) carries capability families absent from dist/build output: environment+network
L5: fullyParallel: true,
L6: forbidOnly: !!process.env.CI,
L7: retries: process.env.CI ? 2 : 0,
...
L10: use: {
L11: baseURL: process.env.PLAYWRIGHT_BASE_URL ?? 'http://localhost:3000',
L12: trace: 'on-first-retry',
High
Entrypoint Build Divergence
Manifest entrypoint contains risky behavior absent from dist/build output.
tooling/playwright/playwright.config.mjsView on unpkg · L5tooling/semantic-release/index.mjsView file
11],
L12: repositoryUrl: `https://gitlab-ci-token:${process.env.GITLAB_TOKEN}@gitlab.com/${process.env.CI_PROJECT_NAMESPACE}/${process.env.CI_PROJECT_NAME}.git`,
L13: plugins: [
...
L43: {
L44: assets: ['dist/*.js', 'dist/*.js.map', 'CHANGELOG.md', 'package.json', 'README.md'],
L45: message: 'chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}',
...
L54: ],
L55: // npm publishing is opt-in via NPM_TOKEN: a repo that provides the token
L56: // publishes; one that doesn't (GitLab releases only) gets a green release
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
tooling/semantic-release/index.mjsView on unpkg · L11Findings
2 High3 Medium5 Low
HighEntrypoint Build Divergencetooling/playwright/playwright.config.mjs
HighSandbox Evasion Gated Capabilitytooling/semantic-release/index.mjs
MediumDynamic Requiretooling/tests/ssr-safety.mjs
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings