registry  /  @rulebricks/cli  /  2.3.6

@rulebricks/cli@2.3.6

CLI for deploying and managing private Rulebricks instances

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 82 file(s), 1.04 MB of source, external domains: abcdefghijkl.supabase.co, acme-v02.api.letsencrypt.org, api.github.com, aps-workspaces.us-east-1.amazonaws.com, aps.example.com, awscli.amazonaws.com, bucket.s3.amazonaws.com, cdn.jsdelivr.net, cloud.google.com, docs.aws.amazon.com, docs.microsoft.com, eastus-1.in.applicationinsights.azure.com, elasticsearch.example.com, example.com, example.eastus-1.ingest.monitor.azure.com, example.eastus.metrics.ingest.monitor.azure.com, example.monitor.azure.com, example.okta.com, fonts.googleapis.com, fonts.gstatic.com, github.com, hub.docker.com, jslib.k6.io, k6.io, keycloak.example.com, login.microsoftonline.com, logs.example.com, loki.example.com, metrics.example.com, otlp-gateway.example.com, platform.openai.com, prefix-files.s3.us-west-2.amazonaws.com, prometheus-prod-01.grafana.net, raw.githubusercontent.com, rb-deployment.apm.us-east-1.aws.elastic-cloud.com, rb-deployment.es.us-east-1.aws.elastic-cloud.com, rulebricks.com, splunk.example.com, xxxxx.supabase.co, your-instance.com, your-org.okta.com, your-project.projects.oryapis.com

Source & flagged code

11 flagged · loading source
dist/lib/configFixtures.jsView file
417patternName = generic_password severity = medium line = 417 matchedText = password...rd",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/lib/configFixtures.jsView on unpkg · L417
526patternName = generic_password severity = medium line = 526 matchedText = password...ss",
Medium
Secret Pattern

Hardcoded password in dist/lib/configFixtures.js

dist/lib/configFixtures.jsView on unpkg · L526
dist/lib/benchmark.jsView file
3*/ L4: import { execa } from "execa"; L5: import { promises as fs } from "fs"; ... L10: // Directory for benchmark scripts and results L11: const RULEBRICKS_DIR = path.join(os.homedir(), ".rulebricks"); L12: const BENCHMARKS_DIR = path.join(RULEBRICKS_DIR, "benchmarks"); ... L17: const execaError = error; L18: const output = execaError.stderr || execaError.stdout || ""; L19: if (output) { ... L53: export function getK6InstallInstructions() { L54: const platform = process.platform; L55: switch (platform) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/lib/benchmark.jsView on unpkg · L3
benchmarks/run-qps-test.shView file
path = benchmarks/run-qps-test.sh kind = build_helper sizeBytes = 2603 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

benchmarks/run-qps-test.shView on unpkg
dist/lib/cloudCli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @rulebricks/cli@2.3.2 matchedIdentity = npm:QHJ1bGVicmlja3MvY2xp:2.3.2 similarity = 0.463 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/lib/cloudCli.jsView on unpkg
dist/lib/helmValues.test.jsView file
783patternName = generic_password severity = medium line = 783 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in dist/lib/helmValues.test.js

dist/lib/helmValues.test.jsView on unpkg · L783
793patternName = generic_password severity = medium line = 793 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in dist/lib/helmValues.test.js

dist/lib/helmValues.test.jsView on unpkg · L793
dist/lib/helmValues.jsView file
1988patternName = generic_password severity = medium line = 1988 matchedText = password...D}",
Medium
Secret Pattern

Hardcoded password in dist/lib/helmValues.js

dist/lib/helmValues.jsView on unpkg · L1988
2408patternName = generic_password severity = medium line = 2408 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in dist/lib/helmValues.js

dist/lib/helmValues.jsView on unpkg · L2408
2435patternName = generic_password severity = medium line = 2435 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in dist/lib/helmValues.js

dist/lib/helmValues.jsView on unpkg · L2435
cluster-setup/gcp/README.mdView file
92patternName = generic_password severity = medium line = 92 matchedText = - **DB p...>'`.
Medium
Secret Pattern

Hardcoded password in cluster-setup/gcp/README.md

cluster-setup/gcp/README.mdView on unpkg · L92

Findings

2 High12 Medium4 Low
HighSandbox Evasion Gated Capabilitydist/lib/benchmark.js
HighPrevious Version Dangerous Deltadist/lib/cloudCli.js
MediumSecret Patterndist/lib/configFixtures.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbenchmarks/run-qps-test.sh
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/lib/configFixtures.js
MediumSecret Patterndist/lib/helmValues.test.js
MediumSecret Patterndist/lib/helmValues.test.js
MediumSecret Patterndist/lib/helmValues.js
MediumSecret Patterndist/lib/helmValues.js
MediumSecret Patterndist/lib/helmValues.js
MediumSecret Patterncluster-setup/gcp/README.md
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings