Static Scan Results
scanned 6d ago · by rust-scannerStatic analysis flagged 8 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcesrc/providers/google-auth.tsView file
20L21: const OAUTH_TOKEN_URL = "https://oauth2.googleapis.com/token";
L22: const METADATA_TOKEN_URL = "http://metadata.google.[redacted]-accounts/default/token";
L23: const CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform";
...
L33: client_email: string;
L34: private_key: string;
L35: private_key_id?: string;
...
L60: function userAdcPath(): string {
L61: return path.join(os.homedir(), ".config", "gcloud", "application_default_credentials.json");
L62: }
...
L65: try {
L66: return (await Bun.file(filePath).json()) as T;
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
src/providers/google-auth.tsView on unpkg · L20Findings
1 High3 Medium4 Low
HighCloud Metadata Accesssrc/providers/google-auth.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings