registry  /  @testomatio/reporter  /  2.9.4

@testomatio/reporter@2.9.4

Testomatio Reporter Client

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Reporting sends user-configured test results to Testomatio and, when explicitly configured, posts CI report comments or uploads selected artifacts to configured S3 storage.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit reporter/CLI use with TESTOMATIO, CI, pipe, or S3 configuration.
Impact
No install-time execution, secret harvesting, covert endpoint, persistence, destructive action, or AI-agent control-surface mutation found.
Mechanism
User-configured test reporting, CI comments, artifact upload, and explicit test-command orchestration.
Rationale
Static source inspection shows a test-reporting client with network behavior gated by user-provided credentials and explicit CLI/CI configuration. The flagged dynamic import and process execution are package-aligned extension loading and user-invoked test/Git commands, not a concrete malicious chain.
Evidence
package.jsonsrc/reporter.jssrc/bin/cli.jssrc/pipe/index.jssrc/pipe/testomatio.jssrc/pipe/gitlab.jssrc/uploader.jssrc/utils/utils.jssrc/pipe/bitbucket.jssrc/config.jssrc/pipe/coverage.js
Network endpoints3
app.testomat.iogitlab.com/api/v4api.bitbucket.org/2.0

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall/prepare lifecycle hook.
    • src/reporter.js only exports reporter APIs; import does not start network or child processes.
    • src/pipe/testomatio.js enables reporting only when a TESTOMATIO API key is supplied.
    • src/pipe/gitlab.js requires GitLab CI merge-request variables and GITLAB_PAT before posting a report comment.
    • src/bin/cli.js spawns only the explicit command passed to its CLI.
    • src/pipe/index.js dynamic-imports only user-configured testomatio.pipes from the invoking project's package.json.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 117 file(s), 913 KB of source, external domains: api.bitbucket.org, app.testomat.io, avatars.githubusercontent.com, bit.ly, bitbucket.org, github.com, gitlab.com, testomat.io

    Source & flagged code

    3 flagged · loading source
    lib/constants.jsView file
    7exports.getCreateRunRequestTimeout = getCreateRunRequestTimeout; L8: const picocolors_1 = __importDefault(require("picocolors")); L9: const os_1 = __importDefault(require("os"));
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    lib/constants.jsView on unpkg · L7
    src/data-storage.jsView file
    54if (!context) { L55: // debug(`No context provided for "${dataType}" data:`, data); L56: return; ... L195: const hash = md5.digest('hex'); L196: return `${process.env.runId || 'run'}_${hash}`; L197: }
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    src/data-storage.jsView on unpkg · L54
    lib/pipe/gitlab.jsView file
    6const debug_1 = __importDefault(require("debug")); L7: const gaxios_1 = require("gaxios"); L8: const picocolors_1 = __importDefault(require("picocolors")); ... L26: this.isEnabled = false; L27: this.ENV = process.env; L28: this.store = store; ... L32: this.description = params.description || process.env.TESTOMATIO_DESCRIPTION; L33: this.hiddenCommentData = `<!--- testomat.io report ${process.env.CI_JOB_NAME || ''} -->`; L34: debug(picocolors_1.default.yellow('GitLab Pipe:'), this.token ? 'TOKEN passed' : '*no token*', `Project id: ${this.ENV.CI_PROJECT_ID}, MR id: ${this.ENV.CI_MERGE_REQUEST_IID}`); ... L102: text += `\`\`\`diff\n${t.stack.replace((0, utils_js_1.ansiRegExp)(), '').trim()}\n\`\`\`\n`; L103: if (t.artifacts && t.artifacts.length && !this.ENV.TESTOMATIO_PRIVATE_ARTIFACTS) { L104: t.artifacts
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    lib/pipe/gitlab.jsView on unpkg · L6

    Findings

    1 High3 Medium5 Low
    HighSandbox Evasion Gated Capabilitylib/pipe/gitlab.js
    MediumDynamic Requirelib/constants.js
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowWeak Cryptosrc/data-storage.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings