registry  /  @venturekit/cli  /  0.0.2

@venturekit/cli@0.0.2

⚠ Under review

CLI for VentureKit - scaffolding and deploy orchestration

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 35 file(s), 459 KB of source, external domains: app.example.com, doc.venturekit.dev, github.com, schema.getpostman.com, token.actions.githubusercontent.com, venturekit.dev, www.npmjs.com

Source & flagged code

6 flagged · loading source
dist/commands/generate.jsView file
443patternName = generic_password severity = medium line = 443 matchedText = " // ...',",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/commands/generate.jsView on unpkg · L443
dist/utils/docker.jsView file
3*/ L4: import { execSync } from 'child_process'; L5: import { existsSync } from 'fs';
High
Child Process

Package source references child process execution.

dist/utils/docker.jsView on unpkg · L3
dist/utils/typecheck.jsView file
9* L10: * `tsc` is invoked through `npx` (with `shell: true`, matching the L11: * `npx cdk` invocation in `deploy.ts`). npx resolves the project's
High
Shell

Package source references shell execution.

dist/utils/typecheck.jsView on unpkg · L9
9* L10: * `tsc` is invoked through `npx` (with `shell: true`, matching the L11: * `npx cdk` invocation in `deploy.ts`). npx resolves the project's L12: * locally-installed `typescript` before fetching, so the check uses
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/utils/typecheck.jsView on unpkg · L9
dist/utils/config-loader.jsView file
28}); L29: const mod = await jiti.import(configPath); L30: const config = mod?.default ?? mod;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/utils/config-loader.jsView on unpkg · L28
dist/commands/init.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @venturekit/cli@0.0.1 matchedIdentity = npm:QHZlbnR1cmVraXQvY2xp:0.0.1 similarity = 0.939 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/init.jsView on unpkg

Findings

1 Critical3 High5 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/commands/init.js
HighChild Processdist/utils/docker.js
HighShelldist/utils/typecheck.js
HighRuntime Package Installdist/utils/typecheck.js
MediumSecret Patterndist/commands/generate.js
MediumDynamic Requiredist/utils/config-loader.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings