@zenith-open/zenithcms-core@1.0.0-beta.10

Zenith CMS — headless engine with REST, GraphQL, and AI tools

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
  Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network
  Supply chain: High Entropy Strings, Url Strings
  Manifest: No License
scanned 377 file(s), 2.00 MB of source, external domains: accounts.google.com, api.github.com, api.openai.com, fonts.googleapis.com, fonts.gstatic.com, github.com, oauth2.googleapis.com, openrouter.ai, production.zenithcms.internal, www.googleapis.com, www.paypal.com, zenithcms.com

Source & flagged code

6 flagged
dist/packages/core/src/api/auth/sso.js, flagged at L36
  patternName = generic_password severity = medium line = 36 matchedText = password...nt',
Medium · Secret Pattern

Package contains a possible secret pattern.
dist/index.js, flagged at L512
  L512: const cmd = process.platform === 'win32' ? 'start' : process.platform === 'darwin' ? 'open' : 'xdg-open';
  L513: require('child_process').exec(`${cmd} http://localhost:${port}/admin`);
  L514: }
High · Child Process

Package source references child process execution.
dist/database/adapters/AotBridge.js, flagged at L30
  L30: try {
  L31:   // Convert absolute Windows paths to file:// URLs for ESM import() compatibility
  L32:   const fileUrl = pathToFileURL(fileToLoad).href;
Medium · Dynamic Require

Package source references dynamic require/import behavior.
dist/packages/core/src/services/flow-engine.js, flagged at L121
  L121:   status: 'running',
  L122:   context: { payload, env: process.env },
  L123:   completedNodes: {},
  ...
  L321: else {
  L322:   const headers = config.headers ? JSON.parse(config.headers) : {};
  L323:   const body = config.body ? JSON.parse(config.body) : context.payload || context;
  L324:   const method = config.method || 'POST';
  L325:   const res = await fetch(config.url, {
  L326:     method,
  L327:     headers: { 'Content-Type': 'application/json', ...headers },
  L328:     body: method !== 'GET' ? JSON.stringify(body) : undefined
  L329:   });
Medium · Unsafe Vm Context

Package source executes code through a VM context API.
dist/packages/core/src/api/system/audit-logs.js, flagged at L183
  L183: try {
  L184:   execSync(`npx tsx "${scriptPath}"`, { stdio: 'inherit' });
  L185: }
High · Runtime Package Install

Package source invokes a package manager install command at runtime.
dist/api/auth/sso.js, flagged at L36
  patternName = generic_password severity = medium line = 36 matchedText = password...nt',
Medium · Secret Pattern

Hardcoded password in dist/api/auth/sso.js

Findings

2 High · 7 Medium · 5 Low

High · Child Process · dist/index.js
High · Runtime Package Install · dist/packages/core/src/api/system/audit-logs.js
Medium · Secret Pattern · dist/packages/core/src/api/auth/sso.js
Medium · Dynamic Require · dist/database/adapters/AotBridge.js
Medium · Unsafe Vm Context · dist/packages/core/src/services/flow-engine.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · dist/api/auth/sso.js
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License