registry  /  auditx  /  0.1.0

auditx@0.1.0

One command. Every vulnerability. AI-ready markdown report.

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 75.3 KB of source, external domains: github.com, semgrep.dev, trivy.dev

Source & flagged code

4 flagged · loading source
dist/auditx.jsView file
8import { resolve } from "path"; L9: import { execSync } from "child_process"; L10:
High
Child Process

Package source references child process execution.

dist/auditx.jsView on unpkg · L8
686import { randomUUID } from "crypto"; L687: var execAsync = promisify7(exec); L688: async function runJscpd(targetPath, stagedFiles) {
High
Shell

Package source references shell execution.

dist/auditx.jsView on unpkg · L686
694const targets = stagedFiles && stagedFiles.length > 0 ? stagedFiles.map((f) => `"${f}"`).join(" ") : `"${targetPath}"`; L695: await execAsync(`npx --yes jscpd ${targets} --reporters json --output "${tmpDir}" --silent`, { maxBuffer: 10 * 1024 * 1024 }); L696: } catch (e) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/auditx.jsView on unpkg · L694
8import { resolve } from "path"; L9: import { execSync } from "child_process"; L10: ... L17: return { L18: hasNodeJs: has("package.json") || has("package-lock.json") || has("yarn.lock") || has("pnpm-lock.yaml"), L19: hasPython: has("requirements.txt") || has("Pipfile") || has("pyproject.toml") || has("setup.py") || has("setup.cfg"), ... L50: import { existsSync as existsSync2, mkdirSync, createWriteStream, rmSync } from "fs"; L51: import https from "https"; L52: import * as tar from "tar"; ... L60: async function getBinaryPath(tool) { L61: const binDir = join2(homedir(), ".auditx", "bin"); L62: if (!existsSync2(binDir)) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/auditx.jsView on unpkg · L8

Findings

3 High3 Medium5 Low
HighChild Processdist/auditx.js
HighShelldist/auditx.js
HighRuntime Package Installdist/auditx.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/auditx.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings