registry  /  auditx  /  0.1.10

auditx@0.1.10

One command. Every vulnerability. AI-ready markdown report.

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 79.1 KB of source, external domains: github.com, semgrep.dev, trivy.dev

Source & flagged code

4 flagged · loading source
dist/auditx.jsView file
8import { resolve } from "path"; L9: import { execSync } from "child_process"; L10:
High
Child Process

Package source references child process execution.

dist/auditx.jsView on unpkg · L8
773import { randomUUID as randomUUID2 } from "crypto"; L774: var execAsync = promisify7(exec); L775: async function runJscpd(targetPath, stagedFiles) {
High
Shell

Package source references shell execution.

dist/auditx.jsView on unpkg · L773
781const targets = stagedFiles && stagedFiles.length > 0 ? stagedFiles.map((f) => `"${f}"`).join(" ") : `"${targetPath}"`; L782: await execAsync(`npx --yes jscpd ${targets} --reporters json --output "${tmpDir}" --silent`, { maxBuffer: 10 * 1024 * 1024 }); L783: } catch (e) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/auditx.jsView on unpkg · L781
8import { resolve } from "path"; L9: import { execSync } from "child_process"; L10: ... L17: return { L18: hasNodeJs: has("package.json") || has("package-lock.json") || has("yarn.lock") || has("pnpm-lock.yaml"), L19: hasPython: has("requirements.txt") || has("Pipfile") || has("pyproject.toml") || has("setup.py") || has("setup.cfg"), ... L50: import { existsSync as existsSync2, mkdirSync, createWriteStream, rmSync } from "fs"; L51: import https from "https"; L52: import * as tar from "tar"; ... L61: function getSemgrepEnv() { L62: const semgrepHome = join2(homedir(), ".auditx", "semgrep-home"); L63: if (!existsSync2(semgrepHome)) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/auditx.jsView on unpkg · L8

Findings

3 High3 Medium5 Low
HighChild Processdist/auditx.js
HighShelldist/auditx.js
HighRuntime Package Installdist/auditx.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/auditx.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings