registry  /  auditx  /  0.1.11

auditx@0.1.11

One command. Every vulnerability. AI-ready markdown report.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a security-auditing CLI that runs scanners, optionally downloads scanner binaries, writes reports, configures AI summaries, and installs git hooks only when requested.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes auditx CLI commands such as scan, install, hook install, --ai, or --fix.
Impact
Expected local scanning/reporting side effects; no hidden credential harvesting or exfiltration found.
Mechanism
User-invoked scanner orchestration with optional tool download, report writing, AI summary, and git hook setup.
Rationale
Static inspection shows risky primitives, but they are aligned with a documented security scanner CLI and are activated by explicit user commands rather than install/import-time behavior. No concrete malicious behavior, hidden exfiltration, persistence, or reviewer/prompt manipulation was found.
Evidence
package.jsondist/auditx.jsdist/hook-W4INEOTH.jsREADME.mdsrc/rules/ai-patterns.yml~/.auditx/bin~/.auditx/semgrep-home~/.auditx/config.jsonaudit-report.md<target>.json.git/hooks/*.husky/*
Network endpoints3
github.com/gitleaks/gitleaks/releases/download/github.com/aquasecurity/trivy/releases/download/github.com/semgrep/semgrep/releases/download/

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/auditx.js uses child_process and shell-based scanner invocations during CLI scans.
  • dist/auditx.js downloads Semgrep/Trivy/Gitleaks binaries from GitHub into ~/.auditx/bin on first run.
  • dist/hook-W4INEOTH.js writes git hooks, but only through explicit auditx hook commands.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks; bin is user-invoked dist/auditx.js.
  • Network endpoints are package-aligned scanner/AI provider usage, not hidden exfiltration.
  • AI API keys are read from env or ~/.auditx/config only for explicit --ai/setup flows.
  • No import-time execution beyond CLI startup; destructive/persistence behavior not found.
  • README documents auto-downloads, scanner execution, hook install, and AI features.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 79.6 KB of source, external domains: github.com, semgrep.dev, trivy.dev

Source & flagged code

5 flagged · loading source
dist/auditx.jsView file
matchType = previous_version_dangerous_delta matchedPackage = auditx@0.1.10 matchedIdentity = npm:YXVkaXR4:0.1.10 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/auditx.jsView on unpkg
8import { resolve } from "path"; L9: import { execSync } from "child_process"; L10:
High
Child Process

Package source references child process execution.

dist/auditx.jsView on unpkg · L8
773import { randomUUID as randomUUID2 } from "crypto"; L774: var execAsync = promisify7(exec); L775: async function runJscpd(targetPath, stagedFiles) {
High
Shell

Package source references shell execution.

dist/auditx.jsView on unpkg · L773
781const targets = stagedFiles && stagedFiles.length > 0 ? stagedFiles.map((f) => `"${f}"`).join(" ") : `"${targetPath}"`; L782: await execAsync(`npx --yes jscpd ${targets} --reporters json --output "${tmpDir}" --silent`, { maxBuffer: 10 * 1024 * 1024 }); L783: } catch (e) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/auditx.jsView on unpkg · L781
8import { resolve } from "path"; L9: import { execSync } from "child_process"; L10: ... L17: return { L18: hasNodeJs: has("package.json") || has("package-lock.json") || has("yarn.lock") || has("pnpm-lock.yaml"), L19: hasPython: has("requirements.txt") || has("Pipfile") || has("pyproject.toml") || has("setup.py") || has("setup.cfg"), ... L50: import { existsSync as existsSync2, mkdirSync, createWriteStream, rmSync } from "fs"; L51: import https from "https"; L52: import * as tar from "tar"; ... L61: function getSemgrepEnv() { L62: const semgrepHome = join2(homedir(), ".auditx", "semgrep-home"); L63: if (!existsSync2(semgrepHome)) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/auditx.jsView on unpkg · L8

Findings

1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/auditx.js
HighChild Processdist/auditx.js
HighShelldist/auditx.js
HighRuntime Package Installdist/auditx.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/auditx.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings