registry  /  auditx  /  0.1.16

auditx@0.1.16

One command. Every vulnerability. AI-ready markdown report.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a security-audit CLI that downloads and executes scanner tools during user-invoked scans, and can optionally install git hooks when explicitly commanded.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs auditx CLI commands such as scan, install, hook install, --ai, or --fix
Impact
Runs external security tools, downloads scanner binaries, writes reports/config/hooks when requested; no stealth persistence or unconsented exfiltration found
Mechanism
user-invoked scanner orchestration and report generation
Rationale
Static inspection shows dangerous primitives are aligned with the advertised audit CLI: downloading scanners, running local audit tools, optional AI summary, optional git hooks, and report output. There is no lifecycle execution, hidden credential collection, unauthorized network endpoint, or stealth persistence indicating malicious intent.
Evidence
package.jsondist/auditx.jsdist/hook-W4INEOTH.jsaudit-report.mdaudit-report.json~/.auditx/bin~/.auditx/semgrep-home/settings.yml~/.auditx/config.json.git/hooks/pre-commit.git/hooks/pre-push.husky/pre-commit.husky/pre-push
Network endpoints3
github.com/gitleaks/gitleaks/releases/download/github.com/aquasecurity/trivy/releases/download/github.com/semgrep/semgrep/releases/download/

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks; only CLI bin dist/auditx.js
    • dist/auditx.js network downloads target scanner release URLs for gitleaks/trivy/semgrep as part of first-run scanner setup
    • dist/auditx.js child_process use runs declared security tools: semgrep, trivy, npm audit, gitleaks, eslint, jscpd, depcheck, license-checker, tsc, git, lizard
    • dist/hook-W4INEOTH.js writes git hooks only via explicit `auditx hook install` command, with marker and uninstall path
    • AI API keys are read from env or ~/.auditx config only for explicit --ai/setup flows; no credential harvesting loop or exfiltration found
    • No import-time execution beyond commander CLI parsing; default behavior scans target and writes reports
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 2 file(s), 87.8 KB of source, external domains: github.com, semgrep.dev, trivy.dev

    Source & flagged code

    5 flagged · loading source
    dist/auditx.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = auditx@0.1.13 matchedIdentity = npm:YXVkaXR4:0.1.13 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version.

    dist/auditx.jsView on unpkg
    8import { resolve } from "path"; L9: import { execSync } from "child_process"; L10:
    High
    Child Process

    Package source references child process execution.

    dist/auditx.jsView on unpkg · L8
    869import { randomUUID as randomUUID2 } from "crypto"; L870: var execAsync = promisify7(exec); L871: async function runJscpd(targetPath, stagedFiles) {
    High
    Shell

    Package source references shell execution.

    dist/auditx.jsView on unpkg · L869
    877const targets = stagedFiles && stagedFiles.length > 0 ? stagedFiles.map((f) => `"${f}"`).join(" ") : `"${targetPath}"`; L878: await execAsync(`npx --yes jscpd ${targets} --reporters json --output "${tmpDir}" --silent`, { maxBuffer: 10 * 1024 * 1024 }); L879: } catch (e) {
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/auditx.jsView on unpkg · L877
    8import { resolve } from "path"; L9: import { execSync } from "child_process"; L10: ... L16: var TARGET_FILES = /* @__PURE__ */ new Set([ L17: "package.json", L18: "package-lock.json", ... L74: try { L75: const pkg = JSON.parse(readFileSync(pkgPath, "utf-8")); L76: if (pkg.dependencies) Object.keys(pkg.dependencies).forEach((d) => allDeps.add(d)); ... L132: import { existsSync as existsSync2, mkdirSync, createWriteStream, rmSync } from "fs"; L133: import https from "https"; L134: import * as tar from "tar";
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/auditx.jsView on unpkg · L8

    Findings

    1 Critical3 High3 Medium5 Low
    CriticalPrevious Version Dangerous Deltadist/auditx.js
    HighChild Processdist/auditx.js
    HighShelldist/auditx.js
    HighRuntime Package Installdist/auditx.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowWeak Cryptodist/auditx.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings