registry  /  auditx  /  0.1.4

auditx@0.1.4

One command. Every vulnerability. AI-ready markdown report.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package has broad scanner-style execution, downloads, hook installation, and optional AI API calls, but these are user-invoked and documented for a security audit CLI.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `auditx`, `auditx install`, `auditx hook install`, or `auditx --ai`.
Impact
Runs local security tools against the chosen project and writes audit reports; no install-time execution or covert data theft found.
Mechanism
security scanner orchestration with optional tool installation, git hooks, and AI summary
Rationale
Static inspection shows a security-auditing CLI with expected child_process, network download, report-writing, and optional hook/AI features, but no lifecycle execution, covert credential harvesting, persistence, destructive behavior, or unconsented AI-agent control-surface mutation. Scanner hints are explained by package-aligned runtime behavior.
Evidence
package.jsondist/auditx.jsdist/hook-W4INEOTH.jsREADME.mdsrc/rules/ai-patterns.yml~/.auditx/bin~/.auditx/config.jsonaudit-report.mdaudit-report.json.git/hooks/pre-commit.git/hooks/pre-push.git/hooks/post-merge.git/hooks/post-checkout.husky/pre-commit.husky/pre-push
Network endpoints6
github.com/gitleaks/gitleaks/releases/download/github.com/aquasecurity/trivy/releases/download/github.com/semgrep/semgrep/releases/download/OpenAI API via openai SDK when --ai provider is openaiAnthropic API via @anthropic-ai/sdk when --ai provider is claudeGoogle Gemini API via @google/genai when --ai provider is gemini

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hooks; bin is dist/auditx.js only.
    • dist/auditx.js is a user-invoked security scanner CLI orchestrating Semgrep, Trivy, Gitleaks, npm audit, eslint, knip, and related tools.
    • Network use is package-aligned: downloads scanner releases from GitHub and optionally calls configured AI providers only with --ai.
    • Git hook writes are only reached via explicit `auditx hook install/install-all`; hooks run auditx and include bypass/uninstall support.
    • Credential reads are limited to OPENAI_API_KEY/GEMINI_API_KEY/ANTHROPIC_API_KEY or ~/.auditx/config.json for optional AI summaries; no exfiltration path outside selected provider APIs.
    • Report writes target audit-report.md/json or user-specified output; temp files are scanner reports under tmp and removed.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 2 file(s), 76.7 KB of source, external domains: github.com, semgrep.dev, trivy.dev

    Source & flagged code

    5 flagged · loading source
    dist/auditx.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = auditx@0.1.2 matchedIdentity = npm:YXVkaXR4:0.1.2 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version.

    dist/auditx.jsView on unpkg
    8import { resolve } from "path"; L9: import { execSync } from "child_process"; L10:
    High
    Child Process

    Package source references child process execution.

    dist/auditx.jsView on unpkg · L8
    724import { randomUUID as randomUUID2 } from "crypto"; L725: var execAsync = promisify7(exec); L726: async function runJscpd(targetPath, stagedFiles) {
    High
    Shell

    Package source references shell execution.

    dist/auditx.jsView on unpkg · L724
    732const targets = stagedFiles && stagedFiles.length > 0 ? stagedFiles.map((f) => `"${f}"`).join(" ") : `"${targetPath}"`; L733: await execAsync(`npx --yes jscpd ${targets} --reporters json --output "${tmpDir}" --silent`, { maxBuffer: 10 * 1024 * 1024 }); L734: } catch (e) {
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/auditx.jsView on unpkg · L732
    8import { resolve } from "path"; L9: import { execSync } from "child_process"; L10: ... L17: return { L18: hasNodeJs: has("package.json") || has("package-lock.json") || has("yarn.lock") || has("pnpm-lock.yaml"), L19: hasPython: has("requirements.txt") || has("Pipfile") || has("pyproject.toml") || has("setup.py") || has("setup.cfg"), ... L50: import { existsSync as existsSync2, mkdirSync, createWriteStream, rmSync } from "fs"; L51: import https from "https"; L52: import * as tar from "tar"; ... L60: async function getBinaryPath(tool) { L61: const binDir = join2(homedir(), ".auditx", "bin"); L62: if (!existsSync2(binDir)) {
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/auditx.jsView on unpkg · L8

    Findings

    1 Critical3 High3 Medium5 Low
    CriticalPrevious Version Dangerous Deltadist/auditx.js
    HighChild Processdist/auditx.js
    HighShelldist/auditx.js
    HighRuntime Package Installdist/auditx.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowWeak Cryptodist/auditx.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings