registry  /  auditx  /  0.1.5

auditx@0.1.5

One command. Every vulnerability. AI-ready markdown report.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a CLI that orchestrates local security scanners, downloads scanner binaries on first use, and can optionally install git hooks when requested.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs auditx CLI commands such as `auditx .`, `auditx install`, `auditx --ai`, or `auditx hook install`.
Impact
Runs local scanners, writes reports, downloads scanner binaries, optionally writes git hooks; no unauthorized exfiltration or install-time execution found.
Mechanism
User-invoked scanner orchestration and optional tool/bootstrap setup
Rationale
Static inspection shows a package-aligned security audit CLI with user-invoked network downloads, subprocess scanners, local report output, optional AI calls, and explicit hook installation. The suspicious primitives are expected for this tool category and no unconsented lifecycle execution, credential exfiltration, destructive behavior, or hidden payload was found.
Evidence
package.jsondist/auditx.jsdist/hook-W4INEOTH.jssrc/rules/ai-patterns.ymlREADME.md~/.auditx/bin~/.auditx/config.jsonaudit-report.md.git/hooks/*.husky/*
Network endpoints3
github.com/gitleaks/gitleaks/releases/download/github.com/aquasecurity/trivy/releases/download/github.com/semgrep/semgrep/releases/download/

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/auditx.js uses shell-form exec for scanner commands with target paths, a security hardening concern but user-invoked CLI behavior.
  • dist/hook-W4INEOTH.js writes .git/hooks or .husky hooks only via explicit `auditx hook install` command.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts.
  • dist/auditx.js bin is a security scanner CLI; child_process calls run Semgrep, Trivy, Gitleaks, npm audit, npx tools, git, tsc, lizard.
  • Tool downloads are explicit first-run/setup behavior from GitHub release URLs for gitleaks/trivy/semgrep into ~/.auditx/bin.
  • AI API keys are read from env or prompted and stored locally in ~/.auditx/config.json; no unsolicited credential harvesting found.
  • Network use is package-aligned: GitHub tool downloads and optional user-enabled AI provider calls.
  • No import-time execution beyond CLI startup, no persistence except user-invoked git hook install, no destructive payload found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 77.5 KB of source, external domains: github.com, semgrep.dev, trivy.dev

Source & flagged code

5 flagged · loading source
dist/auditx.jsView file
matchType = previous_version_dangerous_delta matchedPackage = auditx@0.1.4 matchedIdentity = npm:YXVkaXR4:0.1.4 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/auditx.jsView on unpkg
8import { resolve } from "path"; L9: import { execSync } from "child_process"; L10:
High
Child Process

Package source references child process execution.

dist/auditx.jsView on unpkg · L8
746import { randomUUID as randomUUID2 } from "crypto"; L747: var execAsync = promisify7(exec); L748: async function runJscpd(targetPath, stagedFiles) {
High
Shell

Package source references shell execution.

dist/auditx.jsView on unpkg · L746
754const targets = stagedFiles && stagedFiles.length > 0 ? stagedFiles.map((f) => `"${f}"`).join(" ") : `"${targetPath}"`; L755: await execAsync(`npx --yes jscpd ${targets} --reporters json --output "${tmpDir}" --silent`, { maxBuffer: 10 * 1024 * 1024 }); L756: } catch (e) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/auditx.jsView on unpkg · L754
8import { resolve } from "path"; L9: import { execSync } from "child_process"; L10: ... L17: return { L18: hasNodeJs: has("package.json") || has("package-lock.json") || has("yarn.lock") || has("pnpm-lock.yaml"), L19: hasPython: has("requirements.txt") || has("Pipfile") || has("pyproject.toml") || has("setup.py") || has("setup.cfg"), ... L50: import { existsSync as existsSync2, mkdirSync, createWriteStream, rmSync } from "fs"; L51: import https from "https"; L52: import * as tar from "tar"; ... L69: async function getBinaryPathInternal(tool) { L70: const binDir = join2(homedir(), ".auditx", "bin"); L71: if (!existsSync2(binDir)) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/auditx.jsView on unpkg · L8

Findings

1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/auditx.js
HighChild Processdist/auditx.js
HighShelldist/auditx.js
HighRuntime Package Installdist/auditx.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/auditx.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings