Static Scan Results
scanned 5d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot

Behavioral surface
Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell, High Entropy Strings, Url Strings, Wildcard Dependency
Source & flagged code
3 flagged

src/core/dev.ts (flagged at L126) · severity: High
    L126: console.log("🏗️ Building...");
    L127: const proc = spawn(["bun", "run", BUILD_SCRIPT], {
    L128:   stdout: "inherit",

src/core/plugin.ts (flagged at L13) · severity: Medium
    L13: name: "bosia-resolver",
    L14: setup(build: import("bun").PluginBuilder) {
    L15:   // bosia:routes → .bosia/routes.client.ts (browser) or .bosia/routes.ts (server)
Dynamic Require: package source references dynamic require/import behavior.

src/cli/registry.ts (flagged at L184) · severity: High
    L185: /** Run `bun add` for deps and optionally `bun add --dev` for devDeps. */
    L186: export async function bunAdd(
    ...
    L193: console.log(`\n📥 npm: ${packages.join(", ")}`);
    L194: const proc = spawn(["bun", "add", ...packages], {
    L195:   stdout: "inherit",
Runtime Package Install: package source invokes a package manager install command at runtime.
3 High · 5 Medium · 4 Low

Severity  Finding                                File
High      Child Process                          src/core/dev.ts
High      Shell
High      Runtime Package Install                src/cli/registry.ts
Medium    Dynamic Require                        src/core/plugin.ts
Medium    Network
Medium    Environment Vars
Medium    Structural Risk (Force Deep Review)
Medium    Wildcard Dependency
Low       Scripts Present
Low       Filesystem
Low       High Entropy Strings
Low       Url Strings