registry  /  caspian-security  /  10.7.3

caspian-security@10.7.3

Security scanner for VS Code AND a standalone `caspian` CLI you can run anywhere (PowerShell/cmd/bash, no VS Code needed) — 295+ rules covering code and infrastructure (Dockerfile, Terraform, Kubernetes), intra-file taint tracking, SSRF/XXE/SSTI/deseriali

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 84 file(s), 832 KB of source, external domains: aistudio.google.com, apache.org, console.anthropic.com, marketplace.visualstudio.com, osv.dev, platform.openai.com, raw.githubusercontent.com, telemetry.caspiansecurity.dev, www.w3.org, xml.org

Source & flagged code

8 flagged · loading source
out/rules/secretsRules.jsView file
42patternName = private_key_openssh severity = critical line = 42 matchedText = /-----BE...--/,
Critical
Critical Secret

Package contains a critical-looking secret pattern.

out/rules/secretsRules.jsView on unpkg · L42
42patternName = private_key_openssh severity = critical line = 42 matchedText = /-----BE...--/,
Critical
Secret Pattern

OpenSSH private key in out/rules/secretsRules.js

out/rules/secretsRules.jsView on unpkg · L42
out/rules/frontendRules.jsView file
7code: 'FE001', L8: message: 'Unsafe eval() usage allows arbitrary code execution', L9: severity: types_1.SecuritySeverity.Error,
Low
Eval

Package source references a known benign dynamic code generation pattern.

out/rules/frontendRules.jsView on unpkg · L7
out/rules/ssrfRules.jsView file
13* Detection strategy: L14: * - Match each language's idiomatic HTTP sinks (fetch / axios / requests / L15: * httpx / RestTemplate / HttpClient / URLConnection / curl_exec / etc.). ... L41: const suggestion = 'Validate this URL against an explicit host allow-list BEFORE the request. ' + L42: 'Reject private IPs (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, ::1, fc00::/7), ' + L43: 'metadata endpoints (169.254.169.254, metadata.google.internal), and non-HTTPS schemes.';
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

out/rules/ssrfRules.jsView on unpkg · L13
CHANGELOG.mdView file
768patternName = generic_password severity = medium line = 768 matchedText = - **Crit...D"`)
Medium
Secret Pattern

Hardcoded password in CHANGELOG.md

CHANGELOG.mdView on unpkg · L768
out/fixPatternMemory.jsView file
163patternName = generic_password severity = medium line = 163 matchedText = * Exampl...ING`
Medium
Secret Pattern

Hardcoded password in out/fixPatternMemory.js

out/fixPatternMemory.jsView on unpkg · L163
out/__tests__/rules.test.jsView file
115patternName = generic_password severity = medium line = 115 matchedText = const li...";`;
Medium
Secret Pattern

Hardcoded password in out/__tests__/rules.test.js

out/__tests__/rules.test.jsView on unpkg · L115
README.mdView file
287patternName = generic_password severity = medium line = 287 matchedText = | Critic..."` |
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L287

Findings

2 Critical1 High7 Medium5 Low
CriticalCritical Secretout/rules/secretsRules.js
CriticalSecret Patternout/rules/secretsRules.js
HighCloud Metadata Accessout/rules/ssrfRules.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret PatternCHANGELOG.md
MediumSecret Patternout/fixPatternMemory.js
MediumSecret Patternout/__tests__/rules.test.js
MediumSecret PatternREADME.md
LowScripts Present
LowEvalout/rules/frontendRules.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings