
create-zenithcms-app@1.0.0-beta.36

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

Public snapshot

Behavioral surface
  Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
  Supply chain: High Entropy Strings, Url Strings
  Manifest: No License
scanned 1 file(s), 72.8 KB of source, external domains: console.cloud.google.com, dashboard.stripe.com, github.com, pub-xxx.r2.dev, resend.com, xxx.r2.cloudflarestorage.com, xxxxxxxxxxxxxxxxx.r2.cloudflarestorage.com, your-cms-url.com, your-idp.okta.com

Source & flagged code

7 flagged
dist/index.js
L1598 · patternName = aws_access_key · severity = critical · line = 1598 · matchedText = AWS_ACCE...MPLE
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/index.js · L1598
L1598 · patternName = aws_access_key · severity = critical · line = 1598 · matchedText = AWS_ACCE...MPLE
Critical
Secret Pattern

AWS access key ID in dist/index.js

dist/index.js · L1598
L1599 · patternName = aws_secret_key · severity = critical · line = 1599 · matchedText = AWS_SECR...EKEY
Critical
Secret Pattern

AWS secret access key in dist/index.js

dist/index.js · L1599
L1817 · patternName = stripe_live_secret · severity = critical · line = 1817 · matchedText = STRIPE_S...xxxx
Critical
Secret Pattern

Stripe live secret key in dist/index.js

dist/index.js · L1817
L6: import crypto from "crypto";
L7: import { execSync } from "child_process";
L8: import readline from "readline";
High
Child Process

Package source references child process execution.

dist/index.js · L6
L2060: try {
L2061:   execSync("npm install --no-audit --no-fund", { stdio: "inherit", cwd: projectPath });
L2062:   console.log(chalk.green('✔ Dependencies installed successfully!\n'));
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.js · L2060
L1818 · patternName = stripe_webhook_secret · severity = high · line = 1818 · matchedText = STRIPE_W...xxxx
High
Secret Pattern

Stripe webhook signing secret in dist/index.js

dist/index.js · L1818

Findings

4 Critical · 4 High · 3 Medium · 5 Low

Severity  Category                            File
Critical  Critical Secret                     dist/index.js
Critical  Secret Pattern                      dist/index.js
Critical  Secret Pattern                      dist/index.js
Critical  Secret Pattern                      dist/index.js
High      Child Process                       dist/index.js
High      Shell
High      Runtime Package Install             dist/index.js
High      Secret Pattern                      dist/index.js
Medium    Network
Medium    Environment Vars
Medium    Structural Risk (Force Deep Review)
Low       Scripts Present
Low       Filesystem
Low       High Entropy Strings
Low       Url Strings
Low       No License