registry  /  cs-devtest  /  1.1.6

cs-devtest@1.1.6

Automatic Husky + Gitleaks + SonarQube setup for any JS/TS project

Static Scan Results

scanned 5h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 14 file(s), 86.1 KB of source, external domains: 34.100.239.232, github.com

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/index.js install
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./bin/index.js install
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/index.jsView file
8// npm does NOT guarantee our own node_modules exists before running postinstall. L9: // We must bootstrap ourselves using only fs, path, child_process (always available). L10: // ─────────────────────────────────────────────────────────────────────────────
High
Child Process

Package source references child process execution.

bin/index.jsView on unpkg · L8
10// ───────────────────────────────────────────────────────────────────────────── L11: const fs = require('fs'); L12: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/index.jsView on unpkg · L10
lib/gitleaks.jsView file
4const path = require('path'); L5: const execa = require('execa'); L6: const https = require('https');
High
Shell

Package source references shell execution.

lib/gitleaks.jsView on unpkg · L4
lib/sonarqube.jsView file
6const { installDevDependency } = require('./packageManager'); L7: const { execSync } = require('child_process'); L8: L9: const SONAR_PROPS_FILE = 'sonar-project.properties'; L10: const DEFAULT_SONAR_HOST = process.env.SONAR_HOST_URL || 'http://34.100.239.232:9000'; L11: const DEFAULT_SONAR_TOKEN = process.env.SONAR_TOKEN || 'squ_76811d68e795b642385b1de37dc97fb41a13c252';
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/sonarqube.jsView on unpkg · L6
lib/packageManager.jsView file
203const cmdArgs = getPackageManagerCommand(manager, 'install', pkg); L204: await execa(manager, cmdArgs, { L205: stdio: 'inherit', ... L210: } catch (err) { L211: const installCmd = manager === 'npm' ? 'npm install --save-dev' : L212: manager === 'yarn' ? 'yarn add -D' :
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/packageManager.jsView on unpkg · L203
templates/github-template/scripts/run-all-scans.shView file
path = templates/github-template/scripts/run-all-scans.sh kind = build_helper sizeBytes = 25265 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/github-template/scripts/run-all-scans.shView on unpkg

Findings

5 High6 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/index.js
HighShelllib/gitleaks.js
HighSame File Env Network Executionlib/sonarqube.js
HighRuntime Package Installlib/packageManager.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/github-template/scripts/run-all-scans.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings