AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package installs and updates a first-party global Git pre-commit secret-scanning hook, with postinstall limited to refreshing an already-active GForge setup.
Decision evidence
public snapshot- package.json defines postinstall script: node scripts/postinstall.js
- scripts/postinstall.js can refresh managed hooks during npm install when global core.hooksPath already equals ~/.gforge/hooks
- src/installer.js writes managed hook files and sets global git core.hooksPath for install/update commands
- scripts/postinstall.js exits without action unless GForge is already active and supports GFORGE_SKIP_POSTINSTALL
- src/scanner.js scans staged git content locally and reports paths/rules, not secret values
- No fetch/http client or outbound network execution found in source
- child_process usage is limited to git config/diff/show and optional local gitleaks invocation
- bin/gforge.js and src/cli.js expose explicit install/update/uninstall/verify commands
Source & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/scanner.jsView on unpkg