registry  /  gforge  /  0.2.1

gforge@0.2.1

A git firewall: a global pre-commit hook that blocks commits containing secrets (passwords, keys, tokens, .env files) across macOS, Linux, and Windows.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package installs and updates a first-party global Git pre-commit secret-scanning hook, with postinstall limited to refreshing an already-active GForge setup.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit gforge install/update command, or npm postinstall only when GForge is already active
Impact
Modifies GForge-owned hook files and global git core.hooksPath; blocks commits containing suspected secrets without exfiltration
Mechanism
local Git hook secret scanner installation/update
Rationale
The risky primitives are package-aligned for a Git secret-scanning hook and are either explicit user commands or guarded postinstall refresh of an existing GForge installation. Source inspection found no credential exfiltration, remote payload loading, destructive behavior, or stealth persistence beyond the documented first-party Git hook setup.
Evidence
package.jsonscripts/postinstall.jssrc/installer.jssrc/scanner.jssrc/hooks.jssrc/git-config.jssrc/cli.jsbin/gforge.js~/.gforge/hooks/gforge-scan.mjs~/.gforge/hooks/pre-commit~/.gforge/state.jsonglobal git config core.hooksPath

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall script: node scripts/postinstall.js
  • scripts/postinstall.js can refresh managed hooks during npm install when global core.hooksPath already equals ~/.gforge/hooks
  • src/installer.js writes managed hook files and sets global git core.hooksPath for install/update commands
Evidence against
  • scripts/postinstall.js exits without action unless GForge is already active and supports GFORGE_SKIP_POSTINSTALL
  • src/scanner.js scans staged git content locally and reports paths/rules, not secret values
  • No fetch/http client or outbound network execution found in source
  • child_process usage is limited to git config/diff/show and optional local gitleaks invocation
  • bin/gforge.js and src/cli.js expose explicit install/update/uninstall/verify commands
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 41.1 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
src/scanner.jsView file
matchType = previous_version_dangerous_delta matchedPackage = gforge@0.2.0 matchedIdentity = npm:Z2Zvcmdl:0.2.0 similarity = 0.778 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/scanner.jsView on unpkg

Findings

2 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltasrc/scanner.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem