Static Scan Results
scanned 4d ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcedist/src/providers.jsView file
372patternName = generic_password
severity = medium
line = 372
matchedText = url.pass...t]";
Medium
dist/src/cli.jsView file
1#!/usr/bin/env node
L2: import { spawnSync } from "node:child_process";
L3: import { fileURLToPath } from "node:url";
...
L35: import { parsePositiveInteger } from "./cli-args.js";
L36: const LAUNCHCTL_TIMEOUT_MS = 15_000;
L37: const PLUTIL_TIMEOUT_MS = 5_000;
...
L52: if (!result.ok)
L53: process.exitCode = 1;
L54: return;
...
L244: const status = collectReleaseStatus({
L245: cwd: process.cwd(),
L246: configPath: args.config,
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
dist/src/cli.jsView on unpkg · L1dist/src/config.jsView file
1import { existsSync, readFileSync } from "node:fs";
L2: import { isIP } from "node:net";
L3: import { dirname, join } from "node:path";
...
L126: publicReposFree: true,
L127: privateReposRequireEntitlement: true,
L128: [redacted]: true
...
L257: export function loadConfig(configPath) {
L258: const fromFile = configPath && existsSync(configPath) ? JSON.parse(readFileSync(configPath, "utf8")) : {};
L259: return loadConfigFromObject(fromFile);
...
L262: const merged = deepMerge(DEFAULT_CONFIG, fromFile);
L263: merged.github.appId = process.env.EVAOS_REVIEW_BOT_APP_ID ?? merged.github.appId;
L264: merged.github.privateKeyPath = process.env.EVAOS_REVIEW_BOT_PRIVATE_KEY_PATH ?? merged.github.privateKeyPath;
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/src/config.jsView on unpkg · L1Findings
1 High5 Medium5 Low
HighCloud Metadata Accessdist/src/config.js
MediumSecret Patterndist/src/providers.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/src/cli.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License