registry  /  overwire  /  1.0.2

overwire@1.0.2

Overwire — run, mock, and debug your GitHub Actions workflow files locally.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 1 file(s), 1.59 MB of source, external domains: api.polar.sh, codeload.github.com, docs.github.com, docs.overwire.io, github.com, grpc.io, json-schema.org, overwire.io, overwire.local, raw.githubusercontent.com

Source & flagged code

10 flagged · loading source
overwire.cjsView file
161patternName = private_key_rsa severity = critical line = 161 matchedText = `,r)+1}r...--\r
Critical
Critical Secret

Package contains a critical-looking secret pattern.

overwire.cjsView on unpkg · L161
161patternName = private_key_rsa severity = critical line = 161 matchedText = `,r)+1}r...--\r
Critical
Secret Pattern

RSA private key in overwire.cjs

overwire.cjsView on unpkg · L161
166patternName = private_key_openssh severity = critical line = 166 matchedText = ${r}----...j}\r
Critical
Secret Pattern

OpenSSH private key in overwire.cjs

overwire.cjsView on unpkg · L166
174patternName = private_key_openssh severity = critical line = 174 matchedText = ${r}`}};...----
Critical
Secret Pattern

OpenSSH private key in overwire.cjs

overwire.cjsView on unpkg · L174
10(Did you mean one of ${n.join(", ")}?)`:n.length===1?` L11: (Did you mean ${n[0]}?)`:""}d4.suggestSimilar=Tee});var y4=P(g4=>{var Oee=require("node:events").EventEmitter,eR=require("node:child_process"),oa=require("node:path"),tR=require("n... L12: - specify the name in Command constructor or using .name()`);return r=r||{},r.isDefault&&(this._defaultCommandName=e._name),(r.noHelp||r.hidden)&&(e._hidden=!0),this._registerComma...
High
Child Process

Package source references child process execution.

overwire.cjsView on unpkg · L10
13Expecting one of '${n.join("', '")}'`);return this._lifeCycleHooks[e]?this._lifeCycleHooks[e].push(r):this._lifeCycleHooks[e]=[r],this}exitOverride(e){return e?this._exitCallback=e... L14: - already used by option '${r.flags}'`)}this.options.push(e)}_registerCommand(e){let r=i=>[i.name()].concat(i.aliases()),n=r(e).find(i=>this._findCommand(i));if(n){let i=r(this._f... L15: - if '${e._name}' is not meant to be an executable command, remove description parameter from '.command()' and use '.description()' instead
High
Shell

Package source references shell execution.

overwire.cjsView on unpkg · L13
162[redacted]\r L163: -----END PRIVATE KEY-----`,e=Buffer.from("a"),r,n;try{r=Sa.sign(null,e,t),n=Sa.verify(null,e,t,r)}catch{}return Buffer.isBuffer(r)&&r.length===64&&n===!0}return!1})(),Y3=typeof Sa.... L164: `);return e.length&63&&(r+=` L165: `),`-----BEGIN ${t} KEY----- L166: ${r}-----END ${t} KEY-----`}function bg(t,e){let r=Buffer.allocUnsafe(t.length+e.length);return r.set(t,0),r.set(e,t.length),r}function u1(t,e){let r=t.length,n=t._pos||0;for(let i... L167: `),Wde=8192,Gde=1024,Z6=Buffer.from([je.GLOBAL_REQUEST,0,0,0,21,107,101,101,112,97,108,105,118,101,64,111,112,101,110,115,115,104,46,99,111,109,1]),zde=Buffer.from([P1.TTY_OP_END])... ... L177: `),a+=D}{let q=h.pub.base64Slice(0,h.pub.length);c=`${h.sshName} ${q}${o?` ${o}`:""}`}return a+=`-----END OPENSSH PRIVATE KEY----- L178: `,{private:a,public:c}}default:throw new Error("Invalid output key format")}}function Bhe(){}aH.exports={generateKeyPair:(t,e,r)=>{typeof e=="function"&&(r=e,e=void 0),typeof r!="f... L179: `).join(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

overwire.cjsView on unpkg · L162
156`?yield*this.pushCount(1):e==="\r"&&this.charAt(1)===` L157: `?yield*this.pushCount(2):0}*pushSpaces(e){let r=this.pos-1,n;do n=this.buffer[++r];while(n===" "||e&&n===" ");let i=r-this.pos;return i>0&&(yield this.buffer.substr(this.pos,i),th... L158: `)+1;for(;r!==0;)this.onNewLine(this.offset+r),r=this.source.indexOf(` ... L160: `)+1;for(;r!==0;)this.onNewLine(this.offset+r),r=this.source.indexOf(` L161: `,r)+1}return{type:e,offset:this.offset,indent:this.indent,source:this.source}}startBlockValue(e){switch(this.type){case"alias":case"scalar":case"single-quoted-scalar":case"double-... L162: [redacted]\r L163: -----END PRIVATE KEY-----`,e=Buffer.from("a"),r,n;try{r=Sa.sign(null,e,t),n=Sa.verify(null,e,t,r)}catch{}return Buffer.isBuffer(r)&&r.length===64&&n===!0}return!1})(),Y3=typeof Sa.... L164: `);return e.length&63&&(r+=` L165: `),`-----BEGIN ${t} KEY----- L166: ${r}-----END ${t} KEY-----`}function bg(t,e){let r=Buffer.allocUnsafe(t.length+e.length);return r.set(t,0),r.set(e,t.length),r}function u1(t,e){let r=t.length,n=t._pos||0;for(let i... L167: `),Wde=8192,Gde=1024,Z6=Buffer.from([je.GLOBAL_REQUEST,0,0,0,21,107,101,
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

overwire.cjsView on unpkg · L156
173`;this.message=e===void 0?r:`${e} L174: ${r}`}};var tfe=2**32,uj=(()=>{try{return new Function("return 2n ** 32n")()}catch{}})();Ig.ERR_OUT_OF_RANGE=class fj extends RangeError{constructor(e,r,n,i){super(),Error.captureS... L175: `,c,l=Buffer.from(s?s.cipherName:"none"),u=Buffer.from(s?s.kdfName:"none"),d=s?s.kdfOptions:Buffer.alloc(0),f=s?s.cipher.blockLen:8,h=Mhe(t,e,r),m=iH(4),p=Buffer.from(o),y=8+h.priv...
Low
Eval

Package source references a known benign dynamic code generation pattern.

overwire.cjsView on unpkg · L173
1#!/usr/bin/env node L2: "use strict";var gee=Object.create;var Hk=Object.defineProperty;var yee=Object.getOwnPropertyDescriptor;var vee=Object.getOwnPropertyNames;var wee=Object.getPrototypeOf,bee=Object.... L3: `).replace(/^/gm," ".repeat(s))}let l=[`Usage: ${r.commandUsage(e)}`,""],u=r.commandDescription(e);u.length>0&&(l=l.concat([r.wrap(u,i,0),""]));let d=r.visibleArguments(e).map(m=>a... ... L10: (Did you mean one of ${n.join(", ")}?)`:n.length===1?` L11: (Did you mean ${n[0]}?)`:""}d4.suggestSimilar=Tee});var y4=P(g4=>{var Oee=require("node:events").EventEmitter,eR=require("node:child_process"),oa=require("node:path"),tR=require("n... L12: - specify the name in Command constructor or using .name()`);return r=r||{},r.isDefault&&(this._defaultCommandName=e._name),(r.noHelp||r.hidden)&&(e._hidden=!0),this._registerComma... ... L72: `;return`${m} L73: ${i}${h}`}else return`${f}${o}${d.join(" ")}${o}${h}`}function Fw({indent:t,options:{commentString:e}},r,n,i){if(n&&i&&(n=n.replace(/^\n+/,"")),n){let s=$w.indentComment(e(n),t);r.... L74: `:" ")}return xre.stringifyString({comment:t,type:e,value:a},n,i,s)}};Oq.binary=Ire});var Jw=P(Yw=>{"use strict";var Vw=Ot(),UR=sc(),Tre=Gr()
Low
Weak Crypto

Package source references weak cryptographic algorithms.

overwire.cjsView on unpkg · L1

Findings

4 Critical5 High3 Medium6 Low
CriticalCritical Secretoverwire.cjs
CriticalSecret Patternoverwire.cjs
CriticalSecret Patternoverwire.cjs
CriticalSecret Patternoverwire.cjs
HighChild Processoverwire.cjs
HighShelloverwire.cjs
HighSame File Env Network Executionoverwire.cjs
HighCommand Output Exfiltrationoverwire.cjs
HighObfuscated
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowEvaloverwire.cjs
LowWeak Cryptooverwire.cjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License