
rekor-cli@0.1.96

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, NativeBindings, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 1 file(s), 167 KB of source, external domains: 127.0.0.1, api.rekor.pro, api.workos.com, engaging-tip-62.authkit.app, mcp.rekor.pro, raw.githubusercontent.com

Source & flagged code

4 flagged
dist/index.js

    L2750: import { Command as Command21 } from "commander";
    L2751: import { execFileSync } from "child_process";
    L2752:
High
Child Process

Package source references child process execution.

dist/index.js · L2750

    L2834: try {
    L2835:   latest = execFileSync("npm", ["view", NPM_PACKAGE, "version"], { timeout: 1e4, shell: true }).toString().trim();
    L2836: } catch {
High
Shell

Package source references shell execution.

dist/index.js · L2834

    L3677: if (opts.skill) touchCache(SKILL_CACHE_FILE);
    L3678: spawn(process.execPath, [entryPath, REFRESH_COMMAND], {
    L3679:   detached: true,
    ...
    L3683:   env: {
    L3684:     ...process.env,
    L3685:     [ENV_REFRESH_CLI]: opts.cli ? "1" : "",
    ...
    L3692: function refreshCliCache() {
    L3693:   return new Promise((resolve4) => {
    L3694:     execFile(
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.js · L3677

    L2834: try {
    L2835:   latest = execFileSync("npm", ["view", NPM_PACKAGE, "version"], { timeout: 1e4, shell: true }).toString().trim();
    L2836: } catch {
    L2837:   console.error(`Could not reach npm to check for updates.`);
    L2838:   console.error(`Try manually: npm install -g ${NPM_PACKAGE}`);
    L2839:   process.exit(1);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.js · L2834

Findings

4 High · 3 Medium · 5 Low

High · Child Process · dist/index.js
High · Shell · dist/index.js
High · Same File Env Network Execution · dist/index.js
High · Runtime Package Install · dist/index.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License