
rekor-cli@0.1.97

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
  Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, NativeBindings, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: NoLicense
scanned 1 file(s), 171 KB of source, external domains: 127.0.0.1, api.rekor.pro, api.workos.com, engaging-tip-62.authkit.app, mcp.rekor.pro, raw.githubusercontent.com

Source & flagged code

4 flagged

dist/index.js
  L2796: import { Command as Command22 } from "commander";
  L2797: import { execFileSync } from "child_process";
  L2798:

High · Child Process

Package source references child process execution.

dist/index.js · L2796
dist/index.js
  L2880: try {
  L2881:   latest = execFileSync("npm", ["view", NPM_PACKAGE, "version"], { timeout: 1e4, shell: true }).toString().trim();
  L2882: } catch {

High · Shell

Package source references shell execution.

dist/index.js · L2880
dist/index.js
  L3749: if (opts.skill) touchCache(SKILL_CACHE_FILE);
  L3750: spawn(process.execPath, [entryPath, REFRESH_COMMAND], {
  L3751:   detached: true,
  ...
  L3755:   env: {
  L3756:     ...process.env,
  L3757:     [ENV_REFRESH_CLI]: opts.cli ? "1" : "",
  ...
  L3764: function refreshCliCache() {
  L3765:   return new Promise((resolve4) => {
  L3766:     execFile(

High · Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.js · L3749
dist/index.js
  L2880: try {
  L2881:   latest = execFileSync("npm", ["view", NPM_PACKAGE, "version"], { timeout: 1e4, shell: true }).toString().trim();
  L2882: } catch {
  L2883:   console.error(`Could not reach npm to check for updates.`);
  L2884:   console.error(`Try manually: npm install -g ${NPM_PACKAGE}`);
  L2885:   process.exit(1);

High · Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.js · L2880

Findings

4 High · 3 Medium · 5 Low

High    Child Process                       dist/index.js
High    Shell                               dist/index.js
High    Same File Env Network Execution     dist/index.js
High    Runtime Package Install             dist/index.js
Medium  Network
Medium  Environment Vars
Medium  Structural Risk Force Deep Review
Low     Scripts Present
Low     Filesystem
Low     High Entropy Strings
Low     Url Strings
Low     No License