registry  /  screwdriver-api  /  8.0.161

screwdriver-api@8.0.161

API server for the Screwdriver.cd service

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 191 file(s), 657 KB of source

Source & flagged code

8 flagged · loading source
config/default.yamlView file
7patternName = private_key_rsa severity = critical line = 7 matchedText = -----BEG...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

config/default.yamlView on unpkg · L7
7patternName = private_key_rsa severity = critical line = 7 matchedText = -----BEG...----
Critical
Secret Pattern

RSA private key in config/default.yaml

config/default.yamlView on unpkg · L7
200patternName = generic_password severity = medium line = 200 matchedText = # ...!!!"
Medium
Secret Pattern

Hardcoded password in config/default.yaml

config/default.yamlView on unpkg · L200
215patternName = generic_password severity = medium line = 215 matchedText = password...ORD"
Medium
Secret Pattern

Hardcoded password in config/default.yaml

config/default.yamlView on unpkg · L215
466patternName = generic_password severity = medium line = 466 matchedText = password...ORD"
Medium
Secret Pattern

Hardcoded password in config/default.yaml

config/default.yamlView on unpkg · L466
472patternName = generic_password severity = medium line = 472 matchedText = password...ORD"
Medium
Secret Pattern

Hardcoded password in config/default.yaml

config/default.yamlView on unpkg · L472
plugins/ratelimit.jsView file
2L3: const rateLimit = require('hapi-rate-limit'); L4: const config = require('config');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

plugins/ratelimit.jsView on unpkg · L2
package.jsonView file
Runtime dependency names matching Node built-ins: stream
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

2 Critical1 High7 Medium3 Low
CriticalCritical Secretconfig/default.yaml
CriticalSecret Patternconfig/default.yaml
HighNode Builtin Dependency Squatpackage.json
MediumDynamic Requireplugins/ratelimit.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patternconfig/default.yaml
MediumSecret Patternconfig/default.yaml
MediumSecret Patternconfig/default.yaml
MediumSecret Patternconfig/default.yaml
LowScripts Present
LowFilesystem
LowHigh Entropy Strings