registry  /  sdlc-agent-4-enterprise-server  /  1.8.0

sdlc-agent-4-enterprise-server@1.8.0

Code Intelligence MCP Server — multi-agent SDLC pipeline with semantic memory, code graph, and draw.io integration

Static Scan Results

scanned 5h ago · by rust-scanner

Static analysis flagged 47 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,172 file(s), 8.29 MB of source, external domains: 127.0.0.1, api-inference.huggingface.co, api.302.ai, api.abacus.ai, api.abliteration.ai, api.aihubmix.com, api.ambient.ai, api.anthropic.com, api.anyapi.io, api.atomic.chat, api.auriko.com, api.bailing.ai, api.berget.ai, api.cerebras.ai, api.chutes.ai, api.clarifai.com, api.claudinio.com, api.cohere.com, api.cortecs.ai, api.crofai.com, api.d.run, api.deepinfra.com, api.deepseek.com, api.digitalocean.com, api.dinference.com, api.duckduckgo.com, api.evroc.com, api.fastrouter.ai, api.fireworks.ai, api.freemodel.ai, api.frogbot.ai, api.github.com, api.gmi.ai, api.groq.com, api.hpc-ai.com, api.hunyuan.cloud.tencent.com, api.hyperbolic.xyz, api.iflow.ai, api.inception.ai, api.inceptron.ai, api.inference.net, api.io.net, api.jiekou.ai, api.kenari.ai, api.kuae.cloud, api.lilac.ai, api.llama-api.com, api.llmtr.com, api.longcat.ai, api.lucidquery.com

Source & flagged code

37 flagged · loading source
dist/modules/memory/masking/__tests__/CredentialDetector.test.jsView file
11patternName = github_pat severity = critical line = 11 matchedText = const r ...x');
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/modules/memory/masking/__tests__/CredentialDetector.test.jsView on unpkg · L11
11patternName = github_pat severity = critical line = 11 matchedText = const r ...x');
Critical
Secret Pattern

GitHub personal access token in dist/modules/memory/masking/__tests__/CredentialDetector.test.js

dist/modules/memory/masking/__tests__/CredentialDetector.test.jsView on unpkg · L11
32patternName = private_key_rsa severity = critical line = 32 matchedText = const r ...-');
Critical
Secret Pattern

RSA private key in dist/modules/memory/masking/__tests__/CredentialDetector.test.js

dist/modules/memory/masking/__tests__/CredentialDetector.test.jsView on unpkg · L32
extension/scripts/gen-checksums.jsView file
10const crypto = require("crypto"); L11: const { execSync } = require("child_process"); L12:
High
Child Process

Package source references child process execution.

extension/scripts/gen-checksums.jsView on unpkg · L10
tests/e2e/setup/global-setup.tsView file
60stdio: ['ignore', 'pipe', 'pipe'], L61: shell: true, L62: });
High
Shell

Package source references shell execution.

tests/e2e/setup/global-setup.tsView on unpkg · L60
48const serverEntry = path.resolve(__dirname, '../../../src/index.ts'); L49: serverProcess = spawn('npx', ['tsx', serverEntry], { L50: cwd: path.resolve(__dirname, '../../..'),
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

tests/e2e/setup/global-setup.tsView on unpkg · L48
extension/webview-assets/3d-force-graph.min.jsView file
1// Version 1.80.0 3d-force-graph - https://github.com/vasturiano/3d-force-graph L2: !function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(e="undefined"!=typeof globalThis?globalThis:... L3: // <http://www.w3.org/TR/2008/REC-WCAG20-20081211/#contrast-ratiodef (WCAG Version 2) L4: // Analyze the 2 colors and returns the color contrast defined by (WCAG Version 2) L5: op.readability=function(e,t){var n=op(e),i=op(t);return(Math.max(n.getLuminance(),i.getLuminance())+.05)/(Math.min(n.getLuminance(),i.getLuminance())+.05)},op.isReadable=function(e...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

extension/webview-assets/3d-force-graph.min.jsView on unpkg · L1
1// Version 1.80.0 3d-force-graph - https://github.com/vasturiano/3d-force-graph L2: !function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(e="undefined"!=typeof globalThis?globalThis:... L3: // <http://www.w3.org/TR/2008/REC-WCAG20-20081211/#contrast-ratiodef (WCAG Version 2)
Low
Eval

Package source references a known benign dynamic code generation pattern.

extension/webview-assets/3d-force-graph.min.jsView on unpkg · L1
extension/tests/mcp-bridge.test.jsView file
35Object.defineProperty(exports, "__esModule", { value: true }); L36: const vitest_1 = require("vitest"); L37: const fs = __importStar(require("fs"));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

extension/tests/mcp-bridge.test.jsView on unpkg · L35
dist/engine/tools/drawio-renderers.jsView file
1import * as fs from 'fs'; L2: import { execSync } from 'child_process'; L3: let _cachedDrawioCliPath = null; ... L13: const candidates = []; L14: if (process.platform === 'win32') { L15: candidates.push('C:\\Program Files\\draw.io\\draw.io.exe', `${process.env.LOCALAPPDATA || ''}\\Programs\\draw.io\\draw.io.exe`, `${process.env.PROGRAMFILES || ''}\\draw.io\\draw.io... L16: } ... L43: const xml = fs.readFileSync(inputPath, 'utf-8'); L44: const encoded = Buffer.from(xml).toString('base64'); L45: const viewerUrl = `https://viewer.diagrams.net/?lightbox=1&nav=0#R${encoded}`; L46: await orchestrationEngine.executeUpstreamTool('chrome-devtools-mcp', 'navigate_page', {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/engine/tools/drawio-renderers.jsView on unpkg · L1
src/engine/parsers/grammars/tree-sitter-go.wasmView file
path = [redacted]-sitter-go.wasm kind = wasm_module sizeBytes = 217182 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

src/engine/parsers/grammars/tree-sitter-go.wasmView on unpkg
extension/scripts/capture-screenshots.pyView file
path = extension/scripts/capture-screenshots.py kind = build_helper sizeBytes = 1578 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

extension/scripts/capture-screenshots.pyView on unpkg
src/engine/parsers/languages/__tests__/fixtures/simple-function.pyView file
path = src/engine/parsers/languages/__tests__/fixtures/simple-function.py kind = payload_in_excluded_dir sizeBytes = 1514 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

src/engine/parsers/languages/__tests__/fixtures/simple-function.pyView on unpkg
dist/admin/__tests__/admin-db.test.jsView file
24patternName = generic_password severity = medium line = 24 matchedText = const pa...s!';
Medium
Secret Pattern

Hardcoded password in dist/admin/__tests__/admin-db.test.js

dist/admin/__tests__/admin-db.test.jsView on unpkg · L24
dist/modules/memory/masking/detectors/CredentialDetector.jsView file
4patternName = generic_password severity = medium line = 4 matchedText = password...,}',
Medium
Secret Pattern

Hardcoded password in dist/modules/memory/masking/detectors/CredentialDetector.js

dist/modules/memory/masking/detectors/CredentialDetector.jsView on unpkg · L4
tests/integration/auth.test.tsView file
81patternName = generic_password severity = medium line = 81 matchedText = body: JS... }),
Medium
Secret Pattern

Hardcoded password in tests/integration/auth.test.ts

tests/integration/auth.test.tsView on unpkg · L81
147patternName = generic_password severity = medium line = 147 matchedText = password...23',
Medium
Secret Pattern

Hardcoded password in tests/integration/auth.test.ts

tests/integration/auth.test.tsView on unpkg · L147
159patternName = generic_password severity = medium line = 159 matchedText = body: JS... }),
Medium
Secret Pattern

Hardcoded password in tests/integration/auth.test.ts

tests/integration/auth.test.tsView on unpkg · L159
166patternName = generic_password severity = medium line = 166 matchedText = body: JS... }),
Medium
Secret Pattern

Hardcoded password in tests/integration/auth.test.ts

tests/integration/auth.test.tsView on unpkg · L166
209patternName = generic_password severity = medium line = 209 matchedText = password...23',
Medium
Secret Pattern

Hardcoded password in tests/integration/auth.test.ts

tests/integration/auth.test.tsView on unpkg · L209
227patternName = generic_password severity = medium line = 227 matchedText = body: JS... }),
Medium
Secret Pattern

Hardcoded password in tests/integration/auth.test.ts

tests/integration/auth.test.tsView on unpkg · L227
251patternName = generic_password severity = medium line = 251 matchedText = password...23',
Medium
Secret Pattern

Hardcoded password in tests/integration/auth.test.ts

tests/integration/auth.test.tsView on unpkg · L251
262patternName = generic_password severity = medium line = 262 matchedText = body: JS... }),
Medium
Secret Pattern

Hardcoded password in tests/integration/auth.test.ts

tests/integration/auth.test.tsView on unpkg · L262
279patternName = generic_password severity = medium line = 279 matchedText = body: JS... }),
Medium
Secret Pattern

Hardcoded password in tests/integration/auth.test.ts

tests/integration/auth.test.tsView on unpkg · L279
287patternName = generic_password severity = medium line = 287 matchedText = body: JS... }),
Medium
Secret Pattern

Hardcoded password in tests/integration/auth.test.ts

tests/integration/auth.test.tsView on unpkg · L287
tests/e2e/admin-api.e2e.test.tsView file
83patternName = generic_password severity = medium line = 83 matchedText = body: JS... }),
Medium
Secret Pattern

Hardcoded password in tests/e2e/admin-api.e2e.test.ts

tests/e2e/admin-api.e2e.test.tsView on unpkg · L83
122patternName = generic_password severity = medium line = 122 matchedText = password...3!',
Medium
Secret Pattern

Hardcoded password in tests/e2e/admin-api.e2e.test.ts

tests/e2e/admin-api.e2e.test.tsView on unpkg · L122
257patternName = generic_password severity = medium line = 257 matchedText = password...3!',
Medium
Secret Pattern

Hardcoded password in tests/e2e/admin-api.e2e.test.ts

tests/e2e/admin-api.e2e.test.tsView on unpkg · L257
tests/e2e/multi-tenant.e2e.test.tsView file
124patternName = generic_password severity = medium line = 124 matchedText = password...ss',
Medium
Secret Pattern

Hardcoded password in tests/e2e/multi-tenant.e2e.test.ts

tests/e2e/multi-tenant.e2e.test.tsView on unpkg · L124
140patternName = generic_password severity = medium line = 140 matchedText = password...ss',
Medium
Secret Pattern

Hardcoded password in tests/e2e/multi-tenant.e2e.test.ts

tests/e2e/multi-tenant.e2e.test.tsView on unpkg · L140
155patternName = generic_password severity = medium line = 155 matchedText = body: JS... }),
Medium
Secret Pattern

Hardcoded password in tests/e2e/multi-tenant.e2e.test.ts

tests/e2e/multi-tenant.e2e.test.tsView on unpkg · L155
171patternName = generic_password severity = medium line = 171 matchedText = body: JS... }),
Medium
Secret Pattern

Hardcoded password in tests/e2e/multi-tenant.e2e.test.ts

tests/e2e/multi-tenant.e2e.test.tsView on unpkg · L171
341patternName = generic_password severity = medium line = 341 matchedText = password...23',
Medium
Secret Pattern

Hardcoded password in tests/e2e/multi-tenant.e2e.test.ts

tests/e2e/multi-tenant.e2e.test.tsView on unpkg · L341
src/admin/__tests__/admin-db.test.tsView file
58patternName = generic_password severity = medium line = 58 matchedText = const pa...s!';
Medium
Secret Pattern

Hardcoded password in src/admin/__tests__/admin-db.test.ts

src/admin/__tests__/admin-db.test.tsView on unpkg · L58
src/modules/memory/masking/__tests__/CredentialDetector.test.tsView file
14patternName = github_pat severity = critical line = 14 matchedText = const r ...x');
Critical
Secret Pattern

GitHub personal access token in src/modules/memory/masking/__tests__/CredentialDetector.test.ts

src/modules/memory/masking/__tests__/CredentialDetector.test.tsView on unpkg · L14
39patternName = private_key_rsa severity = critical line = 39 matchedText = const r ...-');
Critical
Secret Pattern

RSA private key in src/modules/memory/masking/__tests__/CredentialDetector.test.ts

src/modules/memory/masking/__tests__/CredentialDetector.test.tsView on unpkg · L39
src/modules/memory/masking/detectors/CredentialDetector.tsView file
7patternName = generic_password severity = medium line = 7 matchedText = password...,}',
Medium
Secret Pattern

Hardcoded password in src/modules/memory/masking/detectors/CredentialDetector.ts

src/modules/memory/masking/detectors/CredentialDetector.tsView on unpkg · L7

Findings

5 Critical6 High29 Medium7 Low
CriticalCritical Secretdist/modules/memory/masking/__tests__/CredentialDetector.test.js
CriticalSecret Patterndist/modules/memory/masking/__tests__/CredentialDetector.test.js
CriticalSecret Patterndist/modules/memory/masking/__tests__/CredentialDetector.test.js
CriticalSecret Patternsrc/modules/memory/masking/__tests__/CredentialDetector.test.ts
CriticalSecret Patternsrc/modules/memory/masking/__tests__/CredentialDetector.test.ts
HighChild Processextension/scripts/gen-checksums.js
HighShelltests/e2e/setup/global-setup.ts
HighSame File Env Network Executionextension/webview-assets/3d-force-graph.min.js
HighSandbox Evasion Gated Capabilitydist/engine/tools/drawio-renderers.js
HighRuntime Package Installtests/e2e/setup/global-setup.ts
HighPayload In Excluded Dirsrc/engine/parsers/languages/__tests__/fixtures/simple-function.py
MediumDynamic Requireextension/tests/mcp-bridge.test.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Wasm Modulesrc/engine/parsers/grammars/tree-sitter-go.wasm
MediumShips Build Helperextension/scripts/capture-screenshots.py
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/admin/__tests__/admin-db.test.js
MediumSecret Patterndist/modules/memory/masking/detectors/CredentialDetector.js
MediumSecret Patterntests/integration/auth.test.ts
MediumSecret Patterntests/integration/auth.test.ts
MediumSecret Patterntests/integration/auth.test.ts
MediumSecret Patterntests/integration/auth.test.ts
MediumSecret Patterntests/integration/auth.test.ts
MediumSecret Patterntests/integration/auth.test.ts
MediumSecret Patterntests/integration/auth.test.ts
MediumSecret Patterntests/integration/auth.test.ts
MediumSecret Patterntests/integration/auth.test.ts
MediumSecret Patterntests/integration/auth.test.ts
MediumSecret Patterntests/e2e/admin-api.e2e.test.ts
MediumSecret Patterntests/e2e/admin-api.e2e.test.ts
MediumSecret Patterntests/e2e/admin-api.e2e.test.ts
MediumSecret Patterntests/e2e/multi-tenant.e2e.test.ts
MediumSecret Patterntests/e2e/multi-tenant.e2e.test.ts
MediumSecret Patterntests/e2e/multi-tenant.e2e.test.ts
MediumSecret Patterntests/e2e/multi-tenant.e2e.test.ts
MediumSecret Patterntests/e2e/multi-tenant.e2e.test.ts
MediumSecret Patternsrc/admin/__tests__/admin-db.test.ts
MediumSecret Patternsrc/modules/memory/masking/detectors/CredentialDetector.ts
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalextension/webview-assets/3d-force-graph.min.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings