
sfdx-hardis@7.19.1

French-army-knife toolbox for Salesforce. Orchestrates base commands and assists users with interactive wizards to do much more than the native Salesforce CLI. Also lets you define a complete CI/CD pipeline and schedule a daily metadata backup and monitoring.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain: High Entropy Strings, Url Strings
Manifest: Copyleft License
scanned 351 file(s), 3.90 MB of source, external domains: api.atlassian.com, api.status.salesforce.com, appexchange.salesforce.com, bitbucket.org, cdnjs.cloudflare.com, cloudity.com, define.jira, dev.azure.com, developer.salesforce.com, dora.dev, frenchtouchdreamin.com, github.com, help.salesforce.com, help.sfdmu.com, learn.microsoft.com, leblog.hardis-group.com, login.salesforce.com, marketplace.visualstudio.com, mermaid.live, myclient--preprod.sandbox.lightning.force.com, myclient.lightning.force.com, mycompany.atlassian.net, mycompany.my.salesforce.com, myorg.salesforce.com, nicolas.vuillamy.fr, raw.githubusercontent.com, salesforce.stackexchange.com, schemas.xmlsoap.org, sfdx-hardis.cloudity.com, soap.sforce.com, squidfunk.github.io, status.salesforce.com, test.salesforce.com, www.cloudity.com, www.googletagmanager.com, www.linkedin.com, www.python.org, www.sfdcpoint.com, www.w3.org, www.youtube.com, your-instance.service-now.com

Source & flagged code

7 flagged
package.json
scripts.postinstall = yarn husky install || echo "Unable to install Husky. If you are in a CI/CD job, that's ok !"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = yarn husky install || echo "Unable to install Husky. If you are in a CI/CD job, that's ok !"
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
lib/common/websocketClient.js
L248: const fileUrl = 'file://' + commandPath.replace(/\\/g, '/');
L249: const imported = await import(fileUrl);
L250: const CommandClass = imported.default;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/common/websocketClient.js · L248
lib/common/utils/filesUtils.js
L17: import { getApiVersion, getReportDirectory } from '../../config/index.js';
L18: import { WebSocketClient } from '../websocketClient.js';
L19: import { FileDownloader } from './fileDownloader.js';
...
L446: const folderPath = path.dirname(outputFile)
L447:   .replace(process.cwd(), '')
L448:   .replace(this.exportedFilesFolder, '')
...
L546: fileSizeKB = Math.round(stats.size / 1024); // Convert bytes to KB
L547: // Validate existing file (always have validation data: checksum for ContentVersion, size for Attachment)
L548: const validation = await this.validateDownloadedFile(outputFile, expectedSize, expectedChecksum);
...
L905: PathOnClient: file,
L906: VersionData: fileData.toString('base64'),
L907: };
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/common/utils/filesUtils.js · L17
lib/common/gitProvider/bitbucket.js
L3: import fs from "fs-extra";
L4: import FormData from 'form-data';
L5: import * as path from "path";
...
L13: bitbucket;
L14: serverUrl = 'https://bitbucket.org';
L15: token;
...
L17: super();
L18: this.token = process.env.CI_SFDX_HARDIS_BITBUCKET_TOKEN || '';
L19: // A Bitbucket repository/workspace Access Token authenticates as a Bearer
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

lib/common/gitProvider/bitbucket.js · L3
defaults/empty.tgz
path = defaults/empty.tgz kind = compressed_blob sizeBytes = 0
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

defaults/empty.tgz
path = defaults/empty.tgz kind = nested_archive_needs_inspection sizeBytes = 0
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

defaults/empty.tgz

Findings

2 High · 6 Medium · 8 Low

High · Install Time Lifecycle Scripts · package.json
High · Sandbox Evasion Gated Capability · lib/common/gitProvider/bitbucket.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · lib/common/websocketClient.js
Medium · Network
Medium · Environment Vars
Medium · Ships Compressed Blob · defaults/empty.tgz
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval
Low · Weak Crypto · lib/common/utils/filesUtils.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Nested Archive Needs Inspection · defaults/empty.tgz
Low · Copyleft License