registry  /  typekro  /  0.20.2

typekro@0.20.2

A control plane aware framework for orchestrating kubernetes resources like a programmer.

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 430 file(s), 2.92 MB of source, external domains: api.github.com, charts.apiseven.com, charts.jetstack.io, cloudnative-pg.github.io, dagster-io.github.io, github.com, helm.cilium.io, hydra.localhost, identity.localhost, json-schema.org, jupyterhub.github.io, k8s.ory.sh, kratos.localhost, kubernetes-sigs.github.io, oathkeeper-api.localhost, typekro.dev

Source & flagged code

4 flagged · loading source
package.jsonView file
name = typekro; similarTo = typeorm
Medium
Typosquat Name

Package name is suspiciously similar to a popular package name.

package.jsonView on unpkg
dist/core/deployment/kro-factory.jsView file
1582* L1583: * Uses `angular-expressions` for safe AST-based evaluation instead of `new Function()` / `eval()`. L1584: * Spec field references (e.g., `schema.spec.name`, `spec.replicas`) are resolved by passing the
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/core/deployment/kro-factory.jsView on unpkg · L1582
dist/core/expressions/analysis/source-map.jsView file
124*/ L125: import(data) { L126: if (data.version !== '1.0') {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/expressions/analysis/source-map.jsView on unpkg · L124
dist/core/yaml/path-resolver.jsView file
4*/ L5: import * as dns from 'node:dns/promises'; L6: import * as fs from 'node:fs'; ... L80: 'Verify the repository URL and path are correct', L81: 'For private repositories, ensure authentication is configured', L82: 'Try using a specific branch or tag: @main, @v1.0.0', ... L344: originalPath: filePath, L345: resolvedPath: path.isAbsolute(filePath) ? filePath : path.resolve(process.cwd(), filePath), L346: }; ... L474: // TODO: Add authentication support for private repositories L475: // 'Authorization': `token ${process.env.GITHUB_TOKEN}`, L476: },
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/core/yaml/path-resolver.jsView on unpkg · L4

Findings

1 High5 Medium6 Low
HighCloud Metadata Accessdist/core/yaml/path-resolver.js
MediumTyposquat Namepackage.json
MediumDynamic Requiredist/core/expressions/analysis/source-map.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/core/deployment/kro-factory.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings