registry  /  vaspera  /  2.17.0

vaspera@2.17.0

Enterprise security certification with deterministic scanners, cost tracking, and compliance mapping

Static Scan Results

scanned 12d ago · by rust-scanner

Static analysis flagged 49 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 321 file(s), 3.27 MB of source, external domains: adaptivecards.io, api.example.com, api.linear.app, api.vercel.com, app.com, app.example.com, aquasecurity.github.io, atlas.mitre.org, attacker.com, badges.vaspera.dev, bandit.readthedocs.io, brakemanscanner.org, cli.github.com, cloudkms.googleapis.com, company.atlassian.net, company.okta.com, company.service-now.com, cppcheck.sourceforge.io, custom-builder.com, custom.auth.com, custom.build, discord.com, docs.npmjs.com, eslint.org, eur-lex.europa.eu, evil.com, example.com, example.okta.com, github.com, hooks.example.com, hooks.slack.com, http-intake.logs.ap1.datadoghq.com, http-intake.logs.datadoghq.com, http-intake.logs.datadoghq.eu, http-intake.logs.ddog-gov.com, http-intake.logs.us3.datadoghq.com, http-intake.logs.us5.datadoghq.com, img.shields.io, in-toto.io, linear.app, metadata.google.internal, nuclei.projectdiscovery.io, opa.example.com, otel.example.com, outlook.office.com, owasp.org, raw.githubusercontent.com, registry.npmjs.org, reports.example.com, scim.example.com

Source & flagged code

41 flagged · loading source
dist/transcripts/redaction.test.jsView file
97patternName = github_pat severity = critical line = 97 matchedText = const re...x");
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/transcripts/redaction.test.jsView on unpkg · L97
97patternName = github_pat severity = critical line = 97 matchedText = const re...x");
Critical
Secret Pattern

GitHub personal access token in dist/transcripts/redaction.test.js

dist/transcripts/redaction.test.jsView on unpkg · L97
107patternName = aws_access_key severity = critical line = 107 matchedText = const re...E");
Critical
Secret Pattern

AWS access key ID in dist/transcripts/redaction.test.js

dist/transcripts/redaction.test.jsView on unpkg · L107
163patternName = github_pat severity = critical line = 163 matchedText = const re...x");
Critical
Secret Pattern

GitHub personal access token in dist/transcripts/redaction.test.js

dist/transcripts/redaction.test.jsView on unpkg · L163
127patternName = generic_password severity = medium line = 127 matchedText = const re..."');
Medium
Secret Pattern

Hardcoded password in dist/transcripts/redaction.test.js

dist/transcripts/redaction.test.jsView on unpkg · L127
dist/util/subprocess.jsView file
10*/ L11: import { execFile } from "child_process"; L12: export class CommandError extends Error {
High
Child Process

Package source references child process execution.

dist/util/subprocess.jsView on unpkg · L10
dist/agents/adversary/tactics/injection.jsView file
144name: "Eval with User Input", L145: description: "eval() with potentially user-controlled input", L146: cwe: "CWE-94",
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/agents/adversary/tactics/injection.jsView on unpkg · L144
dist/plugins/loader.jsView file
300// Dynamic import L301: const module = await import(modulePath); L302: const fn = exportName === "default" ? module.default : module[exportName];
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugins/loader.jsView on unpkg · L300
dist/exporters/checkmarx.jsView file
1/** L2: * Checkmarx Exporter
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/exporters/checkmarx.jsView on unpkg · L1
dist/scanners/dast/zap.jsView file
14*/ L15: const ZAP_API_URL = process.env.ZAP_API_URL || "http://localhost:8080"; L16: const ZAP_API_KEY = process.env.ZAP_API_KEY || ""; ... L22: // Try docker first L23: const dockerChild = spawn("docker", ["images", "owasp/zap2docker-stable", "--format", "{{.Repository}}"], { L24: timeout: 10000,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/scanners/dast/zap.jsView on unpkg · L14
dist/enterprise/signing/kms.jsView file
28const digest = createHash("sha256").update(content).digest(); L29: const digestBase64 = digest.toString("base64"); L30: // Build AWS Signature Version 4 request ... L87: } L88: const url = `https://kms.${region}.amazonaws.com/`; L89: const host = `kms.${region}.amazonaws.com`; ... L201: }, L202: body: JSON.stringify(body), L203: }); ... L218: try { L219: const response = await fetch("http://metadata.google.[redacted]-accounts/default/token", { L220: headers: { "Metadata-Flavor": "Google" },
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/enterprise/signing/kms.jsView on unpkg · L28
dist/enterprise/signing/kms.test.jsView file
97patternName = aws_access_key severity = critical line = 97 matchedText = accessKe...LE",
Critical
Secret Pattern

AWS access key ID in dist/enterprise/signing/kms.test.js

dist/enterprise/signing/kms.test.jsView on unpkg · L97
dist/enterprise/auth/oidc.test.jsView file
177patternName = supabase_service_key severity = critical line = 177 matchedText = const mo...RE";
Critical
Secret Pattern

Supabase service role key (JWT) in dist/enterprise/auth/oidc.test.js

dist/enterprise/auth/oidc.test.jsView on unpkg · L177
203patternName = supabase_service_key severity = critical line = 203 matchedText = const mo...RE";
Critical
Secret Pattern

Supabase service role key (JWT) in dist/enterprise/auth/oidc.test.js

dist/enterprise/auth/oidc.test.jsView on unpkg · L203
222patternName = supabase_service_key severity = critical line = 222 matchedText = const mo...RE";
Critical
Secret Pattern

Supabase service role key (JWT) in dist/enterprise/auth/oidc.test.js

dist/enterprise/auth/oidc.test.jsView on unpkg · L222
233patternName = supabase_service_key severity = critical line = 233 matchedText = const mo...RE";
Critical
Secret Pattern

Supabase service role key (JWT) in dist/enterprise/auth/oidc.test.js

dist/enterprise/auth/oidc.test.jsView on unpkg · L233
276patternName = supabase_service_key severity = critical line = 276 matchedText = const mo...RE";
Critical
Secret Pattern

Supabase service role key (JWT) in dist/enterprise/auth/oidc.test.js

dist/enterprise/auth/oidc.test.jsView on unpkg · L276
281patternName = supabase_service_key severity = critical line = 281 matchedText = const mo...RE";
Critical
Secret Pattern

Supabase service role key (JWT) in dist/enterprise/auth/oidc.test.js

dist/enterprise/auth/oidc.test.jsView on unpkg · L281
286patternName = supabase_service_key severity = critical line = 286 matchedText = const mo...RE";
Critical
Secret Pattern

Supabase service role key (JWT) in dist/enterprise/auth/oidc.test.js

dist/enterprise/auth/oidc.test.jsView on unpkg · L286
291patternName = supabase_service_key severity = critical line = 291 matchedText = const mo...RE";
Critical
Secret Pattern

Supabase service role key (JWT) in dist/enterprise/auth/oidc.test.js

dist/enterprise/auth/oidc.test.jsView on unpkg · L291
dist/__tests__/logger-redaction.test.jsView file
44patternName = github_pat severity = critical line = 44 matchedText = detail: ...aa",
Critical
Secret Pattern

GitHub personal access token in dist/__tests__/logger-redaction.test.js

dist/__tests__/logger-redaction.test.jsView on unpkg · L44
53patternName = github_pat severity = critical line = 53 matchedText = url: "ht...po",
Critical
Secret Pattern

GitHub personal access token in dist/__tests__/logger-redaction.test.js

dist/__tests__/logger-redaction.test.jsView on unpkg · L53
dist/scanners/secrets.test.jsView file
54patternName = aws_access_key severity = critical line = 54 matchedText = await wr...;`);
Critical
Secret Pattern

AWS access key ID in dist/scanners/secrets.test.js

dist/scanners/secrets.test.jsView on unpkg · L54
64patternName = github_pat severity = critical line = 64 matchedText = await wr...;`);
Critical
Secret Pattern

GitHub personal access token in dist/scanners/secrets.test.js

dist/scanners/secrets.test.jsView on unpkg · L64
73patternName = slack_bot_token severity = critical line = 73 matchedText = await wr...;`);
Critical
Secret Pattern

Slack bot token in dist/scanners/secrets.test.js

dist/scanners/secrets.test.jsView on unpkg · L73
82patternName = aws_access_key severity = critical line = 82 matchedText = await wr...pped
Critical
Secret Pattern

AWS access key ID in dist/scanners/secrets.test.js

dist/scanners/secrets.test.jsView on unpkg · L82
112patternName = private_key_rsa severity = critical line = 112 matchedText = await wr...----
Critical
Secret Pattern

RSA private key in dist/scanners/secrets.test.js

dist/scanners/secrets.test.jsView on unpkg · L112
127patternName = stripe_live_secret severity = critical line = 127 matchedText = await wr... key
Critical
Secret Pattern

Stripe live secret key in dist/scanners/secrets.test.js

dist/scanners/secrets.test.jsView on unpkg · L127
136patternName = stripe_live_secret severity = critical line = 136 matchedText = expect(f...c");
Critical
Secret Pattern

Stripe live secret key in dist/scanners/secrets.test.js

dist/scanners/secrets.test.jsView on unpkg · L136
144patternName = aws_access_key severity = critical line = 144 matchedText = const aw...LE";
Critical
Secret Pattern

AWS access key ID in dist/scanners/secrets.test.js

dist/scanners/secrets.test.jsView on unpkg · L144
145patternName = github_pat severity = critical line = 145 matchedText = const gi...xx";
Critical
Secret Pattern

GitHub personal access token in dist/scanners/secrets.test.js

dist/scanners/secrets.test.jsView on unpkg · L145
153patternName = slack_bot_token severity = critical line = 153 matchedText = await wr...;`);
Critical
Secret Pattern

Slack bot token in dist/scanners/secrets.test.js

dist/scanners/secrets.test.jsView on unpkg · L153
dist/scanners/deploy/index.jsView file
75patternName = generic_password severity = medium line = 75 matchedText = # pa...ass"
Medium
Secret Pattern

Hardcoded password in dist/scanners/deploy/index.js

dist/scanners/deploy/index.jsView on unpkg · L75
dist/scanners/runtime/golden-path-runner.jsView file
512patternName = generic_password severity = medium line = 512 matchedText = body: { ...g" }
Medium
Secret Pattern

Hardcoded password in dist/scanners/runtime/golden-path-runner.js

dist/scanners/runtime/golden-path-runner.jsView on unpkg · L512
520patternName = generic_password severity = medium line = 520 matchedText = body: { ...g" }
Medium
Secret Pattern

Hardcoded password in dist/scanners/runtime/golden-path-runner.js

dist/scanners/runtime/golden-path-runner.jsView on unpkg · L520
dist/commands/audits/secrets.jsView file
11patternName = private_key_rsa severity = critical line = 11 matchedText = - Privat...---)
Critical
Secret Pattern

RSA private key in dist/commands/audits/secrets.js

dist/commands/audits/secrets.jsView on unpkg · L11
dist/eval/fixtures.jsView file
255patternName = aws_access_key severity = critical line = 255 matchedText = export c...LE';
Critical
Secret Pattern

AWS access key ID in dist/eval/fixtures.js

dist/eval/fixtures.jsView on unpkg · L255
259patternName = stripe_live_secret severity = critical line = 259 matchedText = export c...dc';
Critical
Secret Pattern

Stripe live secret key in dist/eval/fixtures.js

dist/eval/fixtures.jsView on unpkg · L259
262patternName = github_pat severity = critical line = 262 matchedText = export c...xx';
Critical
Secret Pattern

GitHub personal access token in dist/eval/fixtures.js

dist/eval/fixtures.jsView on unpkg · L262
311patternName = private_key_rsa severity = critical line = 311 matchedText = export c...----
Critical
Secret Pattern

RSA private key in dist/eval/fixtures.js

dist/eval/fixtures.jsView on unpkg · L311
skills/vaspera-deploy/SKILL.mdView file
109patternName = generic_password severity = medium line = 109 matchedText = passwo...
Medium
Secret Pattern

Hardcoded password in skills/vaspera-deploy/SKILL.md

skills/vaspera-deploy/SKILL.mdView on unpkg · L109

Findings

30 Critical4 High9 Medium6 Low
CriticalCritical Secretdist/transcripts/redaction.test.js
CriticalSecret Patterndist/transcripts/redaction.test.js
CriticalSecret Patterndist/transcripts/redaction.test.js
CriticalSecret Patterndist/transcripts/redaction.test.js
CriticalSecret Patterndist/enterprise/signing/kms.test.js
CriticalSecret Patterndist/enterprise/auth/oidc.test.js
CriticalSecret Patterndist/enterprise/auth/oidc.test.js
CriticalSecret Patterndist/enterprise/auth/oidc.test.js
CriticalSecret Patterndist/enterprise/auth/oidc.test.js
CriticalSecret Patterndist/enterprise/auth/oidc.test.js
CriticalSecret Patterndist/enterprise/auth/oidc.test.js
CriticalSecret Patterndist/enterprise/auth/oidc.test.js
CriticalSecret Patterndist/enterprise/auth/oidc.test.js
CriticalSecret Patterndist/__tests__/logger-redaction.test.js
CriticalSecret Patterndist/__tests__/logger-redaction.test.js
CriticalSecret Patterndist/scanners/secrets.test.js
CriticalSecret Patterndist/scanners/secrets.test.js
CriticalSecret Patterndist/scanners/secrets.test.js
CriticalSecret Patterndist/scanners/secrets.test.js
CriticalSecret Patterndist/scanners/secrets.test.js
CriticalSecret Patterndist/scanners/secrets.test.js
CriticalSecret Patterndist/scanners/secrets.test.js
CriticalSecret Patterndist/scanners/secrets.test.js
CriticalSecret Patterndist/scanners/secrets.test.js
CriticalSecret Patterndist/scanners/secrets.test.js
CriticalSecret Patterndist/commands/audits/secrets.js
CriticalSecret Patterndist/eval/fixtures.js
CriticalSecret Patterndist/eval/fixtures.js
CriticalSecret Patterndist/eval/fixtures.js
CriticalSecret Patterndist/eval/fixtures.js
HighChild Processdist/util/subprocess.js
HighShell
HighSame File Env Network Executiondist/scanners/dast/zap.js
HighCloud Metadata Accessdist/enterprise/signing/kms.js
MediumDynamic Requiredist/plugins/loader.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/transcripts/redaction.test.js
MediumSecret Patterndist/scanners/deploy/index.js
MediumSecret Patterndist/scanners/runtime/golden-path-runner.js
MediumSecret Patterndist/scanners/runtime/golden-path-runner.js
MediumSecret Patternskills/vaspera-deploy/SKILL.md
LowScripts Present
LowEvaldist/agents/adversary/tactics/injection.js
LowWeak Cryptodist/exporters/checkmarx.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings