@aws-cdk/integ-runner
CDK Integration Testing Tool
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:lib/engines/proxy-agent.js | AI (source-diff): Readable compiled TS with inline sourcemap; implements a proxy agent cache, no malicious content. | ai | |
| source-diff | obfuscated-file:lib/engines/cdk-interface.js | AI (source-diff): File contains TypeScript-compiled JS with base64 inline sourcemap — not malicious obfuscation, standard TS build output. | ai | |
| source-diff | obfuscated-file:lib/engines/toolkit-lib.js | AI (source-diff): Legitimate bundled toolkit-lib engine code; long lines from bundler output, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/unstable-features.js | AI (source-diff): Readable feature-flag registry code; long-line flag from inline sourcemap, not obfuscation. | ai | |
| provenance | publisher-changed | AI (provenance): AWS CDK migrated to GitHub Actions CI publishing with SLSA provenance; consistent with org-wide pipeline change. | ai | |
| phantom-deps | phantom-dep:aws-cdk | AI (phantom-deps): aws-cdk is a peer/runtime dep referenced in config; phantom-dep heuristic false positive. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Standard subprocess env forwarding in CDK CLI runner; not exfiltration. | ai | |
| phantom-deps | phantom-dep:@aws-cdk/aws-service-spec | AI (phantom-deps): Same-org dep used indirectly; phantom-dep heuristic false positive. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): Bundled workerpool requireFoolWebpack pattern; well-known library internals. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): workerpool worker.run() pattern for dynamic function dispatch; stable library behavior. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in bundled workerpool/CDK plugin loader; expected for this tool. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): CLI integration runner inherently uses child_process to spawn CDK commands. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 2.197.19 | 2 / 45 | |
| 2.197.18 | 2 / 45 | |
| 2.197.17 | 2 / 45 | |
| 2.197.16 | 2 / 45 | |
| 2.197.15 | 2 / 45 | |
| 2.197.14 | 2 / 45 | |
| 2.197.13 | 2 / 44 | |
| 2.197.12 | 2 / 44 | |
| 2.197.11 | 2 / 43 | |
| 2.187.3 | 2 / 42 | |
| 2.187.2 | 2 / 42 | |
| 2.187.1 | 2 / 41 | |
| 2.187.0 | 2 / 41 | |
| 2.186.11 | 2 / 41 | |
| 2.186.10 | 2 / 41 | |
| 2.186.9 | 2 / 41 | |
| 2.186.8 | 2 / 41 | |
| 2.186.7 | 2 / 41 | |
| 2.186.6 | 2 / 41 | |
v2.197.19
2 findings:
- Spreading entire process.env into an object — may capture all secrets. Flagged code, as excerpted by the scanner (the marked line is the one the rule fired on):

```js
const proc = (0, child_process_1.spawnSync)(commandLine[0], commandLine.slice(1), {
  stdio: ['ignore', 'pipe', options.verbose ? 'inherit' : 'pipe'], // inherit STDERR in verbose mode
  env: {                // <- flagged: forwards the whole parent environment to the child
    ...process.env,
    ...options.env,
```

- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.197.18
6 findings:
- This version was published by a different npm account than previous versions on 2026-04-23. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (4 occurrences)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.197.17
6 findings:
- This version was published by a different npm account than previous versions on 2026-04-20. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (4 occurrences)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.197.16
6 findings:
- This version was published by a different npm account than previous versions on 2026-04-20. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (4 occurrences)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.197.15
6 findings:
- This version was published by a different npm account than previous versions on 2026-04-16. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (4 occurrences)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.197.14
6 findings:
- This version was published by a different npm account than previous versions on 2026-04-16. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (4 occurrences)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.197.13
6 findings:
- This version was published by a different npm account than previous versions on 2026-04-08. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (4 occurrences)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.197.12
6 findings:
- This version was published by a different npm account than previous versions on 2026-04-03. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (4 occurrences)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.197.11
5 findings:
- This version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (3 occurrences)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.187.3
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.187.2
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.187.1
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.187.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.186.11
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.186.10
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.186.9
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.186.8
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.186.7
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.186.6
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.