@cdktn/cli-core
CDK Terrain CLI Core, meant for internal use only
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): CLI tool passes process.env to subprocess (pipenv) with one override — standard pattern for build orchestration. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Filters process.env to exclude TF_VAR_ keys before passing to synth — intentional and documented behavior. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Loads cdktf.json config file via require(path) — standard config-loading pattern for CLI tools. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): CLI/build tool; child_process use in scaffold hooks is expected and benign. | ai | |
| phantom-deps | phantom-dep:execa | AI (phantom-deps): CLI tool; deps referenced in config/template files, not direct imports — stable FP for this package. | ai | |
| phantom-deps | phantom-dep:yargs | AI (phantom-deps): CLI tool; deps referenced in config/template files, not direct imports — stable FP for this package. | ai | |
| phantom-deps | phantom-dep:log4js | AI (phantom-deps): CLI tool; deps referenced in config/template files, not direct imports — stable FP for this package. | ai | |
| phantom-deps | phantom-dep:cross-fetch | AI (phantom-deps): CLI tool; deps referenced in config/template files, not direct imports — stable FP for this package. | ai | |
| phantom-deps | phantom-dep:detect-port | AI (phantom-deps): CLI tool; deps referenced in config/template files, not direct imports — stable FP for this package. | ai | |
| phantom-deps | phantom-dep:extract-zip | AI (phantom-deps): CLI tool; deps referenced in config/template files, not direct imports — stable FP for this package. | ai | |
| phantom-deps | phantom-dep:ink-spinner | AI (phantom-deps): CLI tool; deps referenced in config/template files, not direct imports — stable FP for this package. | ai | |
| phantom-deps | phantom-dep:jsii-pacmak | AI (phantom-deps): CLI tool; deps referenced in config/template files, not direct imports — stable FP for this package. | ai | |
| phantom-deps | phantom-dep:ink | AI (phantom-deps): CLI tool; deps referenced in config/template files, not direct imports — stable FP for this package. | ai | |
| phantom-deps | phantom-dep:jsii-rosetta | AI (phantom-deps): CLI tool; deps referenced in config/template files, not direct imports — stable FP for this package. | ai | |
| phantom-deps | phantom-dep:tunnel-agent | AI (phantom-deps): CLI tool; deps referenced in config/template files, not direct imports — stable FP for this package. | ai | |
| phantom-deps | phantom-dep:lodash.isequal | AI (phantom-deps): CLI tool; deps referenced in config/template files, not direct imports — stable FP for this package. | ai | |
| phantom-deps | phantom-dep:stream-buffers | AI (phantom-deps): CLI tool; deps referenced in config/template files, not direct imports — stable FP for this package. | ai | |
| phantom-deps | phantom-dep:@cdktn/hcl2json | AI (phantom-deps): Same-org dep used in templates/config; stable FP for this package. | ai | |
| phantom-deps | phantom-dep:parse-gitignore | AI (phantom-deps): CLI tool; deps referenced in config/template files, not direct imports — stable FP for this package. | ai | |
| phantom-deps | phantom-dep:follow-redirects | AI (phantom-deps): CLI tool; deps referenced in config/template files, not direct imports — stable FP for this package. | ai | |
| phantom-deps | phantom-dep:cli-spinners | AI (phantom-deps): CLI tool; deps referenced in config/template files, not direct imports — stable FP for this package. | ai | |
| phantom-deps | phantom-dep:jsii | AI (phantom-deps): CLI tool; deps referenced in config/template files, not direct imports — stable FP for this package. | ai | |
| phantom-deps | phantom-dep:open | AI (phantom-deps): CLI tool; deps referenced in config/template files, not direct imports — stable FP for this package. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): CLI tool; deps referenced in config/template files, not direct imports — stable FP for this package. | ai | |
Versions (showing 7 of 7)
| Version | Deps | Published |
|---|---|---|
| 0.23.3 | 24 / 10 | |
| 0.23.2 | 24 / 10 | |
| 0.23.1 | 24 / 13 | |
| 0.23.0 | 48 / 32 | |
| 0.22.1 | 49 / 42 | |
| 0.22.0 | 49 / 42 | |
| 0.21.0 | 49 / 42 | |
v0.23.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.23.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.23.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.23.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.22.1
2 findings: Spreading entire process.env into an object — may capture all secrets (flagged line marked with `>`):

```javascript
  215 | await (0, commons_1.exec)("pipenv", ["install", `${packageName}~=${packageVersion}`], {
  216 |   cwd: this.workingDirectory,
> 217 |   env: {
  218 |     ...process.env,
  219 |     PIPENV_QUIET: "1",
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.22.0
2 findings: Spreading entire process.env into an object — may capture all secrets (flagged line marked with `>`):

```javascript
  215 | await (0, commons_1.exec)("pipenv", ["install", `${packageName}~=${packageVersion}`], {
  216 |   cwd: this.workingDirectory,
> 217 |   env: {
  218 |     ...process.env,
  219 |     PIPENV_QUIET: "1",
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.21.0
2 findings: Spreading entire process.env into an object — may capture all secrets (flagged line marked with `>`):

```javascript
  215 | await (0, commons_1.exec)("pipenv", ["install", `${packageName}~=${packageVersion}`], {
  216 |   cwd: this.workingDirectory,
> 217 |   env: {
  218 |     ...process.env,
  219 |     PIPENV_QUIET: "1",
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.