← Home

@pipeline-builder/pipeline-manager

npm Repository Homepage

CLI for Pipeline Builder — self-service AWS CodePipeline platform with 124 reusable containerized plugins, per-org compliance enforcement, and multi-tenant isolation.

4
Versions
Apache-2.0
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

mwashburn160

Keywords

ci-cdcicdcontinuous-deliverydevopsself-serviceplatform-engineeringinternal-developer-platformdeveloper-platformawsaws-cdkcdkcodepipelinecodebuildcloudformationpipelinepipeline-as-codeinfrastructure-as-codeiaccompliancepolicy-as-codegovernancegolden-pathsmulti-tenantrbacaiai-pipeline-generationllmbedrockpluginsplugin-marketplacecontainerizeddockerkubernetestypescriptcli

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff obfuscated-file:dist/utils/platform-secret.js AI (source-diff): Readable compiled TypeScript/ESM; long lines from bundling, not obfuscation. ai
phantom-deps phantom-dep:@aws-sdk/client-sts AI (phantom-deps): AWS SDK STS is a legitimate transitive/peer dep for an AWS CLI tool; stable false positive. ai
source-diff obfuscated-file:dist/agent/ports.js AI (source-diff): Readable compiled TypeScript/ESM; long lines from bundling, not obfuscation. ai
source-diff obfuscated-file:dist/agent/bootstrap.js AI (source-diff): Compiled TypeScript ESM with full comments; long lines from bundler output, not obfuscation. ai
source-diff obfuscated-file:dist/agent/tools.js AI (source-diff): Compiled TypeScript ESM; long lines from bundler output, not obfuscation. ai
source-diff obfuscated-file:dist/agent/post-steps.js AI (source-diff): Compiled TypeScript ESM with full comments; long lines from bundler output, not obfuscation. ai
source-diff obfuscated-file:dist/agent/env-file.js AI (source-diff): Compiled TypeScript ESM with full comments; long lines from bundler output, not obfuscation. ai
source-diff obfuscated-file:dist/agent/health.js AI (source-diff): Readable compiled TS output; long lines from bundler, not obfuscation. ai
source-diff obfuscated-file:dist/agent/ai.js AI (source-diff): Readable compiled TS output; long lines from bundler, not obfuscation. Stable pattern for this package. ai
source-diff obfuscated-file:dist/agent/executor.js AI (source-diff): Readable compiled TS output; long lines from bundler, not obfuscation. ai
source-diff obfuscated-file:dist/agent/prereqs.js AI (source-diff): Readable compiled TS output; long lines from bundler, not obfuscation. ai
source-diff obfuscated-file:dist/commands/provision.js AI (source-diff): Readable compiled TS output; long lines from bundler, not obfuscation. ai
source-diff obfuscated-file:dist/agent/targets.js AI (source-diff): Readable compiled TS output; long lines from bundler, not obfuscation. ai
source-diff obfuscated-file:dist/agent/troubleshoot.js AI (source-diff): Readable compiled TS output; long lines from bundler, not obfuscation. ai
source-diff obfuscated-file:dist/commands/org-export.js AI (source-diff): File is standard tsc-compiled JS output, not obfuscated; long lines are TypeScript helper boilerplate. ai
source-diff obfuscated-file:dist/commands/store-registry-credentials.js AI (source-diff): Standard TypeScript compiler output with __importStar helpers; not obfuscated. ai
source-diff obfuscated-file:dist/utils/plugin-resolver.js AI (source-diff): Readable TypeScript-compiled output; long lines from bundled JS, not obfuscation. ai
source-diff obfuscated-file:dist/commands/register.js AI (source-diff): Readable TypeScript-compiled output with full JSDoc; not obfuscated. ai
source-diff obfuscated-file:dist/utils/registry.js AI (source-diff): Readable TypeScript-compiled output; STS/crypto usage is consistent with documented AWS registration flow. ai
source-diff obfuscated-file:dist/commands/audit-tokens.js AI (source-diff): Readable compiled TypeScript output; long lines are bundled AWS SDK code, not obfuscation. ai
source-diff obfuscated-file:dist/commands/audit-stacks.js AI (source-diff): Readable compiled TypeScript output; long lines are bundled AWS SDK code, not obfuscation. ai
phantom-deps phantom-dep:typescript AI (phantom-deps): typescript is declared in both devDependencies and dependencies (unusual but not malicious); phantom-dep fires because it's a build tool not directly imported in source. ai
source-diff obfuscated-file:dist/commands/validate-templates.js AI (source-diff): File is standard TypeScript compiler output (tsc CommonJS), not obfuscated. Long lines are from generated type-checking code, not malicious encoding. ai
phantom-deps phantom-dep:progress AI (phantom-deps): progress is a legitimate runtime dependency for CLI progress bars; phantom-dep heuristic fires because it may not be directly imported at the top level. ai

Versions (showing 4 of 146)

Version Deps Published
3.1.3 15 / 15
3.1.2 15 / 15
3.1.1 15 / 15
3.1.0 15 / 15

v3.1.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.1.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.1.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.