aws-cdk
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| typosquat | typosquat.levenshtein:aws-sdk | AI (typosquat): aws-cdk is the official AWS CDK CLI by Amazon; not a typosquat of aws-sdk — distinct, well-known packages. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): CLI tool passing env to child processes is expected behavior for CDK app execution. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): CDK CLI legitimately spawns child processes to execute CDK apps and run init commands. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): Expected for a CLI tool that runs user commands and initializes CDK projects. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Reading env keys to detect sandbox environments (CODEX_*) is benign config detection. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require of package.json to read version number is a standard, safe pattern. | ai | |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 2.1120.0 | 0 / 100 | |
| 2.1119.0 | 0 / 99 | |
| 2.1118.4 | 0 / 99 | |
| 2.1118.3 | 0 / 99 | |
| 2.1118.2 | 0 / 99 | |
| 2.1118.1 | 0 / 99 | |
| 2.1118.0 | 0 / 96 | |
| 2.1117.0 | 0 / 96 | |
| 2.1116.0 | 0 / 96 | |
| 2.1115.1 | 0 / 99 | |
| 2.1115.0 | 0 / 99 | |
v2.1120.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1119.0
3 findings:
Package name 'aws-cdk' is 1 edit away from popular package 'aws-sdk'.
Spreading entire process.env into an object, which may capture all secrets. The flagged call (scanner excerpt, truncated as shown) launches the CDK app with the parent's full environment:

```javascript
try {
  return await (0, api_1.execInChildProcess)(commandAndArgs, {
    env: {            // <- line flagged by the scanner
      ...process.env,
      ...env,
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1118.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1118.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1118.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1118.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1118.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1117.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1116.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1115.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1115.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.