← Home

projen

npm Repository Homepage
1
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

mrgrainamzn-ossprojen-automation

Keywords

cdkcicdgeneratormanagementprojectscaffolding

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
semgrep semgrep:env-spread AI (semgrep): Task runner intentionally merges process.env with task-specific env vars; core design of projen. ai
semgrep semgrep:child-process-import AI (semgrep): CLI synth tool legitimately spawns child processes; expected for a project scaffolding tool. ai
semgrep semgrep:dynamic-require AI (semgrep): Plugin/module loader pattern; projen dynamically loads project modules by design. ai
phantom-deps phantom-dep:shx AI (phantom-deps): shx is listed in both dependencies and bundledDependencies; phantom-dep is a false positive here. ai

Versions (showing 1 of 1)

Version Deps Published
0.91.20 14 / 30

v0.91.20

6 findings
HIGH env-spread: lib/run-task.cjs:1706 semgrep

Spreading entire process.env into an object — may capture all secrets 1704 | return; 1705 | } > 1706 | const merged = { ...process.env, ...this.env }; 1707 | const missing = new Array(); 1708 | for (const name of task.requiredEnv ?? []) {

HIGH env-spread: lib/run-task.cjs:1884 semgrep

Spreading entire process.env into an object — may capture all secrets 1882 | shell: true, 1883 | stdio: "inherit", > 1884 | env: { 1885 | ...process.env, 1886 | ...this.env,

HIGH env-spread: lib/task-runtime.js:90 semgrep

Spreading entire process.env into an object — may capture all secrets 88 | } 89 | // verify we required environment variables are defined > 90 | const merged = { ...process.env, ...this.env }; 91 | const missing = new Array(); 92 | for (const name of task.requiredEnv ?? []) {

HIGH env-spread: lib/task-runtime.js:267 semgrep

Spreading entire process.env into an object — may capture all secrets 265 | shell: true, 266 | stdio: "inherit", > 267 | env: { 268 | ...process.env, 269 | ...this.env,

HIGH env-spread: lib/util.js:56 semgrep

Spreading entire process.env into an object — may capture all secrets 54 | maxBuffer: MAX_BUFFER, 55 | cwd: options.cwd, > 56 | env: { 57 | ...process.env, 58 | ...options.modEnv,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.