af-cicd

v0.1.7 suspicious
5.0
Medium Risk

shared cicd tooling

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package shows signs of potential misuse with its approach to handling environment variables and executing shell commands, though it lacks clear malicious intent.

  • Environment variable access for credentials poses a moderate risk.
  • Execution of shell commands without proper sanitization increases operational risk.

Per-check LLM notes
  • Network: The network calls to GitHub are likely for version control or dependency checks, which is normal for many packages.
  • Shell: The use of subprocess execution can be legitimate but increases risk if commands are not properly sanitized or controlled.
  • Obfuscation: No obfuscation patterns detected in the provided code snippets.
  • Credentials: The code appears to be accessing environment variables for credentials which could pose a risk if not properly secured and managed.
  • Metadata: The author has only one package and no linked GitHub repository, which raises some suspicion but not enough to conclusively determine malice.

🔬 Heuristic Checks

Outbound Network Calls score 3.0

Found 2 network call pattern(s)

  • i.github.com{path}" req = urllib.request.Request( url, headers={ "Authori
  • 8", }, ) with urllib.request.urlopen(req) as resp: return json.loads(resp.read().

Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution score 10.0

Found 5 shell execution pattern(s)

  • env.update(os.environ) subprocess.run(shlex.split(command), check=True, env=env) def run_checked
  • _output: result = subprocess.run( shlex.split(command), check
  • out else: subprocess.run(shlex.split(command), check=check, env=env) retu
  • the console """ ps = subprocess.check_output(shlex.split(command)) ps = ps.replace(b'\n', b'').decode
  • ode(command: str): return subprocess.run( shlex.split(command), check=False,

Credential Harvesting score 10.0

Found 6 credential access pattern(s)

  • """ aws_profile = os.environ.get('AWS_PROFILE', None) stdout(f"AWS_PROFILE is set to: {aws
  • _branch=target, token=os.environ.get("GITHUB_TOKEN"), ) sanitized_source_branch = config.get_sanitize
  • md(): github_whoami(token=os.environ.get("GITHUB_TOKEN")) @app.command(help='Say Hello') def hello(): run_sh
  • self.builds_channel = os.environ.get('SLACK_BUILDS_CHANNEL') self.releases_channel = os.environ.
  • self.releases_channel = os.environ.get('SLACK_RELEASES_CHANNEL') print(self.builds_channel)
  • channel) self.token = os.environ.get('SLACK_BOT_TOKEN') if not self.token: raise Exc

Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: allfly.io

Suspicious Page Links

All external links appear legitimate

Git Repository History

No GitHub repository linked

  • No GitHub repository link found

Maintainer History score 2.0

1 maintainer concern(s) found

  • Author "hello" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with af-cicd

Create a fully-functional Continuous Integration and Continuous Deployment (CI/CD) mini-app using the Python package 'af-cicd'. This app will serve as a simplified version of a CI/CD pipeline management tool designed to streamline the process of setting up, managing, and monitoring pipelines for different projects. Your task is to design and implement a web-based UI alongside backend services that integrate with 'af-cicd' to perform the following actions:

1. **Project Management**: Allow users to create, edit, and delete projects. Each project can have multiple pipelines associated with it.
2. **Pipeline Configuration**: Users should be able to configure pipelines for their projects. This includes specifying the stages (build, test, deploy), triggers (manual, schedule, webhook), and actions (shell scripts, Docker builds, etc.) within each stage.
3. **Execution and Monitoring**: Implement functionality to start pipeline executions manually or according to predefined schedules. Provide real-time status updates on pipeline runs including logs and notifications.
4. **Notifications**: Integrate notification systems such as email or Slack to alert users about the completion of pipeline runs or failures.
5. **Security**: Ensure that user authentication and authorization are implemented to protect access to sensitive configurations and data.

The 'af-cicd' package should be utilized throughout the development process to handle the core functionalities related to CI/CD operations. Specifically, use 'af-cicd' to manage pipeline definitions, trigger executions, monitor statuses, and manage logs. Additionally, explore how 'af-cicd' can enhance security measures within your CI/CD processes.

Your final deliverables should include a comprehensive documentation guide detailing setup instructions, API references, and usage examples. Also, ensure that your codebase is well-structured, modular, and follows best practices for web application development.