ICUICU
critical

terraform-mcp-server

v0.13.0

MCP server for Terraform Registry operations

npm · thrashr888 · First seen Feb 22, 2026 · Source

143

Total

16

Critical

55

High

72

Medium

Findings

unknown
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

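Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive. Note that the finding header says High Confidence while this line says medium. The flagged line reads the `RATE_LIMIT_REQUESTS` environment variable through `process.env` and parses it as an integer with a default of 60; the excerpt shows no `.env` file being opened and no outbound use of the value, so on these lines alone the "Environment file access" and Data Exfiltration labels look like a pattern match on `process.env` rather than evidence of exfiltration.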

    29: // Rate limiting configuration
    30: export const RATE_LIMIT_ENABLED = process.env.RATE_LIMIT_ENABLED === "true";
>>> 31: export const RATE_LIMIT_REQUESTS = parseInt(process.env.RATE_LIMIT_REQUESTS || "60", 10);
    32: export const RATE_LIMIT_WINDOW_MS = parseInt(process.env.RATE_LIMIT_WINDOW_MS || "60000", 10);
    33: // Request timeouts in milliseconds
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    28: };
    29: // Rate limiting configuration
>>> 30: export const RATE_LIMIT_ENABLED = process.env.RATE_LIMIT_ENABLED === "true";
    31: export const RATE_LIMIT_REQUESTS = parseInt(process.env.RATE_LIMIT_REQUESTS || "60", 10);
    32: export const RATE_LIMIT_WINDOW_MS = parseInt(process.env.RATE_LIMIT_WINDOW_MS || "60000", 10);
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    21: };
    22: // Default compatibility info
>>> 23: export const DEFAULT_TERRAFORM_COMPATIBILITY = process.env.DEFAULT_TERRAFORM_COMPATIBILITY || "Terraform 0.12 and later";
    24: // Response statuses
    25: export const RESPONSE_STATUS = {
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    13: export const DEFAULT_NAMESPACE = process.env.DEFAULT_PROVIDER_NAMESPACE || "hashicorp";
    14: // Logging configuration
>>> 15: export const LOG_LEVEL = process.env.LOG_LEVEL || "info"; // Default log level
    16: export const LOG_LEVELS = {
    17:     ERROR: "error",
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    11: export const TFC_TOKEN = process.env.TFC_TOKEN;
    12: // Default namespace for providers when not specified
>>> 13: export const DEFAULT_NAMESPACE = process.env.DEFAULT_PROVIDER_NAMESPACE || "hashicorp";
    14: // Logging configuration
    15: export const LOG_LEVEL = process.env.LOG_LEVEL || "info"; // Default log level
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

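Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive. Of the DE-002 matches, this is the one that touches a credential: `TFC_TOKEN` is read from the environment and exported as a module-level constant. Reading it is expected for a Terraform Cloud client; what needs review is every place the constant is used — that it is only sent as an `Authorization` header to the hard-coded `TF_CLOUD_API_BASE` host and is never written to logs or tool output. The excerpt does not show those call sites.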

    9: // Terraform Cloud API configuration
    10: export const TF_CLOUD_API_BASE = "https://app.terraform.io/api/v2";
>>> 11: export const TFC_TOKEN = process.env.TFC_TOKEN;
    12: // Default namespace for providers when not specified
    13: export const DEFAULT_NAMESPACE = process.env.DEFAULT_PROVIDER_NAMESPACE || "hashicorp";
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

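Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive. `REGISTRY_API_BASE` takes its value from `TERRAFORM_REGISTRY_URL` with no validation visible in the excerpt, so whoever controls the server's environment controls the host that registry requests go to. That is a configuration-trust point to record (check that the deployment pins or validates the URL, for example by requiring `https:`), not a read of an environment file.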

    4: export const SERVER_NAME = "terraform-registry-mcp";
    5: // Terraform Registry API URLs
>>> 6: export const REGISTRY_API_BASE = process.env.TERRAFORM_REGISTRY_URL || "https://registry.terraform.io";
    7: export const REGISTRY_API_V1 = `${REGISTRY_API_BASE}/v1`;
    8: export const REGISTRY_API_V2 = `${REGISTRY_API_BASE}/v2`;
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    26: // For specific levels: DEBUG=terraform-mcp:error,terraform-mcp:warn node dist/index.js
    27: // Enable appropriate log levels based on LOG_LEVEL if DEBUG is not set
>>> 28: if (!process.env.DEBUG) {
    29:     const enableDebug = (namespace) => {
    30:         debug.enable(`${BASE_NAMESPACE}:${namespace}`);
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

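Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive. The flagged expression `!!process.env.TFC_TOKEN` only converts the variable to a boolean that decides whether tests inside a `describe` block are skipped; the token value itself is not used on these lines.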

    112:     describe("Terraform Cloud Tools", () => {
    113:         // Skip this describe block if TFC_TOKEN is not set
>>> 114:         const hasTfcToken = !!process.env.TFC_TOKEN;
    115:         const conditionalTest = hasTfcToken ? test : test.skip;
    116:         conditionalTest("should list organizations", async () => {
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    11:     let runId;
    12:     beforeAll(() => {
>>> 13:         if (!process.env.TFC_TOKEN) {
    14:             throw new Error("TFC_TOKEN should be set for these tests to run");
    15:         }
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    4: jest.setTimeout(15000); // Longer timeout for Terraform Cloud operations
    5: // Skip entire suite if TFC_TOKEN is missing
>>> 6: const hasTfcToken = !!process.env.TFC_TOKEN;
    7: const describeWithToken = hasTfcToken ? describe : describe.skip;
    8: describeWithToken("Terraform Cloud Tools Integration Tests", () => {
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    53:     describe("Terraform Cloud Resources", () => {
    54:         // Skip this describe block if TFC_TOKEN is not set
>>> 55:         const hasTfcToken = !!process.env.TFC_TOKEN;
    56:         const conditionalTest = hasTfcToken ? test : test.skip;
    57:         conditionalTest("should list organizations", async () => {
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    254:  */
    255: export function getOrganization() {
>>> 256:     return process.env.TEST_ORG || TEST_ORG;
    257: }
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    248:  */
    249: export function getWorkspaceId() {
>>> 250:     return process.env.TEST_WORKSPACE_ID || TEST_WORKSPACE;
    251: }
    252: /**
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    32: export const RATE_LIMIT_WINDOW_MS = parseInt(process.env.RATE_LIMIT_WINDOW_MS || "60000", 10);
    33: // Request timeouts in milliseconds
>>> 34: export const REQUEST_TIMEOUT_MS = parseInt(process.env.REQUEST_TIMEOUT_MS || "10000", 10);
    35: // Algolia search configuration for Terraform Registry
    36: export const ALGOLIA_CONFIG = {
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    30: export const RATE_LIMIT_ENABLED = process.env.RATE_LIMIT_ENABLED === "true";
    31: export const RATE_LIMIT_REQUESTS = parseInt(process.env.RATE_LIMIT_REQUESTS || "60", 10);
>>> 32: export const RATE_LIMIT_WINDOW_MS = parseInt(process.env.RATE_LIMIT_WINDOW_MS || "60000", 10);
    33: // Request timeouts in milliseconds
    34: export const REQUEST_TIMEOUT_MS = parseInt(process.env.REQUEST_TIMEOUT_MS || "10000", 10);
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: J�b�'���ӭ�즊�

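Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive. The decoded output is non-printable bytes. That is consistent with decoding a string that merely fits the base64 alphabet (an identifier, path or URL fragment, for example), although compressed or encrypted data would also decode this way. The report gives no file, source line or original string for the DO-BAS findings (all are "Line 0"), so none of them can be confirmed or dismissed from this page; the original strings have to be located in the package itself.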

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��xq�_���]�o����:孺ׯz

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: .+->�&��z���Ԝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ݕ����z��K�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ݕ����z���׬

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ݕ��ը�K)iǬ

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ݕ��ը�K)iǑz�.�Ǭ

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ݕ�^���q�zjej׬.+-

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ݕ�^���q����&�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ���������z��ױ

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ���j׌�ۥx7�j)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: .+->�&��z���Ԝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��(����^��Z��?�+-

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ݕ�^���q�zjej׬.+-

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ݕ�^���q����&�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ݕ����z��K�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ݕ����z���׬

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ���j׌�ۥx7�j)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ݕ��ը�K)iǬ

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ݕ��ը�K)iǑz�.�Ǭ

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: J�b�'���ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highSC-005Suspicious CommandsMedium ConfidenceLine 0

Node.js child process spawning

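Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive. The match is on the `import { spawn } from "child_process"` line only. Whether this is a concern depends on the call sites, which the excerpt does not show: which executable is spawned, whether arguments are passed as an array without a shell, and whether any argument is derived from MCP tool input. The report does not name the file.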

>>> 1: import { spawn } from "child_process";
    2: import { createInterface } from "readline";
    3: // Timeout values
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��b���z�h�ǔ�)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ���j׌�ۥx7�j)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ���j׌�ۥx7�j)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ڦ/���+���ͫb�{?

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ڦ/���+���ͫb�{?

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ڦ/���+���ͫb�{?

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ڦ/���+���ͫb�{?

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ڦ/���+���ͫb�{?

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ������v�^��j�!

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ������v�^��j�!

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ڦ/���+���ͫb�{?

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ڦ/���+���ͫb�{?

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ڦ/���+���ͫb�{?

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ڦ/���+���ͫb�{?

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ڦ/���+���ͫb�{?

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ڦ/���+���ͫb�{?

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��b���z�h�ǔ�)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��b���z�h�ǔ�)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��b���z�h�ǔ�)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��b���z�h�ǔ�)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��b���z�h�ǔ�)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��b���z�h�ǔ�)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ݕ����z���׬

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: �V�z�v�,� �u�?

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��b���z�h�ǔ�)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ݕ����z��K�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��b���z�h�ǔ�)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��b���z�h�ǔ�)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��b���z�h�ǔ�)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: {ki�O��ު謊׬

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: �����/�׫��Z����

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: {ki�O��ު謊׬

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��r���x��W�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.7 bits/char) — possible encoded payload

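Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive. No string, file or line is shown for this finding. For scale, uniformly random base64 approaches 6 bits per character and random hex 4, so 4.7 bits/char does not by itself separate an encoded payload from a long URL or mixed-case identifier; the string has to be inspected in the package before this finding can be triaged.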

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

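Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive. The request goes to a hard-coded `https://app.terraform.io` host with `TFC_TOKEN` as a bearer credential, which is the expected destination for a Terraform Cloud token. The point worth checking is the URL construction: `input.organization`, `input.namespace`, `input.name` and `input.provider` are interpolated into the path without `encodeURIComponent`, so wherever this pattern is used with values that come from tool arguments, they should be encoded or validated before the authenticated request is made. The file is not identified, and neighbouring excerpts of the same shape wrap `fetch` in `expect(...)`, so this may be test code.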

    47:         };
    48:         const url = `https://app.terraform.io/api/v2/organizations/${input.organization}/registry-modules/private/${input.namespace}/${input.name}/${input.provider}`;
>>> 49:         const res = await fetch(url, {
    50:             headers: {
    51:                 Authorization: `Bearer ${TFC_TOKEN}`,
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    70:         };
    71:         const url = `https://app.terraform.io/api/v2/organizations/${input.organization}/registry-modules/private/${input.namespace}/${input.name}/${input.provider}`;
>>> 72:         await expect(fetch(url, {
    73:             headers: {
    74:                 Authorization: `Bearer ${TFC_TOKEN}`,
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    102:         };
    103:         const url = `https://app.terraform.io/api/v2/organizations/${input.organization}/registry-modules/private/${input.namespace}/${input.name}/${input.provider}/versions/${input.version}`;
>>> 104:         const res = await fetch(url, {
    105:             headers: {
    106:                 Authorization: `Bearer ${TFC_TOKEN}`,
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    43:         };
    44:         const url = `https://app.terraform.io/api/v2/organizations/${input.organization}/registry-modules`;
>>> 45:         const res = await fetch(url, {
    46:             headers: {
    47:                 Authorization: `Bearer ${TFC_TOKEN}`,
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    61:         const input = { organization: "nonexistent-org" };
    62:         const url = `https://app.terraform.io/api/v2/organizations/${input.organization}/registry-modules`;
>>> 63:         await expect(fetch(url, {
    64:             headers: {
    65:                 Authorization: `Bearer ${TFC_TOKEN}`,
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    89:         };
    90:         const url = `https://app.terraform.io/api/v2/organizations/${input.organization}/registry-modules?page[number]=2&page[size]=10`;
>>> 91:         const res = await fetch(url, {
    92:             headers: {
    93:                 Authorization: `Bearer ${TFC_TOKEN}`,
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.9 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    21:         // Make the request to the API
    22:         const url = `https://registry.terraform.io/v1/providers/${input.namespace}/${input.provider}`;
>>> 23:         const res = await fetch(url);
    24:         const data = await res.json();
    25:         // Verify the request was made correctly
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    44:         // Make the request and expect it to fail
    45:         const url = `https://registry.terraform.io/v1/providers/${input.namespace}/${input.provider}`;
>>> 46:         await expect(fetch(url)).rejects.toThrow("Provider not found");
    47:     });
    48:     test("should use namespace default when not provided", async () => {
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    60:         // Make the request to the API
    61:         const url = `https://registry.terraform.io/v1/providers/${namespace}/${input.provider}`;
>>> 62:         await fetch(url);
    63:         // Verify the request was made with default namespace
    64:         const calls = getFetchCalls();
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    28:         // Make the request to the API
    29:         const url = `https://registry.terraform.io/providers/${input.provider ? "hashicorp" : ""}/${input.provider || "aws"}/latest/docs/resources/${input.resource || "aws_instance"}`;
>>> 30:         const resp = await fetch(url);
    31:         const html = await resp.text();
    32:         // Verify the request was made correctly
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    61:         // Make the request to the API
    62:         const url = `https://registry.terraform.io/providers/${input.provider ? "hashicorp" : ""}/${input.provider || "aws"}/latest/docs/resources/${input.resource || "nonexistent_resource"}`;
>>> 63:         const resp = await fetch(url);
    64:         // Verify the response
    65:         expect(resp.ok).toBe(false);
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    86:         // Make the request to the API
    87:         const url = `https://registry.terraform.io/providers/${input.provider}/latest/docs/resources/${input.resource}`;
>>> 88:         const resp = await fetch(url);
    89:         const html = await resp.text();
    90:         // Verify the request was made correctly
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    109:             });
    110:             // Make the request to the API
>>> 111:             const response = await fetch(url);
    112:             // Verify the request was made correctly
    113:             const calls = getFetchCalls();
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

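Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive. The flagged line calls a helper, `testResourceFetch("aws", "aws_s3_bucket")`, inside a `test(...)` block rather than `fetch()` itself; the rule appears to have matched the `Fetch(` substring of the helper's name. The excerpt is test code with `expect(...)` assertions on the response.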

    118:         };
    119:         test("should handle aws_s3_bucket resource", async () => {
>>> 120:             const response = await testResourceFetch("aws", "aws_s3_bucket");
    121:             expect(response.ok).toBe(true);
    122:             expect(response.url).toContain("aws_s3_bucket");
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    123:         });
    124:         test("should handle google_compute_instance resource", async () => {
>>> 125:             const response = await testResourceFetch("google", "google_compute_instance");
    126:             expect(response.ok).toBe(true);
    127:             expect(response.url).toContain("google_compute_instance");
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

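Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive. Here `namespace` and `provider` are interpolated into the path of a URL built on `REGISTRY_API_BASE`, and the full URL is written to the log; no credential is attached to the request in the excerpt. Two things to confirm in the full file: that `namespace` and `provider` are validated or encoded before interpolation, and, because `REGISTRY_API_BASE` can be overridden through `TERRAFORM_REGISTRY_URL` (see the DE-002 excerpts), that content fetched from that host is treated as untrusted when it is returned to the MCP client.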

    20:         const versionsUrl = `${REGISTRY_API_BASE}/v2/providers/${namespace}/${provider}?include=provider-versions`;
    21:         logger.info("Fetching versions from:", versionsUrl);
>>> 22:         const versionsResponse = await fetch(versionsUrl);
    23:         if (!versionsResponse.ok) {
    24:             throw new Error(`Failed to fetch provider versions: ${versionsResponse.status} ${versionsResponse.statusText}`);
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

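Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive. The flagged line is a schema property, `guide: { type: "string", description: "Specific guide to fetch (by slug or title)" }`; the word "fetch" followed by a parenthesis occurs in the description text, and no `fetch()` call appears on it or on the surrounding excerpt lines. On the visible evidence this match is a false positive for NS-003.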

    112:                 provider: { type: "string", description: "Provider name (e.g. 'aws')" },
    113:                 namespace: { type: "string", description: "Provider namespace (e.g. 'hashicorp')" },
>>> 114:                 guide: { type: "string", description: "Specific guide to fetch (by slug or title)" },
    115:                 search: { type: "string", description: "Search term to filter guides" }
    116:             }
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.5 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    37:         const docIdUrl = `${REGISTRY_API_BASE}/v2/provider-docs?filter%5Bprovider-version%5D=${versionId}&filter%5Bcategory%5D=data-sources&filter%5Blanguage%5D=hcl&page%5Bsize%5D=100`;
    38:         logger.info("Fetching doc IDs from:", docIdUrl);
>>> 39:         const docIdResponse = await fetch(docIdUrl);
    40:         if (!docIdResponse.ok) {
    41:             logger.error("Failed to fetch documentation:", {
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    56:         const contentUrl = `${REGISTRY_API_BASE}/v2/provider-docs/${docId}`;
    57:         logger.info("Fetching content from:", contentUrl);
>>> 58:         const contentResponse = await fetch(contentUrl);
    59:         if (!contentResponse.ok) {
    60:             logger.error("Failed to fetch content:", {
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.5 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

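Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive. The host in this excerpt is fixed to raw.githubusercontent.com; owner, repo, latestVersion and resource are interpolated into the path, and where those values originate or whether they are validated is not shown here.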

    313:         const docUrl = `https://raw.githubusercontent.com/${owner}/${repo}/v${latestVersion}/docs/resources/${resource}.md`;
    314:         logger.debug(`Fetching documentation from: ${docUrl}`);
>>> 315:         const docResponse = await fetch(docUrl);
    316:         if (!docResponse.ok) {
    317:             // Try alternative path
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

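Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive. The point to review in this excerpt is line 23 rather than the fetch() call itself: functionName is interpolated into the query string without encodeURIComponent, so confirm it is validated or encoded before use. The request host comes from REGISTRY_API_BASE, whose definition is not shown in this excerpt.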

    23:         const docIdUrl = `${REGISTRY_API_BASE}/v2/provider-docs?filter[provider-version]=${versionId}&filter[category]=functions&filter[slug]=${functionName}&filter[language]=hcl&page[size]=1`;
    24:         logger.info("Fetching doc IDs from:", docIdUrl);
>>> 25:         const docIdResponse = await fetch(docIdUrl);
    26:         if (!docIdResponse.ok) {
    27:             logger.error("Failed to fetch documentation:", {
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    42:         const contentUrl = `${REGISTRY_API_BASE}/v2/provider-docs/${docId}`;
    43:         logger.info("Fetching content from:", contentUrl);
>>> 44:         const contentResponse = await fetch(contentUrl);
    45:         if (!contentResponse.ok) {
    46:             logger.error("Failed to fetch content:", {
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    318:             const altDocUrl = `https://raw.githubusercontent.com/${owner}/${repo}/v${latestVersion}/website/docs/r/${resource}.html.markdown`;
    319:             logger.debug(`Trying alternative URL: ${altDocUrl}`);
>>> 320:             const altDocResponse = await fetch(altDocUrl);
    321:             if (!altDocResponse.ok) {
    322:                 logger.warn(`No documentation found for resource ${resource}, returning basic info`);
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    21:             signal: controller.signal
    22:         };
>>> 23:         const response = await fetch(url, fetchOptions);
    24:         if (!response.ok) {
    25:             throw new Error(`HTTP Error: ${response.status} ${response.statusText}`);
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    8:         // Fetch policy details
    9:         const policyUrl = `${REGISTRY_API_V2}/policies/${namespace}/${name}?include=versions,categories,providers,latest-version`;
>>> 10:         const policyResponse = await fetch(policyUrl);
    11:         if (!policyResponse.ok) {
    12:             throw new Error(`Failed to fetch policy details: ${policyResponse.statusText}`);
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    16:         searchParams.append("facetFilters", `[["provider-name:${provider}"]]`);
    17:     }
>>> 18:     const response = await fetch(`https://${config.applicationId}-dsn.algolia.net/1/indexes/${config.indexName}?${searchParams.toString()}`, {
    19:         headers: {
    20:             "Content-Type": "application/json",
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    18:         const guidesUrl = `${REGISTRY_API_BASE}/v2/provider-docs?filter[provider-version]=${versionId}&filter[category]=guides&filter[language]=hcl`;
    19:         logger.info("Fetching guides from:", guidesUrl);
>>> 20:         const guidesResponse = await fetch(guidesUrl);
    21:         if (!guidesResponse.ok) {
    22:             throw new Error(`Failed to fetch guides: ${guidesResponse.status} ${guidesResponse.statusText}`);
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    41:             const guideUrl = `${REGISTRY_API_BASE}/v2/provider-docs/${targetGuide.id}`;
    42:             logger.info("Fetching guide content from:", guideUrl);
>>> 43:             const guideResponse = await fetch(guideUrl);
    44:             if (!guideResponse.ok) {
    45:                 throw new Error(`Failed to fetch guide content: ${guideResponse.status} ${guideResponse.statusText}`);
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    18:                 signal: controller.signal
    19:             };
>>> 20:             const response = await fetch(url, fetchOptions);
    21:             if (!response.ok) {
    22:                 throw new Error(`HTTP Error: ${response.status} ${response.statusText}`);
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    52:         const filterUrl = `${REGISTRY_API_V2}/provider-docs?filter%5Bcategory%5D=resources&filter%5Bslug%5D=${resource}&filter%5Blanguage%5D=hcl&page%5Bsize%5D=1`;
    53:         logger.debug(`Fetching document ID from: ${filterUrl}`);
>>> 54:         const filterResponse = await fetch(filterUrl, { signal: controller.signal });
    55:         if (!filterResponse.ok) {
    56:             logger.error(`Failed to fetch document ID: ${filterResponse.status} ${filterResponse.statusText}`);
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

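Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive. In this excerpt the host is hard-coded to registry.terraform.io, and line 24 calls providerResponse.json() directly after the fetch with no check of providerResponse.ok, unlike most other call sites listed on this page; whether an error status is handled later is not visible here.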

    21:         // Fetch provider info from v2 API
    22:         const providerUrl = `https://registry.terraform.io/v2/providers/${namespaceStr}/${providerStr}`;
>>> 23:         const providerResponse = await fetch(providerUrl);
    24:         const providerData = await providerResponse.json();
    25:         // Fetch version info from v2 API with included versions
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    25:         // Fetch version info from v2 API with included versions
    26:         const versionsUrl = `https://registry.terraform.io/v2/providers/${namespaceStr}/${providerStr}?include=provider-versions`;
>>> 27:         const versionsResponse = await fetch(versionsUrl);
    28:         const versionsData = await versionsResponse.json();
    29:         // Sort versions by published date
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

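Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive. The flagged line 32 assigns a function named mockFetch to global.fetch (the preceding comment reads "Mock fetch globally"); it replaces fetch and records the call rather than issuing a request on that line.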

    30: }
    31: // Mock fetch globally
>>> 32: global.fetch = function mockFetch(input, init) {
    33:     const url = typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
    34:     fetchCalls.push({ url, options: init });
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    66:         const docUrl = `${REGISTRY_API_V2}/provider-docs/${docId}`;
    67:         logger.debug(`Fetching documentation content from: ${docUrl}`);
>>> 68:         const docResponse = await fetch(docUrl, { signal: controller.signal });
    69:         if (!docResponse.ok) {
    70:             logger.error(`Failed to fetch documentation content: ${docResponse.status} ${docResponse.statusText}`);
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    288:         const providerUrl = `${REGISTRY_API_BASE}/v2/providers/${namespace}/${provider}`;
    289:         logger.debug(`Fetching provider info from: ${providerUrl}`);
>>> 290:         const providerResponse = await fetch(providerUrl);
    291:         if (!providerResponse.ok) {
    292:             throw new Error(`Failed to fetch provider info: ${providerResponse.status} ${providerResponse.statusText}`);
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    19:         const versionsUrl = `${REGISTRY_API_BASE}/v2/providers/${params.namespace}/${params.provider}?include=provider-versions`;
    20:         logger.info("Fetching versions from:", versionsUrl);
>>> 21:         const versionsResponse = await fetch(versionsUrl);
    22:         if (!versionsResponse.ok) {
    23:             throw new Error(`Failed to fetch provider versions: ${versionsResponse.status} ${versionsResponse.statusText}`);
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    44:         const docIdUrl = `${REGISTRY_API_BASE}/v2/provider-docs?filter[provider-version]=${versionId}&filter[category]=resources&filter[slug]=${params.resource}&filter[language]=hcl&page[size]=1`;
    45:         logger.info("Fetching doc ID from:", docIdUrl);
>>> 46:         const docIdResponse = await fetch(docIdUrl);
    47:         if (!docIdResponse.ok) {
    48:             throw new Error(`Failed to fetch documentation ID: ${docIdResponse.status} ${docIdResponse.statusText}`);
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    20:         const input = { provider: "aws", namespace: "hashicorp", resource: "aws_instance" };
    21:         const url = `https://registry.terraform.io/v1/providers/${input.namespace}/${input.provider}/resources/${input.resource}`;
>>> 22:         const response = await fetch(url);
    23:         const data = await response.json();
    24:         const calls = getFetchCalls();
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    46:         const input = { namespace: "terraform-aws-modules", module: "vpc", provider: "aws" };
    47:         const url = `https://registry.terraform.io/v1/modules/${input.namespace}/${input.module}/${input.provider}`;
>>> 48:         const response = await fetch(url);
    49:         const data = await response.json();
    50:         const calls = getFetchCalls();
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    73:         const input = { provider: "aws", namespace: "hashicorp", resource: "aws_instance" };
    74:         const url = `https://registry.terraform.io/v1/providers/${input.namespace}/${input.provider}/resources/${input.resource}`;
>>> 75:         const response = await fetch(url);
    76:         const schema = await response.json();
    77:         const calls = getFetchCalls();
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    22:         // Make the request
    23:         const url = `https://registry.terraform.io/v1/providers/${input.namespace}/${input.provider}/data-sources`;
>>> 24:         const response = await fetch(url);
    25:         const data = await response.json();
    26:         // Verify the request was made
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    47:         // Make the request
    48:         const url = `https://registry.terraform.io/v1/providers/${input.namespace}/${input.provider}/data-sources`;
>>> 49:         const response = await fetch(url);
    50:         // Verify response
    51:         expect(response.ok).toBe(false);
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

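Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive. This request carries an Authorization bearer token (TFC_TOKEN), so the destination matters more than the call itself: the host app.terraform.io is fixed in the template on line 48, while params.organization is interpolated into the path without encoding. The excerpts flagged at lines 107, 153, 175 and 215 repeat the same pattern and appear to come from the same file; line 175 wraps the call in expect(), which suggests test code.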

    47:         // Make the request to the API
    48:         const url = `https://app.terraform.io/api/v2/organizations/${params.organization}/explorer?${queryParams.toString()}`;
>>> 49:         const res = await fetch(url, {
    50:             headers: {
    51:                 Authorization: `Bearer ${TFC_TOKEN}`,
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    105:         // Make the request to the API
    106:         const url = `https://app.terraform.io/api/v2/organizations/${params.organization}/explorer?${queryParams.toString()}`;
>>> 107:         const res = await fetch(url, {
    108:             headers: {
    109:                 Authorization: `Bearer ${TFC_TOKEN}`,
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    151:         // Make the request to the API
    152:         const url = `https://app.terraform.io/api/v2/organizations/${params.organization}/explorer?${queryParams.toString()}`;
>>> 153:         const res = await fetch(url, {
    154:             headers: {
    155:                 Authorization: `Bearer ${TFC_TOKEN}`,
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    173:         // Make the request to the API and expect it to fail
    174:         const url = `https://app.terraform.io/api/v2/organizations/${params.organization}/explorer?${queryParams.toString()}`;
>>> 175:         await expect(fetch(url, {
    176:             headers: {
    177:                 Authorization: `Bearer ${TFC_TOKEN}`,
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    213:         // Make the request to the API
    214:         const url = `https://app.terraform.io/api/v2/organizations/${params.organization}/explorer?${queryParams.toString()}`;
>>> 215:         await fetch(url, {
    216:             headers: {
    217:                 Authorization: `Bearer ${TFC_TOKEN}`,
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    58:         const contentUrl = `${REGISTRY_API_BASE}/v2/provider-docs/${docId}`;
    59:         logger.info("Fetching content from:", contentUrl);
>>> 60:         const contentResponse = await fetch(contentUrl);
    61:         if (!contentResponse.ok) {
    62:             throw new Error(`Failed to fetch documentation content: ${contentResponse.status} ${contentResponse.statusText}`);
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    297:         const versionsUrl = `${providerUrl}/versions`;
    298:         logger.debug(`Fetching provider versions from: ${versionsUrl}`);
>>> 299:         const versionsResponse = await fetch(versionsUrl);
    300:         if (!versionsResponse.ok) {
    301:             throw new Error(`Failed to fetch provider versions: ${versionsResponse.status} ${versionsResponse.statusText}`);
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    263:         const versionsUrl = `${REGISTRY_API_BASE}/v2/providers/hashicorp/${resourceParams.provider}?include=provider-versions`;
    264:         logger.info("Fetching versions from:", versionsUrl);
>>> 265:         const versionsResponse = await fetch(versionsUrl);
    266:         if (!versionsResponse.ok) {
    267:             throw new Error(`Failed to fetch provider versions: ${versionsResponse.status} ${versionsResponse.statusText}`);
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    281:         const docIdUrl = `${REGISTRY_API_BASE}/v2/provider-docs?filter[provider-version]=${versionId}&filter[category]=resources&filter[slug]=${resourceParams.resource}&filter[language]=hcl&page[size]=1`;
    282:         logger.info("Fetching doc ID from:", docIdUrl);
>>> 283:         const docIdResponse = await fetch(docIdUrl);
    284:         if (!docIdResponse.ok) {
    285:             logger.error("Failed to fetch documentation:", {
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    300:         const contentUrl = `${REGISTRY_API_BASE}/v2/provider-docs/${docId}`;
    301:         logger.info("Fetching content from:", contentUrl);
>>> 302:         const contentResponse = await fetch(contentUrl);
    303:         if (!contentResponse.ok) {
    304:             logger.error("Failed to fetch content:", {
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    34:         const searchUrl = `https://registry.terraform.io/v1/modules/search?q=${encodeURIComponent(input.query)}&limit=3&verified=true&provider=${encodeURIComponent(input.provider)}`;
    35:         // Make the request
>>> 36:         const res = await fetch(searchUrl);
    37:         const resultData = await res.json();
    38:         // Verify the request was made correctly
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    68:         const searchUrl = `https://registry.terraform.io/v1/modules/search?q=${encodeURIComponent(input.query)}&limit=3&verified=true&provider=${encodeURIComponent(input.provider)}`;
    69:         // Make the request
>>> 70:         const res = await fetch(searchUrl);
    71:         const resultData = await res.json();
    72:         // Verify the response

Scan History

Date | Risk | Findings
Feb 25, 2026 | critical | 143
Feb 23, 2026 | critical | 143
Feb 22, 2026 | critical | 143