
Bug: Potential False Positive Scanning @types/node

Open davekerber opened this issue 1 month ago • 0 comments

Using this config to scan my package.json:

https://github.com/cloud-copilot/iam-shrink/blob/main/.github/workflows/guarddog.yml

Specifically this line:

guarddog npm verify package.json --exclude-rules empty_information --exit-non-zero-on-finding

I've been getting this error for a few weeks now:


Found 1 potentially malicious indicators in @types/node

suspicious_passwd_access_linux: found 1 source code matches
  * Detects suspicious read access to /etc/passwd file, which is often targeted by malware for credential harvesting at node v22.18/fs.d.ts:117191
        b"readFile('/etc/passwd"

Looking in @types/node I can't find a line 117191. But I can see in that file things like this in the ts docs section:

    /**
     * ...
     * readFile('/etc/passwd', (err, data) => {
     *   if (err) throw err;
     *   console.log(data);
     * });
     * ...
     */

Here is a permalink https://github.com/DefinitelyTyped/DefinitelyTyped/blob/c030728c3e25d15bcb3fbf48edf2df784b9f08db/types/node/v22/fs.d.ts#L2725

So the string does technically exist in the source, but it's in the documentation of the method, so I think this is a false positive.

davekerber, Nov 01 '25 17:11
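
A triage sketch for the finding reported above, added here as an example and not taken from the issue or from guarddog's own code: it re-checks each `readFile('/etc/passwd` hit in a file and reports whether the matched bytes sit inside a comment, giving both the byte offset and the line number so a location that does not correspond to a line can still be traced. The sample file contents and the names `comment_spans` and `triage` are constructed for illustration.

```python
import re

# Constructed sample: a trimmed declaration file in the style of fs.d.ts,
# with the string once inside a doc comment and once in real code.
SAMPLE = b"""\
declare module "fs" {
    /**
     * Asynchronously reads the entire contents of a file.
     *
     * readFile('/etc/passwd', (err, data) => {
     *   if (err) throw err;
     * });
     */
    function readFile(path: string, cb: Function): void;
}
readFile('/etc/passwd', () => {}); // constructed non-comment use
"""

PATTERN = re.compile(rb"readFile\('/etc/passwd")
# Block comments, line comments, and string literals. Strings are matched
# so that a "//" or "/*" inside a literal is not mistaken for a comment.
TOKENS = re.compile(
    rb"/\*.*?\*/|//[^\n]*|'(?:\\.|[^'\\\n])*'|\"(?:\\.|[^\"\\\n])*\"|`(?:\\.|[^`\\])*`",
    re.DOTALL,
)

def comment_spans(src: bytes):
    """Return (start, end) byte ranges of every comment in src."""
    return [m.span() for m in TOKENS.finditer(src) if m.group().startswith((b"/*", b"//"))]

def triage(src: bytes, pattern=PATTERN):
    """Classify each pattern hit as 'comment' or 'code', with offset and line."""
    spans = comment_spans(src)
    hits = []
    for m in pattern.finditer(src):
        off = m.start()
        where = "comment" if any(s <= off < e for s, e in spans) else "code"
        hits.append({"offset": off, "line": src.count(b"\n", 0, off) + 1, "where": where})
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```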