Closed
Description
Advisory: GHSA-576v-xg3m-rpj7
Package: grepleaks (npm)
Context
I am the author of grepleaks, a SaaS security scanner available at
https://grepleaks.com. The npm package grepleaks is a CLI client that allows users to
scan their codebase for vulnerabilities, secrets, and misconfigurations — similar to
tools like Snyk CLI, Semgrep, or Checkmarx CLI.
This advisory incorrectly classifies my package as malware (CWE-506). I am requesting
its removal.
Why this is a false positive
- No postinstall or preinstall scripts — The package does nothing on installation. Users must explicitly run grepleaks init and provide their API key before any action is taken.
- Explicit user consent — The CLI requires the user to manually configure it (grepleaks init), enter their API key, and choose when scans run. No data is sent without deliberate user action.
- Standard SaaS security scanner behavior — Like Snyk CLI, Semgrep, SonarQube Scanner, and Checkmarx CLI, the tool uploads source code to a cloud API for analysis. This is the standard architecture for SaaS security tools, not data exfiltration.
- Legitimate business — grepleaks.com is a commercial security scanning service with a public website, documentation, and paying customers.
- No obfuscation — The source code of the CLI is plain JavaScript, fully readable, with no obfuscation or encoded payloads.
Impact
This false positive has resulted in:
- My npm account being suspended
- The package being removed from npm
- Reputational damage via Google search results (Veracode, GitHub Advisory)
Request
Please review the package source code and remove this advisory. I am happy to provide
any additional information needed.
Thank you.