Go modules · proxy.golang.org

github.com/Azure/agentbaker/e2e

DNS / OAST exfiltration: matched "dig %s +timeout=1 +tries=1\", testdomain)\n\texecResult := execScriptOnVMForScenarioValidateExitCode(ctx, s, command, 0, \"dns resolution failed\")\n\tassert.Contains(s.T, execResult.stdout, \"status: NOERROR\")\n\tassert.Contains(s.T, execResult.stdout, fmt.Sprintf(\"SERVER: %s\", server))\n}\n\n// ValidateLocalDNSHostsFile checks that /etc/localdns/hosts contains at least one IPv4 entry for each critical FQDN.\n// This validation approach avoids flakiness with CDN/frontdoor-backed FQDNs (like mcr.microsoft.com) whose A records\n// can rotate between queries. We verify presence, not exact IP matching.\n// The hosts file is populated asynchronously by the aks-localdns-hosts-setup timer/service, so we poll with a timeout.\nfunc ValidateLocalDNSHostsFile(ctx context.Context, s *Scenario, fqdns []string) {\n\ts.T.Helper()\n\n\t// Build script that polls until all FQDNs have at least one IPv4 entry in hosts file\n\tscript := fmt.Sprintf(`set -euo pipefail\nhosts_file=\"/etc/localdns/hosts\"\nfqdns=(%s)\ntimeout_secs=60\npoll_interval_secs=5\ndeadline=$("

Why PkgRadar flagged v0.0.0-20260530051135-f4d8d72a8d7a

Severity	Signal	Evidence
high	DNS / OAST exfiltration	matched "dig %s +timeout=1 +tries=1\", testdomain)\n\texecResult := execScriptOnVMForScenarioValidateExitCode(ctx, s, command, 0, \"dns resolution failed\")\n\tassert.Contains(s.T, execResult.stdout, \"status: NOERROR\")\n\tassert.Contains(s.T, execResult.stdout, fmt.Sprintf(\"SERVER: %s\", server))\n}\n\n// ValidateLocalDNSHostsFile checks that /etc/localdns/hosts contains at least one IPv4 entry for each critical FQDN.\n// This validation approach avoids flakiness with CDN/frontdoor-backed FQDNs (like mcr.microsoft.com) whose A records\n// can rotate between queries. We verify presence, not exact IP matching.\n// The hosts file is populated asynchronously by the aks-localdns-hosts-setup timer/service, so we poll with a timeout.\nfunc ValidateLocalDNSHostsFile(ctx context.Context, s *Scenario, fqdns []string) {\n\ts.T.Helper()\n\n\t// Build script that polls until all FQDNs have at least one IPv4 entry in hosts file\n\tscript := fmt.Sprintf(`set -euo pipefail\nhosts_file=\"/etc/localdns/hosts\"\nfqdns=(%s)\ntimeout_secs=60\npoll_interval_secs=5\ndeadline=$(" · github.com/azure/agentbaker/[email protected]/validators.go
medium	Remote Payload	matched "curl " · github.com/azure/agentbaker/[email protected]/validation.go
medium	Remote Payload	matched "curl " · github.com/azure/agentbaker/[email protected]/vmss.go
medium	Go Mod Replace Local	go.mod replace directive redirects to a local filesystem path — non-portable / dev-time only. · github.com/azure/agentbaker/[email protected]/go.mod

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`v0.0.0-20260530051135-f4d8d72a8d7a`	High risk	69	2026-06-02

Block this in CI

PkgRadar gates github.com/Azure/agentbaker/e2e (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go github.com/Azure/agentbaker/[email protected]

Start free — 25 scans / mo View full evidence