High-risk tools in Build
8 of the 9 tools in Build are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
- build (Execute): Runs a build command and returns structured success/failure with errors and warnings. Allowed commands: ant, bazel, bun, bunx, cargo, cmake, dotnet, esbuild, go, gradle, gradlew...
- esbuild (Execute): Runs the esbuild bundler and returns structured errors, warnings, and output files.
- lerna (Execute): Runs Lerna monorepo commands (list, run, changed, version) and returns structured package information.
- nx (Execute): Runs Nx workspace commands and returns structured per-project task results with cache status.
- rollup (Execute): Runs Rollup bundler and returns structured bundle output with errors and warnings.
- turbo (Execute): Runs Turborepo tasks and returns structured per-package results with cache hit/miss info.
- vite-build (Execute): Runs Vite production build and returns structured output files with sizes.
- webpack (Execute): Runs webpack build with JSON stats output and returns structured assets, errors, and warnings.
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.