How to assess security risk of running open
I'd like to get some well-informed opinions about how to assess risk for using an open-source implementation (https://github.com/vvondra/bitwarden-serverless/) of the BitWarden API. What I like about this implementation is that it all runs in the cloud, under the free tier. It looks like it was designed to take advantage of cloud resources. I scanned it with SonarCloud, and it comes up green. I'm currently working on scanning it with OWASP Dependency-Checker. For now, I'm not able to get that scanner to work.
Thinking pessimistically, I figured there could still be a chance that there is something malicious buried in the code somewhere that the scanners wouldn't pick up, so I intended to read through the code line by line, though I am unfamiliar with NodeJS at this time.
The code looks like it's not BitWarden's code at all, and it's far fewer lines than Bitwarden appears to have written to implement its core. What I like about BitWarden is that they appear to be pretty security-minded: https://github.com/bitwarden/web/blob/master/SECURITY.md. They even have a program on HackerOne to identify and fix exploits.
I'd rather not use the infrastructure that they host in Azure. I'd rather have an unknown, private URL, still in the cloud, through which I manage my credentials. That's where this server-less implementation comes in.
I figure that I'm taking on the risk of using an unknown implementation. But I also figure that some of the risk is mitigated by running in AWS and by using AWS architecture. I think that all that is really left for me to do is to read through the code and make sure that no back-door calls are being made in it.
Does anyone have anything to add? I'm not interested in other options, at this time, just in assessing the risk of using this server-less implementation.