Scanning built packages of scary because it requires building, which can involve malicious actions, but probably need to perform 2-pass scanning: pkgbuild-build-scan binary
Pasha Finkelshteyn Developer Advocate [image: Logo] <https://bell-sw.com/> Mobile: +49 1525 981-7123 Email: [email protected] bell-sw.com [image: facebook icon] <https://www.facebook.com/asm0dey> [image: twitter icon] <https://twitter.com/asm0di0> [image: linkedin icon] <https://www.linkedin.com/in/asm0dey> [image: instagram icon] <https://www.instagram.com/asm0dey> [image: telegram icon] <https://t.me/asm0dey> On Mon, 15 Jun 2026, 12:07 Thomas Stromberg, <[email protected]> wrote: > > > On Mon, Jun 15, 2026 at 2:12 AM Pasha Finkelshtein < > [email protected]> wrote: > >> Hi Thomas, >> >> First of all, thank you for what you're doing, it looks amazing! >> > > Thanks! It's been truly a labor of love. > > >> Second, I'm not a maintainer, just a mere user. As a mere user, I'd love >> to have some kind of cli tool, that could scan package for me before I >> build/install it. >> > > That's available: > > git clone https://codeberg.org/atomdrift/scan.gitcd scan > make install > > ascan fs /path/to/aur > > That will recursively scan a path - containing an AUR or whatever - > including within archives (if it doesn't work - let me know). Unlike most > tools, Atomdrift reverse-engineers both code and binary content, applying > common rules to both. > > One important limitation: AS does not yet follow external file references > (other packages, URLs), but it does detect unusual external references, > which have flagged many of the AUR attacks. I'm working on the external > refs feature as we speak; and hope to have the initial > implementation added behind a --fetch flag later today. > > Third, I'm not sure how Atomdrift works, but the code of AUR itself is >> also open and probably you might see a way how to integrate scanning into >> the pipeline? Like when someone committs an update to a package, it runs >> thru Atomdrift. >> > > Yup, that should entirely be possible! At Chainguard, we deployed a > similar sort of tool as part of our code review process. The more > interesting part of the tooling that is yet to be released is differential > analysis (you can get a preview by the diff subcommand in > https://codeberg.org/atomdrift/cleave) - that's where things get really > exciting for this use case. That will then flag the interesting > xzutils-inspired question: why did a v1.0.0 -> v1.0.1 bump yield a 93% > behavioral change? > > >> >> Best, >> Pasha >> >> Pasha Finkelshteyn >> Developer Advocate [image: Logo] <https://bell-sw.com/> >> Mobile: +49 1525 981-7123 >> Email: [email protected] >> bell-sw.com [image: facebook icon] <https://www.facebook.com/asm0dey> >> [image: twitter icon] <https://twitter.com/asm0di0> [image: linkedin >> icon] <https://www.linkedin.com/in/asm0dey> [image: instagram icon] >> <https://www.instagram.com/asm0dey> [image: telegram icon] >> <https://t.me/asm0dey> >> >> On Mon, 15 Jun 2026, 04:43 Thomas Stromberg, <[email protected]> wrote: >> >>> [resending as my e-mail yesterday went to the moderation queue] >>> >>> I've been building out an open-source platform for supply-chain >>> detection over the last 6 months, based on my previous work at Chainguard. >>> While it's still a work in progress, the recent attacks have tipped my >>> hand, so here it goes: https://atomdrift.org/ (Apache 2.0) >>> >>> TL;DR - We're building an automated local reverse-engineering and >>> detection platform, powered by tiny local deterministic AI models, >>> retrained constantly based on recent attacks and threat feeds. Because it >>> uses other great open-source projects under the hood (tree-sitter, rizin, >>> etc) rather than just pattern matching, it's immune to most obfuscation >>> attacks. >>> >>> Atomdrift's detection is runnable via a simple rust CLI tool ( >>> https://codeberg.org/atomdrift/scan). No special hardware required. If >>> you have a local LLM, we support an optimized path for getting a second >>> opinion from it via --interpret that provides a summary and steers >>> confidence levels. >>> >>> While our training pipeline has been pulling from open-source >>> marketplaces for months, yesterday we just started scanning AUR updates >>> rather than new additions, and here's an example of what it looks like: >>> https://lab.atomdrift.org/file/720b4275223cf0e27e60fdae069eba53b1869d44e46b8c9f09975405e75763f9 >>> >>> Here's a link to the Arch pipeline results: >>> https://lab.atomdrift.org/arch/ >>> >>> I built this to help open-source, and would love to figure out how I >>> can help ArchLinux with their supply chain issues - whether it's just >>> discussing ideas, making a sustainable alert pipeline to what is up and >>> running already, running the pipeline on your infra, or collaborating >>> on development. >>> >>> As atomdrift both emits scores and lets you tune for a specific >>> acceptable false-positive level, one idea for AUR could be automated review >>> or publishing delay based on confidence levels. >>> >>> The compute-side runs on Arch, btw. >>> Thomas >>> >>
