Sorry, lost the link, here you go: https://aur.archlinux.org/packages/atomdrift-scan
Best, Pasha On Mon, 15 Jun 2026 at 13:21, Pasha Finkelshtein < [email protected]> wrote: > I dared to publish atomdrift-scan as a package to AUR, I would be > gracious if you could eyeball it and say if you think it's fine > > Best, > Pasha > > On Mon, 15 Jun 2026 at 12:15, Pasha Finkelshtein < > [email protected]> wrote: > >> Scanning built packages of scary because it requires building, which can >> involve malicious actions, but probably need to perform 2-pass scanning: >> pkgbuild-build-scan binary >> >> Pasha Finkelshteyn >> Developer Advocate [image: Logo] <https://bell-sw.com/> >> Mobile: +49 1525 981-7123 >> Email: [email protected] >> bell-sw.com [image: facebook icon] <https://www.facebook.com/asm0dey> >> [image: twitter icon] <https://twitter.com/asm0di0> [image: linkedin >> icon] <https://www.linkedin.com/in/asm0dey> [image: instagram icon] >> <https://www.instagram.com/asm0dey> [image: telegram icon] >> <https://t.me/asm0dey> >> >> On Mon, 15 Jun 2026, 12:07 Thomas Stromberg, <[email protected]> wrote: >> >>> >>> >>> On Mon, Jun 15, 2026 at 2:12 AM Pasha Finkelshtein < >>> [email protected]> wrote: >>> >>>> Hi Thomas, >>>> >>>> First of all, thank you for what you're doing, it looks amazing! >>>> >>> >>> Thanks! It's been truly a labor of love. >>> >>> >>>> Second, I'm not a maintainer, just a mere user. As a mere user, I'd >>>> love to have some kind of cli tool, that could scan package for me before I >>>> build/install it. >>>> >>> >>> That's available: >>> >>> git clone https://codeberg.org/atomdrift/scan.gitcd scan >>> make install >>> >>> ascan fs /path/to/aur >>> >>> That will recursively scan a path - containing an AUR or whatever - >>> including within archives (if it doesn't work - let me know). Unlike most >>> tools, Atomdrift reverse-engineers both code and binary content, applying >>> common rules to both. >>> >>> One important limitation: AS does not yet follow external file >>> references (other packages, URLs), but it does detect unusual external >>> references, which have flagged many of the AUR attacks. I'm working on >>> the external refs feature as we speak; and hope to have the initial >>> implementation added behind a --fetch flag later today. >>> >>> Third, I'm not sure how Atomdrift works, but the code of AUR itself is >>>> also open and probably you might see a way how to integrate scanning into >>>> the pipeline? Like when someone committs an update to a package, it runs >>>> thru Atomdrift. >>>> >>> >>> Yup, that should entirely be possible! At Chainguard, we deployed a >>> similar sort of tool as part of our code review process. The more >>> interesting part of the tooling that is yet to be released is differential >>> analysis (you can get a preview by the diff subcommand in >>> https://codeberg.org/atomdrift/cleave) - that's where things get really >>> exciting for this use case. That will then flag the interesting >>> xzutils-inspired question: why did a v1.0.0 -> v1.0.1 bump yield a 93% >>> behavioral change? >>> >>> >>>> >>>> Best, >>>> Pasha >>>> >>>> Pasha Finkelshteyn >>>> Developer Advocate [image: Logo] <https://bell-sw.com/> >>>> Mobile: +49 1525 981-7123 >>>> Email: [email protected] >>>> bell-sw.com [image: facebook icon] <https://www.facebook.com/asm0dey> >>>> [image: twitter icon] <https://twitter.com/asm0di0> [image: >>>> linkedin icon] <https://www.linkedin.com/in/asm0dey> [image: >>>> instagram icon] <https://www.instagram.com/asm0dey> [image: telegram >>>> icon] <https://t.me/asm0dey> >>>> >>>> On Mon, 15 Jun 2026, 04:43 Thomas Stromberg, <[email protected]> wrote: >>>> >>>>> [resending as my e-mail yesterday went to the moderation queue] >>>>> >>>>> I've been building out an open-source platform for supply-chain >>>>> detection over the last 6 months, based on my previous work at Chainguard. >>>>> While it's still a work in progress, the recent attacks have tipped my >>>>> hand, so here it goes: https://atomdrift.org/ (Apache 2.0) >>>>> >>>>> TL;DR - We're building an automated local reverse-engineering and >>>>> detection platform, powered by tiny local deterministic AI models, >>>>> retrained constantly based on recent attacks and threat feeds. Because it >>>>> uses other great open-source projects under the hood (tree-sitter, rizin, >>>>> etc) rather than just pattern matching, it's immune to most obfuscation >>>>> attacks. >>>>> >>>>> Atomdrift's detection is runnable via a simple rust CLI tool ( >>>>> https://codeberg.org/atomdrift/scan). No special hardware required. >>>>> If you have a local LLM, we support an optimized path for getting a second >>>>> opinion from it via --interpret that provides a summary and steers >>>>> confidence levels. >>>>> >>>>> While our training pipeline has been pulling from open-source >>>>> marketplaces for months, yesterday we just started scanning AUR updates >>>>> rather than new additions, and here's an example of what it looks like: >>>>> https://lab.atomdrift.org/file/720b4275223cf0e27e60fdae069eba53b1869d44e46b8c9f09975405e75763f9 >>>>> >>>>> Here's a link to the Arch pipeline results: >>>>> https://lab.atomdrift.org/arch/ >>>>> >>>>> I built this to help open-source, and would love to figure out how I >>>>> can help ArchLinux with their supply chain issues - whether it's just >>>>> discussing ideas, making a sustainable alert pipeline to what is up >>>>> and running already, running the pipeline on your infra, or >>>>> collaborating on development. >>>>> >>>>> As atomdrift both emits scores and lets you tune for a specific >>>>> acceptable false-positive level, one idea for AUR could be automated >>>>> review >>>>> or publishing delay based on confidence levels. >>>>> >>>>> The compute-side runs on Arch, btw. >>>>> Thomas >>>>> >>>>
