On Wed, Jun 17, 2026 at 9:41 AM Tom Hale <[email protected]> wrote:

> On Wed, 17 Jun 2026, at 20:30, Thomas Stromberg wrote:
>
> - Unusual URL characters, including IDN URLs:
> `^[a-z0-9][a-z0-9\.\-]+\.[a-z]{2,6}$` -
> https://github.com/wolfi-dev/wolfictl/pull/496
> - "off-by-one" check that flagged any URL that was 1-character off another
> URL mentioned in another package (using levenshtein distance):
> https://github.com/wolfi-dev/wolfictl/pull/500
>
>
> Cheers!!  Of the few posts I've read in the last few days, it seems your
> tooling is cutting edge for actionable, deep inspection, evidence-based
> information.
>

Thanks! This scanner has been a really fun (and exceptionally
difficult) project
to work on.


> How would we call your tool to pipe a PKGBUILD to it, or have it read from
> a file name?
>

ascan fs /path - the path can be an archive, directory, or PKGBUILD file
itself - it'll operate recursively. If something larger-scale is required,
there is also a server subcommand that supports HTTP requests.

Do you support an exit of 1 when the tool's certainty exceeds a confidence
> threshold, with such threshold settable via --option?
>

Yes! Amittedly, the documentation needs some work, but for the CLI tool,
the exit codes are briefly documented here:
https://codeberg.org/atomdrift/scan/src/branch/main/docs/INTEGRATION.md

0 clean, 1 hostile, 2 suspicious, 3 error

As far as exiting at specific confidence thresholds, the recommended way is by
specifying the acceptable false-positive threshold level; by default it's
"-l 50", or 50 false-positives per 100-million. I haven't trained on enough
PKGBUILD files yet to get a clean statistical model (I need to collect more
baddies), but it works well for other file formats.

NOTE: The -l setting only changes how "hostile" is calculated, not how
"suspicious" is calculated; but may in the future. We currently calculate
"suspicious" as unusual enough to fire as hostile at up to 50k-per-100
million.


> --
> Tom Hale
>

Reply via email to