On Wed, Jun 17, 2026 at 9:41 AM Tom Hale <[email protected]> wrote: > On Wed, 17 Jun 2026, at 20:30, Thomas Stromberg wrote: > > - Unusual URL characters, including IDN URLs: > `^[a-z0-9][a-z0-9\.\-]+\.[a-z]{2,6}$` - > https://github.com/wolfi-dev/wolfictl/pull/496 > - "off-by-one" check that flagged any URL that was 1-character off another > URL mentioned in another package (using levenshtein distance): > https://github.com/wolfi-dev/wolfictl/pull/500 > > > Cheers!! Of the few posts I've read in the last few days, it seems your > tooling is cutting edge for actionable, deep inspection, evidence-based > information. >
Thanks! This scanner has been a really fun (and exceptionally difficult) project to work on. > How would we call your tool to pipe a PKGBUILD to it, or have it read from > a file name? > ascan fs /path - the path can be an archive, directory, or PKGBUILD file itself - it'll operate recursively. If something larger-scale is required, there is also a server subcommand that supports HTTP requests. Do you support an exit of 1 when the tool's certainty exceeds a confidence > threshold, with such threshold settable via --option? > Yes! Amittedly, the documentation needs some work, but for the CLI tool, the exit codes are briefly documented here: https://codeberg.org/atomdrift/scan/src/branch/main/docs/INTEGRATION.md 0 clean, 1 hostile, 2 suspicious, 3 error As far as exiting at specific confidence thresholds, the recommended way is by specifying the acceptable false-positive threshold level; by default it's "-l 50", or 50 false-positives per 100-million. I haven't trained on enough PKGBUILD files yet to get a clean statistical model (I need to collect more baddies), but it works well for other file formats. NOTE: The -l setting only changes how "hostile" is calculated, not how "suspicious" is calculated; but may in the future. We currently calculate "suspicious" as unusual enough to fire as hostile at up to 50k-per-100 million. > -- > Tom Hale >
