Custom & Community Rules
Every detection code lives in one authoritative, uniqueness-enforced catalog. You can extend it with a few lines of TOML — no rebuild required. The loader skips malformed files with a warning and refuses to start if any ID collides, so the index stays trustworthy.
Where rules live
Drop .toml files into any of these (later overrides earlier):
| Path | Scope |
|---|---|
| /usr/share/aur-scanner/rules.d/ | distro / package-shipped |
| /etc/aur-scanner/rules.d/ | system administrator |
| ~/.config/aur-scanner/rules.d/ | per user |
Rule format
```toml
[[rule]]
id = "ACME-001" # must be UNIQUE across the whole catalog
name = "Flags the ACME backdoor marker"
description = "Detects the marker string left by the ACME backdoor."
severity = "critical" # critical | high | medium | low | info
category = "malicious_code"
recommendation = "Do not build; report the package."
file_types = ["pkgbuild", "install_script"]

[[rule.patterns]]
type = "regex"
pattern = "acme_backdoor_[0-9a-f]{8}"
```

Use an org-specific prefix (e.g. ACME-…) to avoid collisions with built-in codes. Then:

```
aur-scan codes # confirm your rule is in the index
aur-scan explain ACME-001 # view it
```

Categories
command_injection, privilege_escalation, network_security,
data_exfiltration, malicious_code, cryptography, configuration,
dependencies, obfuscation, credential_theft, persistence,
cryptomining, suspicious_metadata.
Want a rule shared with everyone? Open a PR on GitHub.