Install

Quick heads-up on naming: on the AUR the stable package is aur-scanner (ks-aur-scanner is the same thing under a second name). There’s also aur-scanner-rc for trying the next release while it’s in testing, and aur-scanner-git that follows the latest commit. They all install the same command — aur-scan — and they conflict with each other, so install one.

From the AUR

# stable, GPG-signed release (recommended)
paru -S aur-scanner       # yay works too

Pick the one channel that fits you (the AUR pages have the current versions):

AUR package        What it tracks
aur-scanner        Stable, GPG-signed release (recommended)
ks-aur-scanner     Stable — same thing, different name
aur-scanner-rc     Release candidate — the next version, in testing
aur-scanner-git    Latest commit (rolling)

The stable and RC packages build from a GPG-signed git tag and verify it against our signing key, so makepkg won’t build a tag we didn’t sign — integrity comes from the signature, not a tarball hash. If your helper doesn’t fetch the key automatically, import it once:

gpg --recv-keys 25631EAE3F43999050B7D7021132BF893C33FB51

You can verify any release yourself:

git clone https://github.com/KiefStudioMA/ks-aur-scanner.git
git -C ks-aur-scanner verify-tag v2.0.0

Testing the next release? aur-scanner-rc tracks the current release candidate (it may sit behind stable between cycles). It fails closed — paru/yay and the pacman hook deny on a scan error, a timeout, or a non-interactive (no-TTY) prompt instead of letting the build through. Great for trying what’s coming; stay on aur-scanner for machines you care about.
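To make the fail-closed rule concrete, here is an added example (not aur-scanner's own code) of a gate function that denies on a scan error, a timeout, or a finding that needs a human answer when no TTY is attached. The scanner command name, its timeout and its exit codes are placeholders: AUR_SCAN_CMD and the "needs a decision" exit code 2 are hypothetical, since this page does not document aur-scan's command line.

```shell
#!/bin/sh
# Added example: a fail-closed gate in the spirit of the RC channel's behaviour.
# AUR_SCAN_CMD, AUR_SCAN_TIMEOUT and NEEDS_DECISION are hypothetical placeholders;
# aur-scan's real flags and exit codes are not described on this page.
: "${AUR_SCAN_CMD:=aur-scan}"    # placeholder scanner invocation
: "${AUR_SCAN_TIMEOUT:=60}"      # seconds before the gate gives up and denies
NEEDS_DECISION=2                 # assumed exit code: scanner wants a human answer

# gate_build PKGDIR  ->  0 = build may proceed, 1 = denied.
# Every unexpected path (no scanner, crash, timeout, no TTY) denies.
gate_build() {
    pkgdir=$1
    [ -d "$pkgdir" ] || { echo "deny: $pkgdir is not a directory" >&2; return 1; }
    command -v timeout >/dev/null 2>&1 || { echo "deny: timeout(1) missing" >&2; return 1; }

    rc=0
    timeout "$AUR_SCAN_TIMEOUT" "$AUR_SCAN_CMD" "$pkgdir" || rc=$?
    case $rc in
        0)   return 0 ;;                                   # clean: hand off to the helper
        124) echo "deny: scan timed out" >&2; return 1 ;;  # 124 is timeout(1)'s own status
        "$NEEDS_DECISION")
            # Only a person at a terminal may accept a flagged package.
            if [ -t 0 ]; then
                printf 'Scanner flagged %s. Build anyway? [y/N] ' "$pkgdir"
                read -r ans
                [ "$ans" = y ] && return 0
            fi
            echo "deny: findings need a decision and none was given" >&2
            return 1 ;;
        *)   echo "deny: scanner failed (exit $rc)" >&2; return 1 ;;
    esac
}
```

Wire `gate_build "$srcdir"` in front of your helper's build step; anything other than a clean exit from the scanner keeps makepkg from running.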

From source

git clone https://github.com/KiefStudioMA/ks-aur-scanner.git
cd ks-aur-scanner
cargo build --release
sudo install -Dm755 target/release/aur-scan /usr/bin/aur-scan

Source the shell integration so AUR installs are scanned before they build:

# bash
echo 'source /usr/share/aur-scan/integration.bash' >> ~/.bashrc
# zsh
echo 'source /usr/share/aur-scan/integration.zsh' >> ~/.zshrc
# fish
echo 'source /usr/share/aur-scan/integration.fish' >> ~/.config/fish/config.fish
# nushell
echo 'source /usr/share/aur-scan/integration.nu' >> ~/.config/nushell/config.nu

  • Default (gate mode): scans the package, then hands off to your helper.
  • export AUR_SCAN_MODE=install: the race-free path — scans the exact bytes, then builds them in dependency order.

The shell integration is the real gate. The optional pacman hook runs during the install transaction, after makepkg already built (and executed) the package, so it can only catch .install-scriptlet payloads — use it as a backstop, not your primary defense.