Security

aur-scan is a security tool, so we hold it to a higher bar than most projects — both in what it does and in how it’s built and shipped.

Reporting a vulnerability

Please report privately. Don’t open a public issue for a security problem.

  • Email [email protected], or
  • Use GitHub’s Security → Report a vulnerability (private advisory) on the repo.

Include enough to reproduce: affected version (aur-scan --version), the PKGBUILD or input involved, and the behavior you observed vs. expected. A private patch is welcome. We aim to acknowledge within 72 hours and to ship a fix as fast as the severity warrants, and we’ll credit you in the release notes unless you ask us not to.

What counts as a security issue here

Because of what this tool is, these are treated as security-grade:

  • A false negative — a malicious pattern the scanner should flag but doesn’t, or any path where a scan silently fails yet reports “clean.”
  • Anything that makes the scanner execute, source, or fetch-and-run a package it’s only supposed to read (a breach of the static-only invariant).
  • Tampering with the build/release supply chain (signing, packaging, tags).

Ordinary false positives are bugs, not vulnerabilities — file those as normal issues.

Threat model

What this tool does, and deliberately does not do:

  • Static analysis only. aur-scan parses PKGBUILDs and install scripts with pure pattern/AST analysis. It does not run makepkg, source the PKGBUILD, evaluate shell, or execute the package. The only subprocesses it spawns are a hardened git clone (no hooks/submodules, protocol-restricted) to fetch a PKGBUILD, and read-only pacman queries. The scan cannot compromise the machine doing the scanning — that property is non-negotiable.
  • Opaque boundary. When a package fetches and runs code from an external source, the scanner flags it and stops — it does not follow the URL or resolve that chain. It tells you “this runs code from <url>,” which is the thing you actually needed to know.
  • Not a guarantee. Static analysis can’t catch every novel or obfuscated attack. Sandboxed dynamic analysis is intentionally out of scope — running the thing is exactly what we refuse to do. Treat findings as defense-in-depth and still review PKGBUILDs for critical systems.

Supply-chain hardening

  • Release tags are GPG-signed. Verify any release yourself:

    gpg --recv-keys 25631EAE3F43999050B7D7021132BF893C33FB51
    git -C ks-aur-scanner verify-tag v2.0.0

  • The tagged AUR packages (aur-scanner, ks-aur-scanner, aur-scanner-rc) build from the signed tag and verify it (validpgpkeys) rather than trusting a GitHub tarball hash. The rolling aur-scanner-git verifies the signed HEAD commit at build time.

  • CI runs format, clippy-as-error, the full test suite, and a cargo-deny supply-chain gate, plus a weekly advisory scan.
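A fail-closed version of the tag verification above, added here as an example (it is not part of aur-scan or its packaging): it pins the fingerprint from this page and rejects a signature that is merely "good" for some other key in your keyring, or one made by a revoked or expired key. It assumes git and gpg are installed and the key has already been imported; the sample status lines are constructed, not real gpg output.

```shell
#!/bin/sh
# Added example, not part of aur-scan: verify a signed release tag against the
# pinned key fingerprint and fail closed. Assumes git and gpg are installed and
# the key was imported with `gpg --recv-keys` as shown above.

PINNED_FPR="25631EAE3F43999050B7D7021132BF893C33FB51"

# check_tag_status: read gpg status lines (what `git verify-tag --raw` emits)
# on stdin; succeed only for a GOODSIG whose primary key is the pinned one.
# GOODSIG is required on purpose: VALIDSIG alone is also emitted for
# cryptographically valid signatures from expired or revoked keys
# (EXPKEYSIG / REVKEYSIG), which must not pass.
check_tag_status() {
    pinned="$1"
    status="$(cat)"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    # The last field of VALIDSIG is the primary key fingerprint. A "good"
    # signature from some other key in the keyring is not good enough.
    primary="$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')"
    [ -n "$primary" ] && [ "$primary" = "$pinned" ]
}

# verify_release_tag REPO TAG, e.g. verify_release_tag ks-aur-scanner v2.0.0
verify_release_tag() {
    # --raw prints the gpg status lines to stderr, hence 2>&1.
    git -C "$1" verify-tag --raw "$2" 2>&1 | check_tag_status "$PINNED_FPR"
}

# Constructed status output (not real gpg output) for offline checks.
STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1132BF893C33FB51 Constructed UID <nobody@example.invalid>
[GNUPG:] VALIDSIG 25631EAE3F43999050B7D7021132BF893C33FB51 2024-01-01 1704067200 0 4 0 1 10 00 25631EAE3F43999050B7D7021132BF893C33FB51'
STATUS_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed UID <nobody@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'
STATUS_REVOKED='[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG 1132BF893C33FB51 Constructed UID <nobody@example.invalid>
[GNUPG:] VALIDSIG 25631EAE3F43999050B7D7021132BF893C33FB51 2024-01-01 1704067200 0 4 0 1 10 00 25631EAE3F43999050B7D7021132BF893C33FB51'
```

Run `verify_release_tag ks-aur-scanner v2.0.0` after cloning; a non-zero exit means the tag should not be built.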

Supported versions

We support the latest released version. The AUR is rolling — please update before reporting (paru -S aur-scanner, or rebuild the tagged package). The signing key fingerprint is 25631EAE3F43999050B7D7021132BF893C33FB51.