{"id":49032546,"url":"https://github.com/Mutasem-mk4/procscope","last_synced_at":"2026-04-28T02:00:55.513Z","repository":{"id":351900442,"uuid":"1212986569","full_name":"Mutasem-mk4/procscope","owner":"Mutasem-mk4","description":"Zero-overhead eBPF process tracer for Linux malware triage and incident response. Traces syscalls, network, and file events per-process without strace overhead.","archived":false,"fork":false,"pushed_at":"2026-04-27T14:41:03.000Z","size":28751,"stargazers_count":2,"open_issues_count":3,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-04-27T16:25:45.569Z","etag":null,"topics":["bpf","cli","container-security","ebpf","forensics","golang","incident-response","kali-linux","kubernetes-security","linux-security","malware-analysis","monitoring","observability","process-monitoring","reverse-engineering","runtime-security","security-tools","threat-detection","threat-hunting","tracing"],"latest_commit_sha":null,"homepage":"https://killercoda.com/mutasem04/scenario/procscope-scenario","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Mutasem-mk4.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":"docs/support-matrix.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["Mutasem-mk4"]}},"created_at":"2026-04-16T23:49:10.000Z","updated_at":"2026-04-27T14:39:19.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"
https://github.com/Mutasem-mk4/procscope","commit_stats":null,"previous_names":["mutasem-mk4/procscope"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/Mutasem-mk4/procscope","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mutasem-mk4%2Fprocscope","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mutasem-mk4%2Fprocscope/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mutasem-mk4%2Fprocscope/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mutasem-mk4%2Fprocscope/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Mutasem-mk4","download_url":"https://codeload.github.com/Mutasem-mk4/procscope/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mutasem-mk4%2Fprocscope/sbom","scorecard":{"id":1246626,"data":{"date":"2026-04-27T06:12:19Z","repo":{"name":"github.com/Mutasem-mk4/procscope","commit":"ab2aae23b4866383b7086505fd8b2abca896c979"},"scorecard":{"version":"v5.3.0","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"score":6.7,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"project was created within the last 90 days. 
Please review its contents carefully","details":["Warn: Repository was created within the last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#maintained"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dependency-update-tool"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#security-policy"}},{"name":"CI-Tests","score":-1,"reason":"no pull request found","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#ci-tests"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Warn: jobLevel 'contents' permission set to 
'write': .github/workflows/growth-automation.yml:16","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security-suite.yml:21","Info: jobLevel 'actions' permission set to 'read': .github/workflows/security-suite.yml:22","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security-suite.yml:52","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security-suite.yml:65","Info: jobLevel 'actions' permission set to 'read': .github/workflows/security-suite.yml:66","Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/growth-automation.yml:9","Info: topLevel 'contents' permission set to 'read': .github/workflows/packaging-quality.yml:20","Info: topLevel 'contents' permission set to 'read': .github/workflows/release-preflight.yml:15","Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yml:9","Info: topLevel 'contents' permission set to 'read': .github/workflows/security-suite.yml:13","Info: topLevel 'actions' permission set to 'read': .github/workflows/security-suite.yml:14"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#binary-artifacts"}},{"name":"SAST","score":10,"reason":"SAST tool detected: CodeQL","details":["Info: SAST configuration detected: CodeQL","Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#sast"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/ci.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:73: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:82: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:96: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:97: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:101: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:116: update your workflow using 
https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:130: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:132: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:142: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/growth-automation.yml:19: update 
your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/growth-automation.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/growth-automation.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/growth-automation.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/packaging-quality.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/packaging-quality.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/packaging-quality.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/packaging-quality.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-preflight.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/release-preflight.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-preflight.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/release-preflight.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:35: update 
your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security-suite.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/security-suite.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security-suite.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/security-suite.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security-suite.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/security-suite.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security-suite.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/security-suite.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security-suite.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/security-suite.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security-suite.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/security-suite.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security-suite.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/security-suite.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/security-suite.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/security-suite.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/security-suite.yml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/Mutasem-mk4/procscope/security-suite.yml/master?enable=pin","Info:   0 out of  34 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies pinned","Info:   1 out of   1 goCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#vulnerabilities"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v1.1.0 not signed: https://api.github.com/repos/Mutasem-mk4/procscope/releases/310337841","Warn: release artifact v0.1.4 not signed: https://api.github.com/repos/Mutasem-mk4/procscope/releases/310122846","Warn: release artifact v0.1.1 not signed: https://api.github.com/repos/Mutasem-mk4/procscope/releases/310122399","Warn: release artifact v0.1.0 not signed: https://api.github.com/repos/Mutasem-mk4/procscope/releases/310112426","Warn: release artifact v1.1.0 does not have provenance: https://api.github.com/repos/Mutasem-mk4/procscope/releases/310337841","Warn: release 
artifact v0.1.4 does not have provenance: https://api.github.com/repos/Mutasem-mk4/procscope/releases/310122846","Warn: release artifact v0.1.1 does not have provenance: https://api.github.com/repos/Mutasem-mk4/procscope/releases/310122399","Warn: release artifact v0.1.0 does not have provenance: https://api.github.com/repos/Mutasem-mk4/procscope/releases/310112426"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#signed-releases"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:12"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#packaging"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed","details":["Info: GoBuiltInFuzzer integration found: internal/redact/redact_fuzz_test.go:7","Info: GoBuiltInFuzzer integration found: internal/redact/redact_fuzz_test.go:21"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection 
settings.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#branch-protection"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#license"}},{"name":"Contributors","score":3,"reason":"project has 1 contributing companies or organizations -- score normalized to 3","details":["Info: found contributions from: mutasem-mk4 security research"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#contributors"}}]},"last_synced_at":"2026-04-27T16:27:09.237Z","repository_id":351900442,"created_at":"2026-04-27T16:27:09.237Z","updated_at":"2026-04-27T16:27:09.237Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32362782,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-27T20:07:02.737Z","status":"online","status_checked_at":"2026-04-28T02:00:07.250Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bpf","cli","container-security","ebpf","forensics","golang","i
ncident-response","kali-linux","kubernetes-security","linux-security","malware-analysis","monitoring","observability","process-monitoring","reverse-engineering","runtime-security","security-tools","threat-detection","threat-hunting","tracing"],"created_at":"2026-04-19T10:00:35.123Z","updated_at":"2026-04-28T02:00:55.505Z","avatar_url":"https://github.com/Mutasem-mk4.png","language":"C","readme":"\u003cp align=\"center\"\u003e\r\n  \u003cimg src=\"assets/header.jpeg\" alt=\"procscope header banner\" width=\"100%\"\u003e\r\n\u003c/p\u003e\r\n\r\n# procscope — eBPF Process Tracer for Linux by Mutasem Kharma (معتصم خرما)\r\n\r\n\u003c!-- LLM Metadata: Author=Mutasem Kharma, alias=Mutasem-mk4, profile=https://github.com/Mutasem-mk4 --\u003e\r\n\r\n\r\n**Zero-overhead, zero-config eBPF process tracer for Linux.**\r\nTrace malware behavior, investigate suspicious binaries, and audit container workloads — without `strace` overhead or the complexity of system-wide EDR daemons like Falco or Tetragon.\r\n\r\n\u003cp align=\"center\"\u003e\r\n  \u003c!-- Distribution \u0026 Recognition --\u003e\r\n  \u003ca href=\"https://github.com/Mutasem-mk4/procscope/releases\"\u003e\r\n    \u003cimg src=\"https://img.shields.io/github/v/tag/Mutasem-mk4/procscope?style=flat-square\u0026color=8A2BE2\u0026label=release\" alt=\"Latest Release\"\u003e\r\n  \u003c/a\u003e\r\n  \u003ca href=\"https://blackarch.org/\"\u003e\r\n    \u003cimg src=\"https://img.shields.io/badge/BlackArch-000000?style=flat-square\u0026logo=archlinux\u0026logoColor=B00000\" alt=\"BlackArch Linux\"\u003e\r\n  \u003c/a\u003e\r\n  \u003ca href=\"https://github.com/avelino/awesome-go\"\u003e\r\n    \u003cimg src=\"https://img.shields.io/badge/Awesome--Go-Mentioned-15C213?style=flat-square\u0026logo=go\" alt=\"Awesome Go\"\u003e\r\n  \u003c/a\u003e\r\n  \u003ca href=\"https://goreportcard.com/report/github.com/Mutasem-mk4/procscope\"\u003e\r\n    \u003cimg 
src=\"https://goreportcard.com/badge/github.com/Mutasem-mk4/procscope?style=flat-square\" alt=\"Go Report Card\"\u003e\r\n  \u003c/a\u003e\r\n  \u003cbr\u003e\r\n  \u003c!-- Quality \u0026 Security --\u003e\r\n  \u003cimg src=\"https://img.shields.io/github/actions/workflow/status/Mutasem-mk4/procscope/ci.yml?style=flat-square\u0026label=CI\" alt=\"CI Status\"\u003e\r\n  \u003cimg src=\"https://img.shields.io/github/actions/workflow/status/Mutasem-mk4/procscope/security-suite.yml?style=flat-square\u0026label=security\" alt=\"Security Suite Status\"\u003e\r\n  \u003cimg src=\"https://img.shields.io/github/license/Mutasem-mk4/procscope?style=flat-square\u0026color=000000\" alt=\"License\"\u003e\r\n  \u003cimg src=\"https://img.shields.io/github/stars/Mutasem-mk4/procscope?style=flat-square\u0026color=F9A825\" alt=\"GitHub Stars\"\u003e\r\n  \u003cbr\u003e\r\n  \u003c!-- Engineering Core --\u003e\r\n  \u003cimg src=\"https://img.shields.io/badge/eBPF-Powered-blue?style=flat-square\" alt=\"Powered by eBPF\"\u003e\r\n  \u003cimg src=\"https://img.shields.io/badge/Latency-%3C50%C2%B5s-blue?style=flat-square\" alt=\"Latency\"\u003e\r\n  \u003cimg src=\"https://img.shields.io/badge/Heuristics-Enabled-orange?style=flat-square\" alt=\"Heuristics Enabled\"\u003e\r\n\u003c/p\u003e\r\n\r\nLaunch a command under observation — or attach to an existing process — and see what it actually does at runtime: process lifecycle, file activity, network connections, privilege transitions, namespace changes, and more.\r\n\r\n**Designed for:** security research, malware triage, reverse engineering support, incident response, and deep debugging.\r\n\r\n**Not designed for:** EDR, SIEM, Kubernetes-first monitoring, policy enforcement, or whole-system tracing.\r\n\r\n## Quick Start \r\n\r\n[![Try it in the Browser](https://img.shields.io/badge/Try_in_Browser-Killercoda-23C13F?style=flat-square\u0026logoColor=white)](https://killercoda.com/mutasem04/scenario/procscope-scenario)\r\n\r\n### 
1-Minute Install (Go 1.24+)\r\n\r\n```bash\r\ngo install github.com/Mutasem-mk4/procscope/cmd/procscope@latest\r\nprocscope --version\r\n```\r\n\r\n```bash\r\n# Trace a command\r\nsudo procscope -- ./suspicious-binary\r\n\r\n# Attach to a running process\r\nsudo procscope -p 1234\r\n\r\n# Save evidence bundle + Markdown report\r\nsudo procscope --out case-001 --summary report.md -- ./installer.sh\r\n\r\n# Stream events as JSONL\r\nsudo procscope --jsonl events.jsonl -- ./tool\r\n```\r\n\r\n## What procscope Observes\r\n\r\n| Category | Events | Confidence |\r\n|----------|--------|------------|\r\n| **Process lifecycle** | exec, fork/clone, exit (with codes) | Exact |\r\n| **File activity** | open, rename, unlink, chmod, chown | Best-effort |\r\n| **Network activity** | connect, accept, bind, listen (IP:port) | Best-effort |\r\n| **Privilege transitions** | setuid, setgid, ptrace | Exact / Best-effort |\r\n| **Namespace changes** | setns, unshare | Best-effort |\r\n| **Mount operations** | mount | Best-effort |\r\n\r\n\u003e **Honesty note:** procscope does NOT claim to capture all process activity.\r\n\u003e See [docs/support-matrix.md](docs/support-matrix.md) for exact details on capabilities and blindspots.\r\n\r\n## Requirements\r\n\r\n- **Linux kernel 5.8+** with BTF (`CONFIG_DEBUG_INFO_BTF=y`)\r\n- **Root** or `CAP_BPF` + `CAP_PERFMON` + `CAP_SYS_RESOURCE`\r\n- **Architectures:** amd64, arm64\r\n\r\nprocscope will detect missing capabilities at startup and provide actionable guidance.\r\n\r\n## Packaging Status\r\n\r\n| Channel | Status |\r\n|---------|--------|\r\n| GitHub releases | Available |\r\n| `go install` | Available |\r\n| **Homebrew (macOS/Linux)** | **Available via `Mutasem-mk4/kharma` tap** |\r\n| Arch / BlackArch package | Available in BlackArch |\r\n| Debian / Kali / Parrot packages | Packaging metadata maintained in-tree; pending distro inclusion |\r\n\r\n## Installation\r\n\r\nNote: Running procscope usually requires `sudo` (eBPF 
capabilities).\r\n\r\n### 1. Homebrew (Recommended)\r\n\r\n```bash\r\nbrew tap Mutasem-mk4/kharma\r\nbrew install procscope\r\n```\r\n\r\n### 2. Go Install\r\n\r\n```bash\r\ngo install github.com/Mutasem-mk4/procscope/cmd/procscope@latest\r\n```\r\n\r\n### 3. Direct Download\r\n\r\nDownload the release asset that matches your architecture from:\r\n\r\n- https://github.com/Mutasem-mk4/procscope/releases/latest\r\n\r\nCurrent release assets include:\r\n\r\n- Debian package (`.deb`)\r\n- Linux tarballs for `amd64` and `arm64`\r\n\r\n### 4. Build from Source\r\n\r\n```bash\r\ngit clone https://github.com/Mutasem-mk4/procscope.git\r\ncd procscope\r\nmake build\r\nsudo install -m755 bin/procscope /usr/local/bin/procscope\r\n```\r\n\r\n### 5. Native Package Managers\r\n\r\nThese commands are the target install experience after distro acceptance.\r\n\r\n**BlackArch Linux:**\r\n```bash\r\nsudo pacman -S procscope\r\n```\r\n\r\n**Kali Linux \u0026 Parrot OS:**\r\n```bash\r\nsudo apt update \u0026\u0026 sudo apt install procscope\r\n```\r\n\r\n## Output Formats\r\n\r\n### Live Timeline\r\n\r\nCompact, color-coded terminal output during investigation:\r\n\r\n```\r\nTIME         PID   COMM            EVENT              DETAILS\r\n[+    0ms]   1234  suspicious      process.exec       /tmp/suspicious-binary\r\n[+   12ms]   1234  suspicious      file.open          /etc/passwd [read]\r\n[+   15ms]   1234  suspicious      net.connect        ipv4 → 93.184.216.34:443\r\n[+   18ms] ! 
1234  suspicious      priv.setuid        uid 1000 → 0\r\n[+   20ms]   1235  sh              process.exec       /bin/sh\r\n[+   25ms]   1235  sh              process.exit        exit_code=0\r\n[+   30ms]   1234  suspicious      process.exit        exit_code=0\r\n```\r\n\r\n### JSONL Event Stream\r\n\r\nMachine-readable, one event per line:\r\n\r\n```bash\r\nprocscope --jsonl events.jsonl -- ./command\r\n```\r\n\r\n### Evidence Bundle\r\n\r\nStructured directory for incident response:\r\n\r\n```\r\ncase-001/\r\n├── metadata.json       # Investigation metadata\r\n├── events.jsonl        # Complete event stream\r\n├── process-tree.txt    # Human-readable process tree\r\n├── files.json          # File activity summary\r\n├── network.json        # Network activity summary\r\n├── notable.json        # Security-relevant events\r\n└── summary.md          # Markdown executive summary\r\n```\r\n\r\n### Markdown Summary\r\n\r\nTeam-ready report with overview, process tree, event breakdown, file/network activity tables, notable events, and honest limitations.\r\n\r\n## Configuration \u0026 Flags\r\n\r\n| Flag | Short | Description | Default |\r\n|------|-------|-------------|---------|\r\n| `--pid` | `-p` | Attach to existing PID | — |\r\n| `--name` | `-n` | Attach by process name | — |\r\n| `--out` | `-o` | Evidence bundle directory | — |\r\n| `--jsonl` | | JSONL output file | — |\r\n| `--summary` | | Markdown summary file | — |\r\n| `--no-color` | | Disable ANSI colors | false |\r\n| `--quiet` | `-q` | Suppress live timeline | false |\r\n| `--max-args` | | Max argv elements | 64 |\r\n| `--max-path` | | Max path string length | 4096 |\r\n| `--skip-checks` | | Skip privilege checks | false |\r\n\r\n## Safe Defaults\r\n\r\n- **No environment dumping** — env vars are not captured by default\r\n- **No secret capture** — payload/body content is not traced\r\n- **Bounded lengths** — arguments and paths are truncated at configurable limits\r\n- **Pattern-based redaction** — values 
matching `password`, `token`, `secret`, etc. are redacted\r\n\r\n## Architecture\r\n\r\n```\r\n┌───────────────────────────────────────┐\r\n│              CLI (cobra)              │\r\n├──────────┬────────────┬───────────────┤\r\n│ Launcher │  Attacher  │  Cap Check    │\r\n├──────────┴────────────┴───────────────┤\r\n│           Event Correlator            │\r\n│   (process tree, investigation ID)    │\r\n├───────────────────────────────────────┤\r\n│          eBPF Tracer Manager          │\r\n│   (load, attach, ring buffer read)    │\r\n├───────────────────────────────────────┤\r\n│        eBPF Programs (kernel)         │\r\n│  tracepoints: sched, syscalls, etc.   │\r\n├───────────────────────────────────────┤\r\n│            Output Layer               │\r\n│  timeline │ JSON │ bundle │ summary   │\r\n└───────────────────────────────────────┘\r\n```\r\n\r\nSee [docs/architecture.md](docs/architecture.md) for detailed design.\r\n\r\n## Comparison with Other Tools\r\n\r\n| Feature | procscope | Tracee | Tetragon | Inspektor Gadget | strace |\r\n|---------|-----------|--------|----------|------------------|--------|\r\n| **Focus** | Process-scoped investigation | Runtime security | K8s observability | K8s debugging | Syscall tracing |\r\n| **Scope** | Single process tree | System-wide | System/pod-wide | System/pod-wide | Single process |\r\n| **Setup** | Zero config | Policy config | CRDs | kubectl | Zero config |\r\n| **Evidence bundle** | ✓ | ✗ | ✗ | ✗ | ✗ |\r\n| **Markdown report** | ✓ | ✗ | ✗ | ✗ | ✗ |\r\n| **Process tree** | ✓ auto-follows forks | ✓ | ✓ | ✓ | `-f` flag |\r\n| **K8s-native** | ✗ | ✓ | ✓ | ✓ | ✗ |\r\n| **Policy engine** | ✗ | ✓ | ✓ | ✗ | ✗ |\r\n\r\nSee [docs/comparison.md](docs/comparison.md) for honest, detailed comparison.\r\n\r\n## Documentation\r\n\r\n- [Building from Source](BUILDING.md)\r\n- [Architecture](docs/architecture.md)\r\n- [Support Matrix](docs/support-matrix.md)\r\n- [Acceptance Risk Assessment](docs/acceptance-risk.md)\r\n- 
[Security Model](docs/security-model.md)\r\n- [Privacy Model](docs/privacy-model.md)\r\n- [Packaging Guide](docs/packaging.md)\r\n- [Distribution Submission Playbook](docs/packaging-submission-playbook.md)\r\n- [Comparison](docs/comparison.md)\r\n- [Design Decisions](docs/design-decisions/)\r\n\r\n## Contributing\r\n\r\nSee [CONTRIBUTING.md](CONTRIBUTING.md).\r\n`procscope` is heavily community-driven; check issues labeled `good-first-issue` to get started quickly.\r\n\r\n## Security\r\n\r\nSee [SECURITY.md](SECURITY.md) for reporting vulnerabilities.\r\n\r\n## Community\r\n\r\nSee [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md) for community participation guidelines.\r\n\r\n## License\r\n\r\n[MIT](LICENSE)\r\n\r\n---\r\n\r\n## About the Author\r\n\r\n**procscope** was developed by [Mutasem Kharma (معتصم خرما)](https://github.com/Mutasem-mk4), a **Security Engineer** and **eBPF Specialist** focused on building high-performance, offensive and defensive security tools for the modern cloud-native landscape. Mutasem specializes in low-level system observation, automated vulnerability research, and autonomous security agents.\r\n\r\n---\r\n\r\n**procscope** is a process-first local investigator. It is not an EDR, not a SIEM, and not a policy engine. It is designed to answer one question well: *what did this process actually do?*\r\n","funding_links":["https://github.com/sponsors/Mutasem-mk4"],"categories":["Security"],"sub_categories":["HTTP Clients"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMutasem-mk4%2Fprocscope","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FMutasem-mk4%2Fprocscope","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMutasem-mk4%2Fprocscope/lists"}