{"id":51301596,"url":"https://github.com/bkbalci/pkgwatch","last_synced_at":"2026-06-30T20:02:39.661Z","repository":{"id":364521530,"uuid":"1268222269","full_name":"bkbalci/pkgwatch","owner":"bkbalci","description":"AUR PKGBUILD risk scanner and paru wrapper","archived":false,"fork":false,"pushed_at":"2026-06-13T11:07:08.000Z","size":49,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-13T11:25:55.280Z","etag":null,"topics":["archlinux","aur","cachyos","cli","malware-detection","paru","pkgbuild","rust","security"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bkbalci.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-06-13T09:23:57.000Z","updated_at":"2026-06-13T11:08:55.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/bkbalci/pkgwatch","commit_stats":null,"previous_names":["bkbalci/pkgwatch"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/bkbalci/pkgwatch","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bkbalci%2Fpkgwatch","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bkbalci%2Fpkgwatch/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bkbalci%2Fpkgwatch/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bkbalci%2Fpkgwatch/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bkbalci","download_url":"https://codeload.github.com/bkbalci/pkgwatch/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bkbalci%2Fpkgwatch/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34981391,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-30T02:00:05.919Z","response_time":92,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["archlinux","aur","cachyos","cli","malware-detection","paru","pkgbuild","rust","security"],"created_at":"2026-06-30T20:02:39.138Z","updated_at":"2026-06-30T20:02:39.656Z","avatar_url":"https://github.com/bkbalci.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# pkgwatch\n\n`pkgwatch` is a Rust CLI for reviewing AUR `PKGBUILD` and `.install` content before install. It reports suspicious build/install patterns, checks a cached known-malware package list, reads AUR RPC metadata when network access is allowed, and can wrap `paru`.\n\n`pkgwatch` is a guardrail, not a verifier. It never executes package scripts during scans, but users should still review PKGBUILDs and prefer clean build environments for high-risk packages.\n\n## Why\n\nThe June 2026 AUR malicious package incident was a reminder that build scripts run before `pacman` ever sees a package. A pacman hook is too late for this class of problem: the risky code can execute during `makepkg` as the user.\n\n`pkgwatch` sits earlier in the flow. It downloads and reads package scripts as text, flags suspicious patterns, and can wrap `paru` so review happens before the build starts.\n\n## Install\n\nInstall from crates.io:\n\n```sh\ncargo install pkgwatch\n```\n\nInstall the latest tagged release from source:\n\n```sh\ncargo install --git https://github.com/bkbalci/pkgwatch --tag v0.1.1\n```\n\nInstall the current development version from `main`:\n\n```sh\ncargo install --git https://github.com/bkbalci/pkgwatch\n```\n\nOr download the Linux x86_64 binary from the GitHub release:\n\n```sh\ncurl -L -o pkgwatch.tar.gz https://github.com/bkbalci/pkgwatch/releases/download/v0.1.1/pkgwatch-v0.1.1-x86_64-unknown-linux-gnu.tar.gz\ncurl -L -o pkgwatch.tar.gz.sha256 https://github.com/bkbalci/pkgwatch/releases/download/v0.1.1/pkgwatch-v0.1.1-x86_64-unknown-linux-gnu.tar.gz.sha256\nsha256sum -c pkgwatch.tar.gz.sha256\ntar -xzf pkgwatch.tar.gz\nmkdir -p ~/.local/bin\ncp pkgwatch-v0.1.1-x86_64-unknown-linux-gnu/pkgwatch ~/.local/bin/pkgwatch\n```\n\nOr build from a local checkout:\n\n```sh\ncargo build --release\nmkdir -p ~/.local/bin\ncp target/release/pkgwatch ~/.local/bin/pkgwatch\n```\n\nMake sure the install location is in `PATH`:\n\n```sh\ncommand -v pkgwatch\n```\n\n## Quick Start\n\nCreate the config and print the shell wrapper:\n\n```sh\npkgwatch init\n```\n\nAdd the printed function to your shell rc file.\n\nFor bash or zsh:\n\n```sh\nparu() {\n  pkgwatch paru -- \"$@\"\n}\n```\n\nFor fish:\n\n```fish\nfunction paru\n    pkgwatch paru -- $argv\nend\n```\n\nReload your shell and verify that `paru` is wrapped:\n\n```sh\nsource ~/.zshrc\ntype paru\n```\n\nRun a non-installing AUR update scan:\n\n```sh\npkgwatch update-check\n```\n\nThen use `paru` normally:\n\n```sh\nparu -Syu\nparu -S package-name\n```\n\nWithout the shell wrapper, normal `paru` commands do not automatically run `pkgwatch`.\n\n## Commands\n\n```sh\npkgwatch scan \u003cpackage\u003e\npkgwatch file \u003cpath\u003e\npkgwatch -f \u003cpath\u003e\npkgwatch batch\npkgwatch update-check\npkgwatch update-list\npkgwatch init\npkgwatch paru -- \u003cparu args...\u003e\n```\n\nGlobal flags:\n\n```sh\n--json        Emit stable JSON output\n--strict      Exit non-zero on high or critical findings\n--no-network  Use local cache and built-in fallbacks only\n--yes         Auto-accept non-critical prompts\n--ai          Enable advisory AI review for this command\n--ai-provider auto|codex|claude|gemini\n--ai-threshold always|info|low|medium|high|critical\n--ai-custom-command /path/to/reviewer\n```\n\n## Paru Wrapper Setup\n\nRun:\n\n```sh\npkgwatch init\n```\n\nThis creates `~/.config/pkgwatch/config.toml` and prints a shell function:\n\n```sh\nparu() {\n  pkgwatch paru -- \"$@\"\n}\n```\n\nAdd that function to your shell rc file if you want normal `paru -S ...` usage to pass through `pkgwatch` first.\n\nExample config:\n\n```toml\n[policy]\nstrict = false\nask_on = \"high\"\nblock_on = \"critical\"\nyes = false\n\n[network]\nauto_update_list = true\nuse_aur_metadata = true\nmax_aur_packages = 25\n\n[ai]\nenabled = false\nprovider = \"auto\"\nthreshold = \"medium\"\ntimeout_seconds = 45\nfail_closed = false\nmax_file_bytes = 65536\nmax_total_bytes = 245760\n\n[wrapper]\nenabled = true\nreal_paru_path = \"/usr/bin/paru\"\n```\n\nAI review is opt-in. When enabled, `pkgwatch` looks for `codex`, `claude`, or `gemini` in `PATH`, or runs `custom_command` when `provider = \"custom\"`. It sends only package script text for advisory review. AI output does not execute package code and is not treated as a blocking signal by itself unless `fail_closed = true` and the AI review cannot complete.\n\nEnable AI for one command:\n\n```sh\npkgwatch --ai --ai-threshold always update-check\n```\n\nEnable AI by default in `~/.config/pkgwatch/config.toml`:\n\n```toml\n[ai]\nenabled = true\nprovider = \"auto\"\nthreshold = \"medium\"\n```\n\nRemote AUR scans download the package snapshot and inspect `PKGBUILD`, `.install`, `.SRCINFO`, and helper shell scripts before build. `pkgwatch paru -- ...` also expands AUR dependency closure up to `max_aur_packages`.\n\n`pkgwatch paru -- ...` skips AUR scanning for repo-only operations such as `paru --repo ...`.\n\nFor high or critical findings, human output writes a report draft under `/tmp/pkgwatch-report-\u003cpackage\u003e.txt`. It is never sent automatically.\n\nExit codes:\n\n- `0`: clean or accepted warnings\n- `1`: scan completed with warnings in strict mode\n- `2`: critical finding blocked or user declined\n- `3`: usage/config error\n\n## Uninstall\n\nRemove the shell wrapper function from your shell rc file, then remove the binary:\n\n```sh\nrm -f ~/.local/bin/pkgwatch\n```\n\nIf installed with Cargo:\n\n```sh\ncargo uninstall pkgwatch\n```\n\nOptional config/cache cleanup:\n\n```sh\nrm -rf ~/.config/pkgwatch ~/.cache/pkgwatch\n```\n\n## Verification\n\nWhen a Rust toolchain is available:\n\n```sh\ncargo fmt --check\ncargo test\ncargo run -- file fixtures/clean/PKGBUILD\ncargo run -- --json file fixtures/malicious-npm/PKGBUILD\n```\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md). Keep scanner changes evidence-based, add tests for new rules, and do not add package execution to tests or scan paths.\n\n## Security\n\nPlease report security issues privately; see [SECURITY.md](SECURITY.md).\n\n## License\n\nMIT. See [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbkbalci%2Fpkgwatch","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbkbalci%2Fpkgwatch","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbkbalci%2Fpkgwatch/lists"}