{"id":48797052,"url":"https://github.com/penguinztech/penguin-rust-plugins","last_synced_at":"2026-06-13T09:01:20.591Z","repository":{"id":351176898,"uuid":"1209874411","full_name":"PenguinzTech/penguin-rust-plugins","owner":"PenguinzTech","description":"Third-party security scanning and redistribution layer for Oxide (Rust game server) plugins from umod.org. Not affiliated with upstream plugin authors.","archived":false,"fork":false,"pushed_at":"2026-05-29T07:37:44.000Z","size":313,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-29T09:27:17.000Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PenguinzTech.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-13T21:43:32.000Z","updated_at":"2026-04-23T13:44:15.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/PenguinzTech/penguin-rust-plugins","commit_stats":null,"previous_names":["penguinztech/penguin-rust-plugins"],"tags_count":1183,"template":false,"template_full_name":null,"purl":"pkg:github/PenguinzTech/penguin-rust-plugins","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PenguinzTech%2Fpenguin-rust-plugins","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PenguinzTech%2Fpenguin-rust-plugins/tags","releases_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PenguinzTech%2Fpenguin-rust-plugins/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PenguinzTech%2Fpenguin-rust-plugins/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PenguinzTech","download_url":"https://codeload.github.com/PenguinzTech/penguin-rust-plugins/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PenguinzTech%2Fpenguin-rust-plugins/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33897568,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-04T02:00:06.755Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-14T00:04:55.003Z","updated_at":"2026-06-04T09:00:34.721Z","avatar_url":"https://github.com/PenguinzTech.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# penguin-rust-plugins\n\n[![CodeQL](https://github.com/PenguinzTech/penguin-rust-plugins/actions/workflows/codeql.yml/badge.svg)](https://github.com/PenguinzTech/penguin-rust-plugins/actions/workflows/codeql.yml)\n[![Scan PR](https://github.com/PenguinzTech/penguin-rust-plugins/actions/workflows/scan-pr.yml/badge.svg)](https://github.com/PenguinzTech/penguin-rust-plugins/actions/workflows/scan-pr.yml)\n\nA 
third-party security scanning and redistribution layer for Oxide framework plugins hosted on umod.org. We are not the upstream authors of any plugin—we are a scanning service similar to Bitnami or Chainguard, which harden upstream software and make the security artifacts publicly auditable.\n\n## Purpose \u0026 Scope\n\nThis repository:\n- Fetches Rust plugins from umod.org automatically\n- Runs each plugin through security scanners: ClamAV, YARA, Semgrep, gitleaks, trivy\n- Publishes scan reports alongside the source code in git for a permanent audit trail\n- Publishes clean plugins as versioned releases and OCI artifacts only when scans pass\n- Provides SHA256 hash files and SBOMs so downstream consumers can verify integrity\n\nWe do **not**:\n- Modify plugin source code\n- Guarantee plugin functionality or compatibility\n- Endorse plugins—we only report what scanners find\n- Hold any copyright or licensing authority over plugins\n\n## Trust Model\n\n**What we do:** Run deterministic, open-source scanners on unmodified upstream source. Commit scan reports to git (immutable audit log). Publish only when scanners are clean.\n\n**What you verify:** Scan reports are in this repo, the Git history is tamper-proof (GitHub signed commits), and the hash chain is independently verifiable. You trust the scanners (ClamAV, YARA, etc.), not us.\n\n**Attack surface:** If the repo is compromised, scan reports could be falsified. 
Use GitHub's security features (required PR reviews, branch protection, signed commits) to mitigate this.\n\n## What a Plugin Directory Contains\n\nEach `plugins/{slug}/` contains:\n- `{FileName}.cs` — unmodified plugin source from umod.org\n- `{slug}.hash` — SHA256 of the plugin file\n- `reports/` — full scan output (ClamAV, YARA, Semgrep, gitleaks, trivy)\n- `sbom.cdx.json` — CycloneDX SBOM\n- `provenance.json` — fetch metadata (author, upstream version, URL, fetch timestamp)\n- `ATTRIBUTION.md` — upstream author credit and licensing notice\n\nAll artifacts are committed to git for public inspection.\n\n## Scope\n\nThis repository covers only the **most commonly used** Rust/Oxide plugins. Each plugin gets a dedicated GitHub Actions workflow that runs the full scan suite on a daily schedule — CI credits are finite, so we deliberately keep the plugin set small and high-value rather than attempting full coverage of umod.org.\n\nIf a plugin is niche or has a small install base, it is unlikely to be accepted. Priority is given to plugins with broad server adoption.\n\n## Adding a New Plugin\n\n1. Open a GitHub issue with template `type:feature` + `component:infra`\n2. Include the plugin slug (as it appears in the umod.org URL) and evidence of broad adoption (download count, community usage)\n3. Maintainers evaluate CI budget impact before accepting\n4. If accepted, maintainers run `./scripts/add-plugin.sh \u003cslug\u003e \u003cFileName.cs\u003e` to scaffold\n5. File a PR with the new entry in `registry.txt` and the generated workflow file\n6. Scanners run; if clean, an automated commit and release are published\n7. 
If quarantined, issue opened; see reports for details\n\n## Reporting an Issue\n\n- **Tampered plugin detected?** GitHub issue, label `plugin-tampered`\n- **Bad scan (false positive)?** GitHub issue, label `plugin-scan-issue`, include evidence\n- **Licensing question?** See `ATTRIBUTION.md` in plugin directory; contact upstream author via umod.org\n\n## Attribution\n\nEvery plugin retains the license and copyright of its upstream author. See `plugins/{slug}/ATTRIBUTION.md` for upstream author credit and source URL. This repository adds only scanning, audit logs, and packaging metadata.\n\n---\n\n**Upstream source:** https://umod.org  \n**Maintained by:** PenguinzTech\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpenguinztech%2Fpenguin-rust-plugins","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpenguinztech%2Fpenguin-rust-plugins","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpenguinztech%2Fpenguin-rust-plugins/lists"}