https://github.com/gardner/hbs

Experimental homebrew scanner
https://github.com/gardner/hbs

Last synced: 5 months ago
JSON representation

Experimental homebrew scanner

• Host: GitHub
• URL: https://github.com/gardner/hbs
• Owner: gardner
• Created: 2025-11-11T20:54:23.000Z (8 months ago)
• Default Branch: master
• Last Pushed: 2025-11-11T22:45:02.000Z (8 months ago)
• Last Synced: 2025-11-12T00:28:32.800Z (8 months ago)
• Language: Python
• Size: 85.9 KB
• Stars: 0
• Watchers: 0
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          
# HBS Single-Node Scanner (Homebrew)

A single Docker container that iteratively scans Homebrew formulae with:

- **Static code**: Semgrep, Gitleaks, Bandit (skips bandit if no Python files)

- **Binary/bottle**: ClamAV, YARA (simple rules included), radare2/rabin2 inventory

## Build

```bash

docker build --platform=linux/amd64 -t hbs:latest .

````

## Run

Mount a local output dir to collect reports (recommended):

```bash

mkdir -p out

docker run --platform=linux/amd64 --rm -v "$PWD/out:/work" hbs:latest --formula zstd

```

Multiple formulae via a file:

```bash

docker run --platform=linux/amd64 --rm -v "$PWD/out:/work" hbs:latest \

  --formula-file /app/example.list \

  --os x86_64_linux

```

*OS key* picks the bottle; common values:

* `x86_64_linux` (default preference)

* `arm64_ventura`, `ventura`, `arm64_monterey`, `monterey`

## Outputs

For each formula under `/work//reports/`:

* `static/semgrep.json` – Semgrep results (OWASP Top 10 ruleset)

* `static/gitleaks.json` – Secrets findings

* `static/bandit.json` – Python security findings (or a `skipped` note)

* `binary/clamscan.log` – ClamAV infected file log lines (if any)

* `binary/yara_matches.txt` – YARA matches

* `binary/rabin2_inventory.jsonl` – Per-binary metadata + strings head

A `manifest.json` summarizes what was scanned.

## Notes & Tips

* **AV signatures**: the entrypoint runs `freshclam` on start. If mirrors are flaky, it won’t crash the job.

* **Semgrep config**: uses `p/owasp-top-ten`. You can change it in `scan.py`.

* **Network**: the container needs egress to fetch formula metadata, sources, bottles, and semgrep rules.

* **Safety**: we don’t execute downloaded binaries—only static scans and metadata extraction.

## Example: scan three formulae

```bash

printf "zstd\nwget\njq\n" > example.list

docker run --platform=linux/amd64 --rm -v "$PWD/out:/work" hbs:latest --formula-file /app/example.list

```

Reports end up in `./out//reports`.