https://github.com/gardner/hbs
Experimental homebrew scanner
Last synced: 5 months ago
- Host: GitHub
- URL: https://github.com/gardner/hbs
- Owner: gardner
- Created: 2025-11-11T20:54:23.000Z (8 months ago)
- Default Branch: master
- Last Pushed: 2025-11-11T22:45:02.000Z (8 months ago)
- Last Synced: 2025-11-12T00:28:32.800Z (8 months ago)
- Language: Python
- Size: 85.9 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# HBS Single-Node Scanner (Homebrew)
A single Docker container that iteratively scans Homebrew formulae with:
- **Static code**: Semgrep, Gitleaks, Bandit (skips bandit if no Python files)
- **Binary/bottle**: ClamAV, YARA (simple rules included), radare2/rabin2 inventory
## Build
```bash
docker build --platform=linux/amd64 -t hbs:latest .
```
## Run
Mount a local output dir to collect reports (recommended):
```bash
mkdir -p out
docker run --platform=linux/amd64 --rm -v "$PWD/out:/work" hbs:latest --formula zstd
```
Multiple formulae via a file:
```bash
docker run --platform=linux/amd64 --rm -v "$PWD/out:/work" hbs:latest \
--formula-file /app/example.list \
--os x86_64_linux
```
*OS key* picks the bottle; common values:
* `x86_64_linux` (default preference)
* `arm64_ventura`, `ventura`, `arm64_monterey`, `monterey`
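How an OS key selects a bottle, as an added example that is not the hbs project's own code. It assumes the JSON shape served by `formulae.brew.sh/api/formula/<name>.json` (`bottle.stable.files.<os_key>` holding a `url` and a `sha256`); the formula excerpt is constructed and its digests are placeholders. It applies the README's preference order when the requested key is not built, and checks the downloaded bottle against the published digest before any scanner touches it.

```python
"""Bottle selection by OS key (added example, not hbs project code).

Assumes the JSON shape of formulae.brew.sh/api/formula/<name>.json:
bottle.stable.files.<os_key> -> {"url": ..., "sha256": ...}. The excerpt
below is constructed; the digests are placeholders, not real Homebrew values.
"""
import hashlib
import json
from typing import Optional

SAMPLE_FORMULA_JSON = json.dumps({
    "name": "zstd",
    "versions": {"stable": "1.5.6"},
    "bottle": {"stable": {"files": {
        "arm64_ventura": {"url": "https://ghcr.io/v2/homebrew/core/zstd/blobs/sha256:PLACEHOLDER_A",
                          "sha256": "PLACEHOLDER_A"},
        "ventura":       {"url": "https://ghcr.io/v2/homebrew/core/zstd/blobs/sha256:PLACEHOLDER_B",
                          "sha256": "PLACEHOLDER_B"},
        "x86_64_linux":  {"url": "https://ghcr.io/v2/homebrew/core/zstd/blobs/sha256:PLACEHOLDER_C",
                          "sha256": "PLACEHOLDER_C"},
    }}},
})

# Same preference order the README lists: x86_64_linux first, then the macOS tags.
DEFAULT_PREFERENCE = ["x86_64_linux", "arm64_ventura", "ventura", "arm64_monterey", "monterey"]


def select_bottle(formula_json: str, os_key: Optional[str] = None,
                  preference=DEFAULT_PREFERENCE) -> Optional[dict]:
    """Return {"os_key", "url", "sha256"} for the requested key, falling back
    along `preference`; None when the formula ships no bottle at all."""
    data = json.loads(formula_json)
    files = data.get("bottle", {}).get("stable", {}).get("files", {})
    if not files:
        return None  # source-only formula: nothing to download for the binary stage
    order = ([os_key] if os_key else []) + [k for k in preference if k != os_key]
    for key in order:
        if key in files:
            return {"os_key": key, "url": files[key]["url"], "sha256": files[key]["sha256"]}
    return None


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def verify_bottle(blob: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded blob with the digest from the formula JSON before
    handing it to ClamAV/YARA/rabin2; on a mismatch, discard instead of scanning."""
    return sha256_hex(blob) == expected_sha256


if __name__ == "__main__":
    print(select_bottle(SAMPLE_FORMULA_JSON))                    # x86_64_linux, the default
    print(select_bottle(SAMPLE_FORMULA_JSON, "arm64_monterey"))  # not built -> falls back
```

The fallback matters for the scanner's coverage numbers: a formula that lacks a bottle for the requested key still gets its other bottle scanned rather than being silently skipped, and `select_bottle` returning `None` is the signal to record "source-only" in the manifest.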
## Outputs
For each formula under `/work//reports/`:
* `static/semgrep.json` – Semgrep results (OWASP Top 10 ruleset)
* `static/gitleaks.json` – Secrets findings
* `static/bandit.json` – Python security findings (or a `skipped` note)
* `binary/clamscan.log` – ClamAV infected file log lines (if any)
* `binary/yara_matches.txt` – YARA matches
* `binary/rabin2_inventory.jsonl` – Per-binary metadata + strings head
A `manifest.json` summarizes what was scanned.
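Rolling the per-formula report files up into one triage summary, as an added example that is not the hbs project's own code. The directory layout and file names follow the README; the report contents written by `write_sample_reports()` are constructed, and the field names in `rabin2_inventory.jsonl` (`path`, `stripped`) are assumed because the README does not specify them. The Semgrep, Gitleaks, Bandit and clamscan formats are the tools' own.

```python
"""Per-formula report roll-up (added example, not hbs project code).

Layout: <work>/<formula>/reports/{static,binary}/... as in the README.
Sample contents are constructed; rabin2_inventory.jsonl field names are assumed.
"""
import json
import tempfile
from pathlib import Path


def write_sample_reports(work: Path, formula: str) -> Path:
    """Create <work>/<formula>/reports/ with constructed tool output."""
    rep = work / formula / "reports"
    (rep / "static").mkdir(parents=True)
    (rep / "binary").mkdir(parents=True)
    (rep / "static" / "semgrep.json").write_text(json.dumps({"results": [
        {"check_id": "ruby.lang.security.dangerous-open", "path": "formula.rb",
         "extra": {"severity": "ERROR", "message": "constructed finding"}}]}))
    (rep / "static" / "gitleaks.json").write_text(json.dumps([
        {"RuleID": "generic-api-key", "File": "lib/config.rb", "StartLine": 12}]))
    (rep / "static" / "bandit.json").write_text(json.dumps({"skipped": "no Python files"}))
    (rep / "binary" / "clamscan.log").write_text("")       # no "... FOUND" lines
    (rep / "binary" / "yara_matches.txt").write_text("")   # no rule hits
    (rep / "binary" / "rabin2_inventory.jsonl").write_text(
        json.dumps({"path": "bin/zstd", "stripped": True}) + "\n"
        + json.dumps({"path": "lib/libzstd.so.1", "stripped": False}) + "\n")
    return rep


def _load_json(path: Path, default):
    """A missing or malformed report counts as 'no data', not as a crash."""
    try:
        return json.loads(path.read_text())
    except (FileNotFoundError, json.JSONDecodeError):
        return default


def _lines(path: Path) -> list:
    return [ln for ln in path.read_text().splitlines() if ln.strip()] if path.exists() else []


def summarize(rep: Path) -> dict:
    """Counts per tool plus a needs_review flag for anything that should be read by a human."""
    semgrep = _load_json(rep / "static" / "semgrep.json", {})
    by_sev = {}
    for r in semgrep.get("results", []):
        sev = r.get("extra", {}).get("severity", "UNKNOWN")
        by_sev[sev] = by_sev.get(sev, 0) + 1
    gitleaks = _load_json(rep / "static" / "gitleaks.json", [])
    bandit = _load_json(rep / "static" / "bandit.json", {})
    infected = [ln for ln in _lines(rep / "binary" / "clamscan.log") if ln.endswith(" FOUND")]
    yara = _lines(rep / "binary" / "yara_matches.txt")
    inventory = [json.loads(ln) for ln in _lines(rep / "binary" / "rabin2_inventory.jsonl")]
    summary = {
        "formula": rep.parent.name,
        "semgrep": by_sev,
        "gitleaks_secrets": len(gitleaks) if isinstance(gitleaks, list) else 0,
        "bandit": "skipped" if "skipped" in bandit else len(bandit.get("results", [])),
        "clamav_infected": len(infected),
        "yara_matches": len(yara),
        "binaries": len(inventory),
        "unstripped_binaries": sum(1 for b in inventory if b.get("stripped") is False),
    }
    summary["needs_review"] = bool(by_sev.get("ERROR") or summary["gitleaks_secrets"]
                                   or infected or yara)
    return summary


def demo() -> dict:
    """Build the constructed tree in a temp dir and summarize it."""
    with tempfile.TemporaryDirectory() as tmp:
        return summarize(write_sample_reports(Path(tmp), "zstd"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Pointing `summarize()` at each `<formula>/reports` directory under the mounted `out/` gives a one-line-per-formula view that is easier to act on than six raw tool outputs, and the "missing file means no data" handling keeps a single failed tool (an empty ClamAV log after a flaky `freshclam`, or the Bandit `skipped` note) from masking the other results.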
## Notes & Tips
* **AV signatures**: the entrypoint runs `freshclam` on start. If mirrors are flaky, it won’t crash the job.
* **Semgrep config**: uses `p/owasp-top-ten`. You can change it in `scan.py`.
* **Network**: the container needs egress to fetch formula metadata, sources, bottles, and semgrep rules.
* **Safety**: we don’t execute downloaded binaries—only static scans and metadata extraction.
## Example: scan three formulae
```bash
printf "zstd\nwget\njq\n" > example.list
docker run --platform=linux/amd64 --rm -v "$PWD/out:/work" hbs:latest --formula-file /app/example.list
```
Reports end up in `./out//reports`.