feat: detect binary artifacts during scanning#6
Open
vlsi wants to merge 1 commit into
Open
Conversation
a2681a0 to
1b93010
Compare
f33cfda to
aece199
Compare
CyberFerret scanned only text before, so binary files committed by mistake (build outputs, archives) went unnoticed. The scanner now reports each binary file as a BINARY_ARTIFACT finding and fails the scan, so the CLI/pre-commit hook exits non-zero. A file counts as binary when its first 16 KiB contains a NUL byte; UTF-16 text is detected by its encoding and kept out of the check. Supported image formats are scanned for embedded metadata instead of being flagged. Legitimate binaries can be whitelisted with the new (binary-exclude) dictionary key, a comma-separated list of file-name regex patterns; the key applies to both the GUI and the CLI. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
aece199 to
ba93096
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
CyberFerret scanned only text files, so binary files committed by mistake — build outputs, archives, stray jars — went unnoticed. They are worth surfacing during a scan, and a pre-commit run should fail when one is found.
What
BINARY_ARTIFACTfinding and fails the scan, so the CLI/pre-commit hook exits non-zero.(binary-exclude)dictionary key — a comma-separated list of file-name regex patterns. The key applies to both the GUI and the CLI. The shipped default whitelists only the build wrapper jars (gradle-wrapper\\.jar,maven-wrapper\\.jar), so any other committed binary is still reported.How to verify
mvn testpasses for all modules. Coverage:FileUtilsTests—isBinaryFileflags NUL bytes, treats plain text, UTF-16 text, and empty files as text, and ignores directories;matchesAnyPatternmatches by file name, handles empty or null pattern lists, and whitelists the wrapper jars while still flagging other jars.RunnableScannerTests— a binary file is reported asBINARY_ARTIFACTand fails the scan; one matching abinary-excludepattern is skipped; a supported image is not flagged (its metadata is scanned instead). The existing UTF-16LE test confirms such files are still scanned.Manual check: run a pre-commit scan over a repository holding both
gradle/wrapper/gradle-wrapper.jarand an unexpected binary — the wrapper jar is skipped, the other is reported and the hook exits non-zero.