Skip to content

feat: detect binary artifacts during scanning#6

Open
vlsi wants to merge 1 commit into
exadmin:mainfrom
vlsi:claude/add-pattern-detection-011CV3op6dBvEYh3vC1VUXTX
Open

feat: detect binary artifacts during scanning#6
vlsi wants to merge 1 commit into
exadmin:mainfrom
vlsi:claude/add-pattern-detection-011CV3op6dBvEYh3vC1VUXTX

Conversation

@vlsi

@vlsi vlsi commented Nov 12, 2025

Copy link
Copy Markdown
Contributor

Why

CyberFerret scanned only text files, so binary files committed by mistake — build outputs, archives, stray jars — went unnoticed. They are worth surfacing during a scan, and a pre-commit run should fail when one is found.

What

  • The scanner reports each binary file as a BINARY_ARTIFACT finding and fails the scan, so the CLI/pre-commit hook exits non-zero.
  • A file counts as binary when its first 16 KiB contains a NUL byte. UTF-16 text is recognised by its encoding and excluded, so it is still scanned for signatures.
  • Supported image formats are scanned for embedded metadata (EXIF) as before, rather than being flagged as artifacts.
  • Legitimate binaries can be whitelisted with the new (binary-exclude) dictionary key — a comma-separated list of file-name regex patterns. The key applies to both the GUI and the CLI. The shipped default whitelists only the build wrapper jars (gradle-wrapper\\.jar,maven-wrapper\\.jar), so any other committed binary is still reported.

How to verify

mvn test passes for all modules. Coverage:

  • FileUtilsTestsisBinaryFile flags NUL bytes, treats plain text, UTF-16 text, and empty files as text, and ignores directories; matchesAnyPattern matches by file name, handles empty or null pattern lists, and whitelists the wrapper jars while still flagging other jars.
  • RunnableScannerTests — a binary file is reported as BINARY_ARTIFACT and fails the scan; one matching a binary-exclude pattern is skipped; a supported image is not flagged (its metadata is scanned instead). The existing UTF-16LE test confirms such files are still scanned.

Manual check: run a pre-commit scan over a repository holding both gradle/wrapper/gradle-wrapper.jar and an unexpected binary — the wrapper jar is skipped, the other is reported and the hook exits non-zero.

@vlsi vlsi force-pushed the claude/add-pattern-detection-011CV3op6dBvEYh3vC1VUXTX branch from a2681a0 to 1b93010 Compare June 9, 2026 11:14
@vlsi vlsi changed the title Add binary artifact detection feature feat: detect binary artifacts during scanning Jun 9, 2026
@vlsi vlsi force-pushed the claude/add-pattern-detection-011CV3op6dBvEYh3vC1VUXTX branch 2 times, most recently from f33cfda to aece199 Compare June 9, 2026 12:05
@vlsi vlsi marked this pull request as ready for review June 9, 2026 12:25
CyberFerret scanned only text before, so binary files committed by
mistake (build outputs, archives) went unnoticed. The scanner now
reports each binary file as a BINARY_ARTIFACT finding and fails the
scan, so the CLI/pre-commit hook exits non-zero.

A file counts as binary when its first 16 KiB contains a NUL byte;
UTF-16 text is detected by its encoding and kept out of the check.
Supported image formats are scanned for embedded metadata instead of
being flagged. Legitimate binaries can be whitelisted with the new
(binary-exclude) dictionary key, a comma-separated list of file-name
regex patterns; the key applies to both the GUI and the CLI.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@vlsi vlsi force-pushed the claude/add-pattern-detection-011CV3op6dBvEYh3vC1VUXTX branch from aece199 to ba93096 Compare June 9, 2026 12:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants