This file documents the detectors currently shipped in
packages/core/src/detectors/.
Rule-id format:
- Layer A + manifest/path rules:
obf.<name> - Layer B language-aware rules:
obf.<name>.<languageId>
Example: obf.decode-then-exec.python.
These run on any readable text file.
- Flags long string literals with high Shannon entropy.
- Severity:
warn.
- Flags Unicode bidi control characters (Trojan Source family).
- Severity:
block.
- Flags mixed-script identifiers (ASCII + confusable Cyrillic/Greek).
- Severity:
block.
- Flags very long source lines.
- Thresholds:
>= 2000chars (info),>= 10000chars (warn).
- Flags large arrays of encoded-looking string literals.
- Severity:
warn.
These use ctx.config values from packages/rules/languages/*.json.
- Flags decoder -> dynamic execution flow (direct, indirect, and co-located shapes).
- Severity:
block.
- Flags network IO feeding dynamic execution.
- Severity:
block.
- Flags dynamic execution with non-literal argument.
- Severity:
warn.
- Flags unsafe deserializer calls with non-literal arguments.
- Severity:
block.
- Flags file-level cluster: secrets-path + network, or shell + network.
- Severity:
warn.
- Flags JavaScript/TypeScript package code with C2 polling, decrypt-stage, write/chmod, and child-process launch signals.
- Severity:
block.
- Flags obfuscator-style string-array + decoder + sink pattern.
- Severity:
block.
- Flags shell execution with interpolated/concatenated command input.
- Severity:
warn.
- Flags dynamic library/module loading with non-literal target.
- Severity:
warn.
- Flags install/lifecycle hooks in:
package.jsoncomposer.json*.gemspec*.rockspec*.nuspec
- Severity:
warn, escalates toblockfor network-pipe-shell shapes.
- Flags suspicious top-level side effects in
setup.py. - Severity:
block.
- Flags suspicious top-level side effects in
Makefile.PL/Build.PL. - Severity:
block.
- Flags network behavior in
build.rs. - Severity:
block.
- Flags
curl|sh-style execution in GitHub Actions workflows. - Severity:
block.
- Flags
RUN curl|sh-style execution in Dockerfiles. - Severity:
block.
- The shipped engine does not run tree-sitter queries by default.
- Hosts can add AST-based custom detectors via
ScanOptions.detectorsand optionalRuleSet.loadGrammaroverrides.