From 8da9de60f79fef06037722658d6987dbed3ce64b Mon Sep 17 00:00:00 2001
From: Aiden Mitchell <aiden@sublimesecurity.com>
Date: Wed, 15 Apr 2026 15:44:23 -0700
Subject: [PATCH] Add YARA rule compilation validation to CI

Adds a step to the rule validation workflow that compiles all YARA rules
using yarac, catching syntax errors before they are merged.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/rule-validate.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/.github/workflows/rule-validate.yml b/.github/workflows/rule-validate.yml
index 290344fdd90..7b17a2343c6 100644
--- a/.github/workflows/rule-validate.yml
+++ b/.github/workflows/rule-validate.yml
@@ -215,6 +215,24 @@ jobs:
 
           echo "All batches submitted successfully!"
 
+      - name: Validate YARA rules
+        if: github.event_name != 'issue_comment'
+        run: |
+          sudo apt-get install -y -qq yara > /dev/null 2>&1
+          failed=0
+          for f in yara/*.yar; do
+            echo "Validating $f..."
+            if ! yarac "$f" /dev/null; then
+              echo "::error file=$f::YARA rule failed to compile: $f"
+              failed=1
+            fi
+          done
+          if [[ $failed -eq 1 ]]; then
+            echo "One or more YARA rules failed to compile"
+            exit 1
+          fi
+          echo "All YARA rules compiled successfully!"
+
       - name: Verify no .yaml files exist
         if: github.event_name != 'issue_comment'
         run: |