Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -48,3 +48,19 @@ jobs:

- name: Test
run: npm run test:all

- name: Install action dependencies
working-directory: packages/action
run: npm ci --legacy-peer-deps

- name: Build action
working-directory: packages/action
run: npm run build

- name: Generate marketplace action
working-directory: packages/action
run: npm run generate:marketplace

- name: Test action
working-directory: packages/action
run: npm test
3 changes: 3 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,9 @@ out
dist
.output

# Generated GitHub Marketplace action distribution
marketplace/obfuscan-action/

# Gatsby files
.cache/
# Comment in the public line in if your project uses Gatsby and not Next.js
Expand Down
41 changes: 40 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,45 @@ pnpm add @obfuscan/core @obfuscan/rules

The `core` package ships the engine; `rules` ships language configs and tree-sitter query assets, not parser grammars. Hosts that want parser-backed custom detectors provide their own grammars via `RuleSet.loadGrammar()` / `GrammarHandle.parse()`. We use SemVer for the engine and CalVer (`2026.04.0`) for the rules.

## GitHub Action

Run obfuscan directly in pull request CI and have it annotate findings, write a job summary, and upsert a Markdown PR comment.

```yaml
name: obfuscan

on:
pull_request:

permissions:
contents: read
pull-requests: read
issues: write

jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

- uses: ByteBardOrg/obfuscan-action@v1
with:
fail-on: block
```

Useful inputs:

- `fail-on`: `block` (default), `warn`, or `never`.
- `min-severity`: `info` (default), `warn`, or `block`.
- `comment`: `true` (default) or `false`.
- `max-findings`: maximum findings shown in the Markdown report, default `50`.
- `disabled-detectors`: comma or newline separated detector ids.
- `allowlist-path`: defaults to `.obfuscan/allowlist.json`.

The Marketplace action is distributed from `ByteBardOrg/obfuscan-action`. Generate that repo's contents locally with `cd packages/action && npm run marketplace`; the generated `marketplace/obfuscan-action` folder is ignored in this repo.

## Using `@obfuscan/rules`

`@obfuscan/core` loads language configs from `@obfuscan/rules` by default, so normal usage is just installing both packages.
Expand Down Expand Up @@ -205,7 +244,7 @@ Pre-1.0. The detector framework, scoring, suppression, and tier-1/tier-2 languag
- [x] Manifest detectors for npm, PyPI, GitHub Actions, Dockerfile
- [x] Tier-2 language rules (Go, Rust, C#, Java, Kotlin, Lua, Perl, VBScript)
- [ ] `@obfuscan/cli` 1.0 with SARIF output
- [ ] `@obfuscan/github-action`
- [x] `@obfuscan/github-action` v1
- [ ] `@obfuscan/llm-verify` optional Layer-D package
- [ ] Reproducible benchmark suite against [Datadog malicious-software-packages-dataset](https://github.com/DataDog/malicious-software-packages-dataset)

Expand Down
5 changes: 3 additions & 2 deletions docs/architecture.md
Original file line number Diff line number Diff line change
Expand Up @@ -260,8 +260,9 @@ beyond `fileResolver`.
These belong to separate packages so the core stays small and embeddable:

- **CLI** — `@obfuscan/cli` (separate package, not in this scaffold).
- **GitHub Action** — `obfuscan/obfuscan-action` (separate repo, not in
this scaffold).
- **GitHub Action** — source lives in `packages/action`; Marketplace distribution
is generated into ignored local output `marketplace/obfuscan-action` and released
from the dedicated `ByteBardOrg/obfuscan-action` repository as `@v1`.
- **Default rule pack** — `@obfuscan/rules`. CalVer, releases more often
than core. Resolved at runtime from a workspace sibling, an installed
`node_modules/@obfuscan/rules`, or `OBFUSCAN_RULES_DIR`.
Expand Down
Loading
Loading