malwar 0.2.1__tar.gz

malwar-0.2.1/.dockerignore

@@ -0,0 +1,19 @@
+# Copyright (c) 2026 Veritas Aequitas Holdings LLC. All rights reserved.
+.git
+__pycache__
+.venv
+node_modules
+web/
+tests/
+docs/
+.github/
+*.pyc
+.env
+.env.*
+.mypy_cache
+.ruff_cache
+.pytest_cache
+htmlcov/
+*.db
+deploy/
+.claude/

malwar-0.2.1/.env.example

@@ -0,0 +1,27 @@
+# malwar configuration
+# Copy this file to .env and fill in values
+
+# Anthropic API key for LLM semantic analysis (Layer 3)
+MALWAR_ANTHROPIC_API_KEY=
+
+# API authentication keys (comma-separated)
+MALWAR_API_KEYS=
+
+# Database path (default: malwar.db in current directory)
+MALWAR_DB_PATH=malwar.db
+
+# API server settings
+MALWAR_API_HOST=127.0.0.1
+MALWAR_API_PORT=8000
+
+# LLM settings
+MALWAR_LLM_MODEL=claude-sonnet-4-20250514
+MALWAR_LLM_SKIP_BELOW_RISK=15
+
+# URL crawler settings
+MALWAR_CRAWLER_MAX_URLS=10
+MALWAR_CRAWLER_TIMEOUT=5.0
+
+# Logging
+MALWAR_LOG_LEVEL=INFO
+MALWAR_LOG_FORMAT=json

malwar-0.2.1/.github/FUNDING.yml

@@ -0,0 +1 @@
+github: [Ap6pack]

malwar-0.2.1/.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,53 @@
+name: Bug Report
+description: Report a bug in Malwar
+labels: ["bug"]
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: What happened?
+      placeholder: A clear description of the bug
+    validations:
+      required: true
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to Reproduce
+      description: How can we reproduce this?
+      placeholder: |
+        1. Run `malwar scan ...`
+        2. ...
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected Behavior
+      placeholder: What should have happened?
+    validations:
+      required: true
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual Behavior
+      placeholder: What actually happened?
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: Malwar Version
+      placeholder: "0.2.0"
+    validations:
+      required: true
+  - type: input
+    id: python
+    attributes:
+      label: Python Version
+      placeholder: "3.13"
+  - type: input
+    id: os
+    attributes:
+      label: Operating System
+      placeholder: "Ubuntu 24.04"

malwar-0.2.1/.github/ISSUE_TEMPLATE/detection_rule.yml

@@ -0,0 +1,55 @@
+name: Detection Rule Request
+description: Suggest a new detection rule
+labels: ["detection-rule", "enhancement"]
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: What attack pattern should be detected?
+      placeholder: Describe the threat this rule would catch
+    validations:
+      required: true
+  - type: dropdown
+    id: attack_type
+    attributes:
+      label: Attack Type
+      options:
+        - Obfuscation
+        - Prompt Injection
+        - Social Engineering
+        - Data Exfiltration
+        - Credential Theft
+        - Malware Delivery
+        - Supply Chain
+        - Persistence
+        - Other
+    validations:
+      required: true
+  - type: textarea
+    id: example
+    attributes:
+      label: Example SKILL.md Content
+      description: Provide a sample that demonstrates the attack pattern
+      render: markdown
+    validations:
+      required: true
+  - type: dropdown
+    id: expected_verdict
+    attributes:
+      label: Expected Verdict
+      options:
+        - MALICIOUS
+        - SUSPICIOUS
+        - CAUTION
+    validations:
+      required: true
+  - type: dropdown
+    id: severity
+    attributes:
+      label: Suggested Severity
+      options:
+        - Critical
+        - High
+        - Medium
+        - Low

malwar-0.2.1/.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,26 @@
+name: Feature Request
+description: Suggest a new feature for Malwar
+labels: ["enhancement"]
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: What feature would you like?
+      placeholder: A clear description of the feature
+    validations:
+      required: true
+  - type: textarea
+    id: use_case
+    attributes:
+      label: Use Case
+      description: Why do you need this?
+      placeholder: Describe the problem this would solve
+    validations:
+      required: true
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed Solution
+      description: How would you implement this?
+      placeholder: Optional — your ideas on how to solve it

malwar-0.2.1/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,19 @@
+## Description
+
+<!-- What does this PR do? -->
+
+## Type of Change
+
+- [ ] Bug fix
+- [ ] New feature
+- [ ] New detection rule
+- [ ] Documentation
+- [ ] Infrastructure / CI
+
+## Checklist
+
+- [ ] Tests added or updated
+- [ ] `ruff check src/ tests/` passes
+- [ ] `pytest tests/` passes
+- [ ] Copyright headers on new files
+- [ ] Documentation updated (if applicable)

malwar-0.2.1/.github/actions/scan-skills/action.yml

@@ -0,0 +1,115 @@
+# Copyright (c) 2026 Veritas Aequitas Holdings LLC. All rights reserved.
+#
+# Composite GitHub Action that scans SKILL.md files for malware using Malwar.
+
+name: "Malwar Skill Scanner"
+description: "Scan SKILL.md files in pull requests for malware, prompt injection, and other threats."
+branding:
+  icon: "shield"
+  color: "red"
+
+inputs:
+  path:
+    description: "Glob pattern for SKILL.md files to scan"
+    required: false
+    default: "**/SKILL.md"
+  fail-on:
+    description: "Verdict threshold that causes the action to fail (MALICIOUS, SUSPICIOUS, CAUTION)"
+    required: false
+    default: "SUSPICIOUS"
+  format:
+    description: "Output format: text, json, or sarif"
+    required: false
+    default: "text"
+
+outputs:
+  verdict:
+    description: "Worst verdict across all scanned files"
+    value: ${{ steps.scan.outputs.verdict }}
+  risk_score:
+    description: "Highest risk score across all scanned files"
+    value: ${{ steps.scan.outputs.risk_score }}
+  finding_count:
+    description: "Total number of findings across all scanned files"
+    value: ${{ steps.scan.outputs.finding_count }}
+  sarif_path:
+    description: "Path to SARIF output file (when format is sarif)"
+    value: ${{ steps.scan.outputs.sarif_path }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Set up Python 3.13
+      uses: actions/setup-python@v5
+      with:
+        python-version: "3.13"
+
+    - name: Install Malwar
+      shell: bash
+      run: pip install malwar
+
+    - name: Run Malwar scan
+      id: scan
+      shell: bash
+      run: |
+        python "${{ github.action_path }}/scan.py" \
+          --path "${{ inputs.path }}" \
+          --fail-on "${{ inputs.fail-on }}" \
+          --format "${{ inputs.format }}"
+
+    - name: Post PR comment
+      if: github.event_name == 'pull_request' && always()
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const verdict = '${{ steps.scan.outputs.verdict }}';
+          const riskScore = '${{ steps.scan.outputs.risk_score }}';
+          const findingCount = '${{ steps.scan.outputs.finding_count }}';
+
+          if (!verdict) return;
+
+          const icons = {
+            'CLEAN': ':white_check_mark:',
+            'CAUTION': ':warning:',
+            'SUSPICIOUS': ':orange_circle:',
+            'MALICIOUS': ':red_circle:'
+          };
+          const icon = icons[verdict] || ':question:';
+
+          const body = [
+            `## ${icon} Malwar Scan Results`,
+            '',
+            `| Metric | Value |`,
+            `|--------|-------|`,
+            `| **Verdict** | ${verdict} |`,
+            `| **Risk Score** | ${riskScore}/100 |`,
+            `| **Findings** | ${findingCount} |`,
+            '',
+            '*Scanned by [Malwar](https://github.com/Ap6pack/malwar) — malware detection for agentic AI skills.*'
+          ].join('\n');
+
+          const { data: comments } = await github.rest.issues.listComments({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            issue_number: context.issue.number,
+          });
+
+          const existing = comments.find(c =>
+            c.user.type === 'Bot' && c.body.includes('Malwar Scan Results')
+          );
+
+          if (existing) {
+            await github.rest.issues.updateComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              comment_id: existing.id,
+              body,
+            });
+          } else {
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body,
+            });
+          }

malwar-0.2.1/.github/actions/scan-skills/scan.py

@@ -0,0 +1,270 @@
+# Copyright (c) 2026 Veritas Aequitas Holdings LLC. All rights reserved.
+"""Malwar SKILL.md scanner for GitHub Actions.
+
+Finds files matching a glob pattern, scans each with the malwar SDK,
+and reports results in the requested format. Sets GitHub Action outputs
+and exits with code 1 if any file meets or exceeds the fail-on threshold.
+"""
+
+from __future__ import annotations
+
+import argparse
+import asyncio
+import json
+import logging
+import os
+import sys
+from glob import glob
+from pathlib import Path
+from typing import Any
+
+from malwar import __version__, scan
+from malwar.cli.formatters.sarif import scan_result_to_sarif
+from malwar.models.scan import ScanResult
+
+logger = logging.getLogger("malwar.action")
+
+# Verdict severity ordering (lowest to highest)
+VERDICT_ORDER: dict[str, int] = {
+    "CLEAN": 0,
+    "CAUTION": 1,
+    "SUSPICIOUS": 2,
+    "MALICIOUS": 3,
+}
+
+SARIF_OUTPUT_FILE = "malwar-results.sarif"
+
+
+def parse_args(argv: list[str] | None = None) -> argparse.Namespace:
+    """Parse command-line arguments."""
+    parser = argparse.ArgumentParser(
+        description="Scan SKILL.md files for threats using Malwar.",
+    )
+    parser.add_argument(
+        "--path",
+        default="**/SKILL.md",
+        help="Glob pattern for files to scan (default: **/SKILL.md)",
+    )
+    parser.add_argument(
+        "--fail-on",
+        default="SUSPICIOUS",
+        choices=["CAUTION", "SUSPICIOUS", "MALICIOUS"],
+        help="Verdict threshold that triggers failure (default: SUSPICIOUS)",
+    )
+    parser.add_argument(
+        "--format",
+        default="text",
+        choices=["text", "json", "sarif"],
+        dest="output_format",
+        help="Output format (default: text)",
+    )
+    return parser.parse_args(argv)
+
+
+def find_files(pattern: str) -> list[Path]:
+    """Find all files matching the glob pattern."""
+    matches = sorted(glob(pattern, recursive=True))
+    return [Path(m) for m in matches if Path(m).is_file()]
+
+
+def verdict_meets_threshold(verdict: str, threshold: str) -> bool:
+    """Return True if the verdict meets or exceeds the threshold."""
+    return VERDICT_ORDER.get(verdict, 0) >= VERDICT_ORDER.get(threshold, 0)
+
+
+def worst_verdict(verdicts: list[str]) -> str:
+    """Return the most severe verdict from a list."""
+    if not verdicts:
+        return "CLEAN"
+    return max(verdicts, key=lambda v: VERDICT_ORDER.get(v, 0))
+
+
+async def scan_files(files: list[Path]) -> list[tuple[Path, ScanResult]]:
+    """Scan all files and return (path, result) pairs."""
+    results: list[tuple[Path, ScanResult]] = []
+    for file_path in files:
+        content = file_path.read_text(encoding="utf-8")
+        result = await scan(
+            content,
+            file_name=str(file_path),
+            use_llm=False,
+            use_urls=False,
+        )
+        results.append((file_path, result))
+    return results
+
+
+def format_text(results: list[tuple[Path, ScanResult]]) -> str:
+    """Format scan results as human-readable text."""
+    if not results:
+        return "No SKILL.md files found to scan."
+
+    lines: list[str] = []
+    lines.append(f"Malwar Scan Results (v{__version__})")
+    lines.append("=" * 50)
+
+    for file_path, result in results:
+        lines.append("")
+        lines.append(f"File: {file_path}")
+        lines.append(f"  Verdict:    {result.verdict}")
+        lines.append(f"  Risk Score: {result.risk_score}/100")
+        lines.append(f"  Findings:   {len(result.findings)}")
+
+        for finding in result.findings:
+            lines.append(f"    - [{finding.severity.upper()}] {finding.title}")
+            if finding.location:
+                lines.append(f"      Line {finding.location.line_start}: {finding.description}")
+            else:
+                lines.append(f"      {finding.description}")
+
+    lines.append("")
+    lines.append("-" * 50)
+    all_verdicts = [r.verdict for _, r in results]
+    lines.append(f"Overall: {worst_verdict(all_verdicts)}")
+
+    return "\n".join(lines)
+
+
+def format_json(results: list[tuple[Path, ScanResult]]) -> str:
+    """Format scan results as JSON."""
+    output: list[dict[str, Any]] = []
+    for file_path, result in results:
+        output.append({
+            "file": str(file_path),
+            "verdict": result.verdict,
+            "risk_score": result.risk_score,
+            "finding_count": len(result.findings),
+            "findings": [
+                {
+                    "id": f.id,
+                    "rule_id": f.rule_id,
+                    "title": f.title,
+                    "severity": f.severity,
+                    "confidence": f.confidence,
+                    "description": f.description,
+                }
+                for f in result.findings
+            ],
+        })
+    return json.dumps(output, indent=2)
+
+
+def format_sarif(results: list[tuple[Path, ScanResult]]) -> str:
+    """Format scan results as SARIF 2.1.0 and write to file."""
+    if not results:
+        sarif: dict[str, Any] = {
+            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+            "version": "2.1.0",
+            "runs": [{
+                "tool": {
+                    "driver": {
+                        "name": "malwar",
+                        "version": __version__,
+                        "rules": [],
+                    }
+                },
+                "results": [],
+            }],
+        }
+    elif len(results) == 1:
+        _, result = results[0]
+        sarif = scan_result_to_sarif(result)
+    else:
+        # Merge multiple results into a single SARIF run
+        all_rules: list[dict[str, Any]] = []
+        all_results: list[dict[str, Any]] = []
+        seen_rules: set[str] = set()
+
+        for _, result in results:
+            single = scan_result_to_sarif(result)
+            run = single["runs"][0]
+            for rule in run["tool"]["driver"]["rules"]:
+                if rule["id"] not in seen_rules:
+                    seen_rules.add(rule["id"])
+                    all_rules.append(rule)
+            all_results.extend(run["results"])
+
+        sarif = {
+            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+            "version": "2.1.0",
+            "runs": [{
+                "tool": {
+                    "driver": {
+                        "name": "malwar",
+                        "version": __version__,
+                        "rules": all_rules,
+                    }
+                },
+                "results": all_results,
+            }],
+        }
+
+    sarif_str = json.dumps(sarif, indent=2)
+
+    # Write SARIF file to disk
+    Path(SARIF_OUTPUT_FILE).write_text(sarif_str, encoding="utf-8")
+
+    return sarif_str
+
+
+def set_github_output(name: str, value: str) -> None:
+    """Write a key=value pair to $GITHUB_OUTPUT."""
+    output_file = os.environ.get("GITHUB_OUTPUT")
+    if output_file:
+        with open(output_file, "a", encoding="utf-8") as f:
+            f.write(f"{name}={value}\n")
+
+
+def main(argv: list[str] | None = None) -> int:
+    """Entry point for the scan script."""
+    args = parse_args(argv)
+
+    # Discover files
+    files = find_files(args.path)
+    sys.stdout.write(f"Found {len(files)} file(s) matching '{args.path}'\n")
+
+    if not files:
+        set_github_output("verdict", "CLEAN")
+        set_github_output("risk_score", "0")
+        set_github_output("finding_count", "0")
+        sys.stdout.write("No files to scan. Exiting clean.\n")
+        return 0
+
+    # Run scans
+    results = asyncio.run(scan_files(files))
+
+    # Compute aggregates
+    verdicts = [r.verdict for _, r in results]
+    overall = worst_verdict(verdicts)
+    max_score = max((r.risk_score for _, r in results), default=0)
+    total_findings = sum(len(r.findings) for _, r in results)
+
+    # Format output
+    formatters = {
+        "text": format_text,
+        "json": format_json,
+        "sarif": format_sarif,
+    }
+    formatter = formatters[args.output_format]
+    output = formatter(results)
+    sys.stdout.write(output + "\n")
+
+    # Set GitHub Action outputs
+    set_github_output("verdict", overall)
+    set_github_output("risk_score", str(max_score))
+    set_github_output("finding_count", str(total_findings))
+    if args.output_format == "sarif":
+        set_github_output("sarif_path", SARIF_OUTPUT_FILE)
+
+    # Determine exit code
+    should_fail = verdict_meets_threshold(overall, args.fail_on)
+    if should_fail:
+        sys.stdout.write(f"\nFailed: verdict '{overall}' meets or exceeds threshold '{args.fail_on}'\n")
+        return 1
+
+    sys.stdout.write(f"\nPassed: verdict '{overall}' is below threshold '{args.fail_on}'\n")
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())