Skip to content

Releases: forloopcodes/safe

v0.1.0 (2026-06-05)

Choose a tag to compare

@forloopcodes forloopcodes released this 05 Jun 12:52

0.1.0 (2026-06-05)

Initial release.

Features

  • Inspect command - downloads and analyzes installer scripts without executing them
  • Run command - analyzes then executes with a risk-based confirmation prompt
  • Static analysis - detects privilege escalation, persistence, obfuscation, and network exfiltration patterns
  • Vulnerability scanning - queries OSV (CVE database) and GitHub Advisory Database for known package vulnerabilities
  • Domain reputation - matches installer hosts against a curated trusted database
  • URLHaus lookup - checks download hosts against known malware distribution URLs
  • VirusTotal integration - optional file hash lookups via API key
  • Cloudflare Radar integration - optional domain ranking checks via API token
  • Package manager support - recognizes npm, pip, and cargo install commands and resolves package metadata
  • OpenSSF Scorecard - fetches security practice scores for linked GitHub repositories
  • Energy-based scoring - findings contribute through exponential saturation, preventing linear score inflation
  • CVE deduplication - duplicate CVEs across sources are collapsed to avoid double-counting
  • Adaptive prompts - [Y/n] for low/medium risk, [y/N] for high/critical risk, -y to skip
  • JSON output - machine-readable output with --json flag
  • Config file - persistent API key storage in platform config directory via safe set

CLI

  • safe inspect <source> - download and analyze without execution
  • safe run <command> - analyze then execute with confirmation
  • safe set <key> <value> - store API keys in config file

Project structure

src/
├── main.rs              # Entrypoint and CLI routing
├── cli.rs               # Subcommand definitions (clap)
├── command.rs           # Input classifier (URL, curl-pipe, package manager)
├── source.rs            # Downloader and installer type detection
├── analyzer.rs          # Static analysis rules and scoring engine
├── executor.rs          # Execution gates and interpreter dispatch
├── report.rs            # Terminal and JSON output formatting
├── config.rs            # Persistent config storage (API keys)
├── registry.rs          # Package registry lookups (npm, GitHub, Scorecard)
└── reputation/          # External threat intelligence providers
    ├── domain.rs        # Domain trust checks
    ├── urlhaus.rs       # URLHaus malware URL database
    ├── osv.rs           # Open Source Vulnerabilities (CVE database)
    ├── github_advisory.rs # GitHub Advisory Database
    ├── virustotal.rs    # VirusTotal file hash lookups
    └── cloudflare.rs    # Cloudflare Radar domain ranking