Releases: forloopcodes/safe
Releases · forloopcodes/safe
Release list
v0.1.0 (2026-06-05)
0.1.0 (2026-06-05)
Initial release.
Features
- Inspect command - downloads and analyzes installer scripts without executing them
- Run command - analyzes then executes with a risk-based confirmation prompt
- Static analysis - detects privilege escalation, persistence, obfuscation, and network exfiltration patterns
- Vulnerability scanning - queries OSV (CVE database) and GitHub Advisory Database for known package vulnerabilities
- Domain reputation - matches installer hosts against a curated trusted database
- URLHaus lookup - checks download hosts against known malware distribution URLs
- VirusTotal integration - optional file hash lookups via API key
- Cloudflare Radar integration - optional domain ranking checks via API token
- Package manager support - recognizes npm, pip, and cargo install commands and resolves package metadata
- OpenSSF Scorecard - fetches security practice scores for linked GitHub repositories
- Energy-based scoring - findings contribute through exponential saturation, preventing linear score inflation
- CVE deduplication - duplicate CVEs across sources are collapsed to avoid double-counting
- Adaptive prompts -
[Y/n]for low/medium risk,[y/N]for high/critical risk,-yto skip - JSON output - machine-readable output with
--jsonflag - Config file - persistent API key storage in platform config directory via
safe set
CLI
safe inspect <source>- download and analyze without executionsafe run <command>- analyze then execute with confirmationsafe set <key> <value>- store API keys in config file
Project structure
src/
├── main.rs # Entrypoint and CLI routing
├── cli.rs # Subcommand definitions (clap)
├── command.rs # Input classifier (URL, curl-pipe, package manager)
├── source.rs # Downloader and installer type detection
├── analyzer.rs # Static analysis rules and scoring engine
├── executor.rs # Execution gates and interpreter dispatch
├── report.rs # Terminal and JSON output formatting
├── config.rs # Persistent config storage (API keys)
├── registry.rs # Package registry lookups (npm, GitHub, Scorecard)
└── reputation/ # External threat intelligence providers
├── domain.rs # Domain trust checks
├── urlhaus.rs # URLHaus malware URL database
├── osv.rs # Open Source Vulnerabilities (CVE database)
├── github_advisory.rs # GitHub Advisory Database
├── virustotal.rs # VirusTotal file hash lookups
└── cloudflare.rs # Cloudflare Radar domain ranking