whatisgithub

What is aurscan?

manticore-projects/aurscan — explained in plain English

Analysis updated 2026-05-18

14GoAudience · developerComplexity · 3/5Setup · moderate

In one sentence

A command-line security scanner that checks Arch Linux AUR build scripts for malicious behavior before they run, using static rules plus an optional AI review.

Mindmap

mindmap
  root((repo))
    What it does
      Scans AUR build scripts
      Blocks malicious builds
      Wraps yay command
    Tech stack
      Go
    Use cases
      Pre-build safety check
      Catch known attack patterns
      Optional AI code review
    Audience
      Arch Linux users
    AI backends
      Claude Code CLI
      Anthropic API
      Local models

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Automatically scan an AUR package's build script for malicious patterns before installing it.

USE CASE 2

Block a package build that a static rule or AI review flags as suspicious.

USE CASE 3

Run entirely offline using static rules only, with no AI service required.

USE CASE 4

Use a local AI model to keep all package scanning data private on your own machine.

What is it built with?

Go

How does it compare?

manticore-projects/aurscangizmodata/adbc-driver-quackgokele/ovh
Stars141414
LanguageGoGoGo
Setup difficultymoderatemoderatemoderate
Complexity3/53/53/5
Audiencedeveloperdeveloperops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Static rules work with no setup, the optional AI review step needs either a Claude subscription, an API key, or a local model.

License terms are not stated in the explanation.

So what is it?

aurscan is a command-line security tool for Arch Linux users who install software from the AUR, the community-maintained repository where anyone can publish build scripts. Before your system actually builds and installs a package, aurscan reads the build instructions and checks them for signs of malicious behavior. The tool works in two stages. First, it runs a set of offline static rules to catch known attack patterns, this requires no internet connection and no AI service. Then it passes the build script and any helper files to an AI model, which reads the code and judges whether anything looks suspicious. The AI step is optional: if you have no model configured, the static rules alone still run and can block a build. In practice, aurscan plugs into yay, the most common AUR helper, by wrapping the yay command in a thin script called syay. When yay downloads a package's build instructions and normally hands them to your text editor for review, aurscan intercepts that step and runs its scan first. A clean verdict passes control through to your editor as usual, a flagged verdict exits with an error and aborts the build before any build-time code runs. For AI analysis the tool supports several backends: the Claude Code CLI (using your existing Claude subscription with no separate API key), a direct Anthropic API key, any local model running through a compatible interface such as Ollama or llama.cpp, or any custom command that reads a prompt from stdin. Running a local model keeps all package data entirely private on your machine. The README cites real incidents that motivated the project: in July 2025 attackers published AUR packages disguised as browser fixes that ran malware at build time, and in June 2026 a larger campaign compromised over 1,500 orphaned packages to deliver credential stealers and rootkits. aurscan encodes the patterns from those attacks in both its static rules and its AI prompt.

Copy-paste prompts

Prompt 1
Explain how aurscan integrates with yay to scan a package before it builds.
Prompt 2
Explain the difference between aurscan's static rule stage and its AI analysis stage.
Prompt 3
Walk me through configuring aurscan to use a local model instead of a cloud API key.
Prompt 4
Explain the real AUR attacks from 2025 and 2026 that this project says motivated it.
Prompt 5
List the AI backends aurscan supports for its analysis step.

Frequently asked questions

What is aurscan?

A command-line security scanner that checks Arch Linux AUR build scripts for malicious behavior before they run, using static rules plus an optional AI review.

What language is aurscan written in?

Mainly Go. The stack also includes Go.

What license does aurscan use?

License terms are not stated in the explanation.

How hard is aurscan to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is aurscan for?

Mainly developer.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.