This repository contains a script that analyzes the security-relevant aspects of an Arch Linux package build from its AUR PKGBUILD. It sends the collected data to the Google Generative Language (Gemini) API to produce an AI-assisted security analysis.
Features:
- Retrieve and analyze the PKGBUILD for a given package.
- Fetch detailed package information using `yay`.
- Query the AUR RPC API for package details.
- Generate a comprehensive Markdown report with:
  - PKGBUILD contents.
  - Package information (if AUR package).
  - AUR package details (if AUR package).
  - AI-generated security analysis.
Requirements:
- Arch Linux or an Arch-based distribution (for `yay`).
- `curl`, `jq`, and `yay` installed.
- An API key for Google's Generative Language API, stored in `~/.gcp_api_key`. Keep that file readable by your user only (`chmod 600 ~/.gcp_api_key`): anyone who can read it can spend your API quota.
Installation:
- Clone the repository:

      git clone https://github.com/yourusername/AUR-Package-Security-Analyzer.git
      cd AUR-Package-Security-Analyzer

- Make the script executable:

      chmod +x analyze_aur_package.sh

- Ensure your Google Cloud API key is saved in `~/.gcp_api_key`.
Usage:

    ./analyze_aur_package.sh <package_name>

Replace `<package_name>` with the name of the AUR package you want to analyze.
Example:

    ./analyze_aur_package.sh libngtcp2

The script writes a Markdown report named `<package_name>_report.md` to the `generated_report` directory; it contains the PKGBUILD, the package details, and the security analysis.
You can find several example Markdown reports in `example_reports`.
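The steps above (validate the package name, read the key file, gather the PKGBUILD, write a `<package_name>_report.md`) can be exercised offline with the following added example. It is not the repository's `analyze_aur_package.sh`: the function names (`valid_pkgname`, `key_file_private`, `pkgbuild_findings`, `write_report`) and the sample PKGBUILD are constructed for illustration, and the Gemini call is represented only by a placeholder section in the report. What it adds beyond the README is a static red-flag pass over the PKGBUILD (unverified `SKIP` checksums, plaintext `http://` sources, pipe-to-shell downloads, `sudo`, home-directory writes, `eval`/`base64` decoding) that is worth running before trusting any model output.

```shell
#!/bin/sh
# Added example, not the project's own script. Function names and the sample
# PKGBUILD below are hypothetical / constructed; everything runs offline.
set -u

# AUR package names may contain only a-z 0-9 @ . _ + - and may not start with
# '-' or '.', so a validated name is safe to hand to yay or an AUR RPC URL.
valid_pkgname() {
    case "$1" in
        ''|-*|.*|*[!a-z0-9@._+-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The key file must be readable by its owner only (mode 0600 or stricter):
# the group/other permission columns of `ls -l` must all be '-'.
key_file_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld -- "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Static red-flag scan of a PKGBUILD: prints one finding per line.
pkgbuild_findings() {
    f="$1"
    if grep -q "'SKIP'" "$f" && ! grep -q '^validpgpkeys=' "$f"; then
        echo "checksum 'SKIP' without validpgpkeys: source integrity is never verified"
    fi
    if grep -Eq "[\"']http://" "$f"; then
        echo "plaintext http:// source URL: download can be tampered with in transit"
    fi
    if grep -Eq '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba)?sh([[:space:]]|$)' "$f"; then
        echo "pipe-to-shell download: remote script executed without verification"
    fi
    if grep -Eq '(^|[[:space:];&|])sudo[[:space:]]' "$f"; then
        echo "sudo inside PKGBUILD: a build must never need root"
    fi
    if grep -Eq '\$HOME|~/|/home/' "$f"; then
        echo "home-directory reference: package functions should only write under \$srcdir and \$pkgdir"
    fi
    if grep -Eq '(^|[[:space:]])eval[[:space:]]|base64[[:space:]]+(-d|--decode)' "$f"; then
        echo "eval or base64 decode: possible obfuscated payload"
    fi
    return 0
}

# Constructed PKGBUILD showing several of the patterns above (not a real AUR package).
write_sample_pkgbuild() {
    cat > "$1" <<'EOF'
# Maintainer: constructed example <nobody@example.invalid>
pkgname=example-tool
pkgver=1.0
pkgrel=1
pkgdesc="Constructed example for the static scan"
arch=('x86_64')
source=("http://example.invalid/${pkgname}-${pkgver}.tar.gz")
sha256sums=('SKIP')

build() {
  cd "$srcdir/$pkgname-$pkgver"
  curl -fsSL https://example.invalid/install.sh | sh
}

package() {
  sudo cp -r "$srcdir/bin" /usr/local/bin
}
EOF
}

# Assemble the Markdown report; the AI section is a placeholder for Gemini output.
write_report() {
    pkg="$1"; pkgbuild="$2"; out="$3"
    bt='`'; fence="$bt$bt$bt"
    {
        echo "# Security report: $pkg"
        echo
        echo "## PKGBUILD"
        echo
        echo "${fence}bash"
        cat "$pkgbuild"
        echo "$fence"
        echo
        echo "## Static findings"
        echo
        found=$(pkgbuild_findings "$pkgbuild")
        if [ -n "$found" ]; then
            printf '%s\n' "$found" | sed 's/^/- /'
        else
            echo "- none"
        fi
        echo
        echo "## AI analysis"
        echo
        echo "_(Gemini output goes here. Send the key as an x-goog-api-key request header, not in the URL query string, so it does not land in proxy logs or shell history.)_"
    } > "$out"
}

# Stand-alone demo: scan the constructed PKGBUILD and print the report.
work=$(mktemp -d)
write_sample_pkgbuild "$work/PKGBUILD"
write_report example-tool "$work/PKGBUILD" "$work/example-tool_report.md"
cat "$work/example-tool_report.md"
rm -rf "$work"
```

On the constructed PKGBUILD the scan reports four findings (unverified `SKIP`, plaintext `http://` source, pipe-to-shell, `sudo`). A `SKIP` checksum is legitimate for a VCS source that is verified through `validpgpkeys`, which is why the check looks for both; the other patterns are rarely justified in a PKGBUILD and deserve a manual look regardless of what the model says.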
This project is licensed under the MIT License. See the LICENSE file for details.
Contributions are welcome! Please open an issue or submit a pull request.
This tool is intended to assist with security analysis but does not replace a thorough manual review: the AI-generated analysis can miss real issues or flag benign code, so treat it as a starting point rather than a verdict.