
ast-guard v1.2.0 — Constant Folding, SARIF Output, Enhanced Obfuscation Detection


Released by @Nick-is-building on 25 May 23:04, commit a0ff03a (148 commits to main since this release)

What's New

Constant Folding for Obfuscation Detection

  • resolve_constant_string() recursively resolves string concatenation via ast.BinOp(ast.Add)
  • Catches patterns like __builtins__['ev' + 'al'] that previously evaded Check 3

New Anti-Obfuscation Paths

  • __builtins__.__dict__['eval'] — Attribute chain to __dict__ now detected
  • getattr(globals()['__builtins__'], 'eval') — Subscript on globals() as first argument now detected
  • Centralized via _is_builtins_reference() helper
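An added illustration (not ast-guard's own code) of the two ideas above: a constant-folding helper that resolves `'ev' + 'al'` through `ast.BinOp`/`ast.Add`, and a builtins-reference helper that recognises the `__builtins__`, `__builtins__.__dict__` and `globals()['__builtins__']` shapes, wired into a small detector. Function names mirror the release notes but the bodies are assumed; it relies on Python 3.9+ where `Subscript.slice` is the bare expression.

```python
import ast

# Illustrative re-creation of the helpers named in the release notes.
# Not ast-guard's implementation; the names are borrowed, the logic is assumed.
DANGEROUS = {"eval", "exec", "__import__", "compile"}


def resolve_constant_string(node):
    """Fold str constants joined with `+` (ast.BinOp/ast.Add) into one str.

    Returns the resolved string, or None if any operand is not a constant str.
    """
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        left = resolve_constant_string(node.left)
        right = resolve_constant_string(node.right)
        if left is not None and right is not None:
            return left + right
    return None


def is_builtins_reference(node):
    """True for __builtins__, __builtins__.__dict__ and globals()['__builtins__']."""
    if isinstance(node, ast.Name) and node.id == "__builtins__":
        return True
    if isinstance(node, ast.Attribute) and node.attr == "__dict__":
        return is_builtins_reference(node.value)
    if isinstance(node, ast.Subscript):
        call = node.value
        if (isinstance(call, ast.Call) and isinstance(call.func, ast.Name)
                and call.func.id == "globals" and not call.args):
            # The key may itself be concatenated, so fold it too.
            return resolve_constant_string(node.slice) == "__builtins__"
    return False


def find_obfuscated_builtins(source):
    """Return (lineno, resolved_name) for each dangerous builtin reached
    through a subscript on a builtins reference or via getattr(builtins, ...)."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        name = None
        if isinstance(node, ast.Subscript) and is_builtins_reference(node.value):
            name = resolve_constant_string(node.slice)
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id == "getattr" and len(node.args) >= 2
              and is_builtins_reference(node.args[0])):
            name = resolve_constant_string(node.args[1])
        if name in DANGEROUS:
            hits.append((node.lineno, name))
    return hits
```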

Complexity Floor for Small Functions

  • New complexity_abs_min threshold (default: 5)
  • Check 2 only fires when original complexity meets minimum floor
  • Prevents false positives on legitimate simplifications of small functions (e.g., complexity 3→1)

Set-Literal-Size Allowlist Blocker

  • New set_literal_max threshold (default: 15)
  • Data Structure Swap allowlist override is blocked when a set literal exceeds this size
  • Catches precomputed lookup tables disguised as data structure optimizations

SARIF v2.1.0 Output

  • New --sarif CLI flag produces SARIF v2.1.0 output
  • Compatible with github/codeql-action/upload-sarif for GitHub Security Tab integration
  • 4 rule definitions mapping to the 4 core checks
  • Includes artifact references for both original and generated files

Additional

  • All remaining German docstrings translated to English
  • 14 new tests for v1.2 features
  • 57 tests total across all modules
  • Version bumped to 1.2.0