v0.46.0 — drop-on-Kali binary + DB exporters
ShareSift v0.46.0 — combined ship covering engagement-DB exporters and the PyInstaller single-file binary breakthrough.
Headline
| Workflow | Before | After |
|---|---|---|
| Get findings into the report tool | grep + hand-format | sharesift export --format ghostwriter |
| Get findings into SysReptor | not supported | sharesift export --format sysreptor |
| Drop ShareSift on a fresh Kali box | pipx install + 100MB deps | wget .../sharesift && chmod +x |
| Binary size | 1.5 GB (v0.38 attempt) | 77 MB (20× smaller) |
| Tests passing | 1309 | 1309 |
Single-file binary (77 MB)
wget https://github.com/byevincent/ShareSift/releases/latest/download/sharesift
chmod +x sharesift
./sharesift --version
# sharesift 0.46.0
The binary covers score-paths, scan-files (rule + extractor), to-snaffler-tsv, sort, query, export. Operators wanting SMB-direct, network discovery, verify, content-classifier, or report rendering use pipx install 'sharesift[smb,network-enum,content-inference,verify,report]' instead.
The size shrink came from a minimal build venv (no torch transitive pulls) + aggressive PyInstaller excludes. Two gotchas worth recording: strip and upx corrupt scipy's OpenBLAS shared lib (binary crashes at import); --clean breaks PyInstaller's PYZ archive. Both documented in docs/v0p46_results.md.
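The two gotchas above can be encoded as a guard around the build. This is an added example, not ShareSift's own build script; the entry-point name, venv path and exclude list (module names for the components this page lists as excluded) are assumptions.

```sh
#!/bin/sh
# Added example, not ShareSift's build script. ENTRY, VENV and the exclude
# list are assumptions (module names taken from the "Excluded" list).
ENTRY="${ENTRY:-sharesift_entry.py}"    # hypothetical entry-point script
VENV="${VENV:-.build-venv}"             # hypothetical venv location
EXCLUDES="torch smbprotocol impacket requests paramiko ldap3 jwt boto3 jinja2"

# Print the PyInstaller arguments, one per line.
build_args() {
    printf '%s\n' --onefile --name sharesift --noupx
    for m in $EXCLUDES; do
        printf '%s\n' --exclude-module "$m"
    done
    printf '%s\n' "$ENTRY"
}

# Fail if an argument list would hit either gotcha recorded above.
check_args() {
    noupx=0
    for a in "$@"; do
        case "$a" in
            --noupx) noupx=1 ;;
            -s|--strip)
                echo "refusing $a: strip corrupts scipy's OpenBLAS lib" >&2
                return 1 ;;
            --clean)
                echo "refusing --clean: breaks the PYZ archive" >&2
                return 1 ;;
        esac
    done
    # Without --noupx, PyInstaller compresses with UPX when it finds one.
    [ "$noupx" -eq 1 ] || { echo "missing --noupx" >&2; return 1; }
}

# Build in a fresh venv holding only the base package and PyInstaller,
# then run the binary once: the corruption shows up as a crash at import.
build() {
    python3 -m venv "$VENV" &&
    "$VENV/bin/pip" install pyinstaller . &&
    set -- $(build_args) &&
    check_args "$@" &&
    "$VENV/bin/pyinstaller" "$@" &&
    ./dist/sharesift --version
}

# Only build when asked, so the file can be sourced to reuse check_args.
if [ "${RUN_BUILD:-0}" = 1 ]; then build; fi
```

Run it from a repository checkout with `RUN_BUILD=1`; the final `--version` call is the smoke test for the import crash described above.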
Engagement DB exporters
Three new formats off the v0.41 SQLite datastore:
sharesift export --db engagement.db --format markdown --output findings.md
sharesift export --db engagement.db --format ghostwriter --output findings.csv
sharesift export --db engagement.db --format sysreptor --output sysreptor.json
- Markdown — pastes into Dradis, GhostWriter, SysReptor, Notion, Slack, plain delivery docs
- GhostWriter CSV — direct CSV import; columns match the findings-page schema, tier maps to severity
- SysReptor JSON — projects/v1 envelope with lowercased severities
All three sort by tier > host > share > rel_path.
Path-prefix dedup deferred
Diagnostic showed MSF3 top-12-30 dominated by 19 copies of an Internet Explorer cache backup. Fixing requires either a path-prefix penalty or rule-action awareness (treat Yellow-from-Relay as Green); both are research-y patterns. v0.28's falsified extension-frequency hypothesis is the cautionary precedent. Top-10 already at 0.80 — not worth disturbing for a marginal gain. Re-open if a future benchmark shows the duplicate-backup pattern materially hurting top-K precision.
What's in the binary
Bundled at runtime:
- Stage 1 path classifiers (Windows + Linux LightGBM models, ~39 MB combined)
- Rule sets: snaffler_default.json (88 base) + extra_rules.json (v0.12 blind-spot + Gitleaks modern SaaS + v0.42 Linux gap closure)
Excluded (use pipx extras instead):
- Content classifier (torch, ~1.5 GB)
- SMB-direct (smbprotocol, ~30 MB)
- Network discovery (impacket, ~100 MB)
- Verifiers (requests/paramiko/ldap3/jwt/boto3, ~50 MB)
- Report rendering (jinja2)
Changelog
See CHANGELOG.md and docs/v0p46_results.md for the full write-up.
Honest assessment vs Snaffler
v0.45's assessment said ShareSift was technically on-par for most engagement workflows but lagged Snaffler on two fronts: "drop binary on a box" and "feed straight into the report." v0.46 closes both. Open gaps for v0.47+: status heartbeat on long scans, HTML report's Markdown twin, path-prefix dedup with rule-action awareness.
🤖 Generated with Claude Code