The default SuspiciousFile analyzer currently runs for all input, even when scanning a directory, triggering false positives. Most of the SuspiciousFile detections are due to a hidden file being detected (starting with a dot), which is suspicious when inside a Python package (sdist, wheel, etc.) but completely normal when scanning, for example, a GitHub repo.
The suspicious file scan should be triggered only when the input data is an archive or a package scan - mirror:// or pypi:// URIs.
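A sketch of the gating proposed above, added here as an example and not taken from the project's code: the hidden-file check runs for `pypi://` / `mirror://` URIs and local archives, and is skipped for plain directories. The function names (`is_package_input`, `hidden_members`, `scan_local`, `demo`) and the sample files are assumptions constructed for illustration.

```python
import os
import tarfile
import tempfile
import zipfile
from urllib.parse import urlparse

PACKAGE_SCHEMES = {"pypi", "mirror"}  # URI schemes named in the issue

def is_package_input(target):
    """True for a package URI or a local archive file, False for directories."""
    scheme = urlparse(target).scheme
    if scheme in PACKAGE_SCHEMES:
        return True
    if scheme:  # any other URI kind is not covered by the issue (assumption)
        return False
    return os.path.isfile(target) and (
        zipfile.is_zipfile(target) or tarfile.is_tarfile(target))

def hidden_members(archive):
    """Dot-prefixed entries of a local zip/tar archive (wheel or sdist)."""
    if zipfile.is_zipfile(archive):
        with zipfile.ZipFile(archive) as zf:
            names = zf.namelist()
    else:
        with tarfile.open(archive) as tf:
            names = tf.getnames()
    hidden = lambda n: any(p.startswith(".") and p not in (".", "..")
                           for p in n.split("/"))
    return sorted(n for n in names if hidden(n))

def scan_local(target):
    """Run the hidden-file check only when the input is an archive."""
    if not is_package_input(target):
        return []  # e.g. a cloned repo, where .gitignore and .github/ are normal
    return hidden_members(target)

def demo():
    """Constructed samples: a wheel-like zip and a repo-like directory."""
    tmp = tempfile.mkdtemp()
    wheel = os.path.join(tmp, "pkg-1.0-py3-none-any.whl")
    with zipfile.ZipFile(wheel, "w") as zf:
        zf.writestr("pkg/__init__.py", "")
        zf.writestr("pkg/.hidden.pyc", "constructed")
    repo = os.path.join(tmp, "repo")
    os.makedirs(os.path.join(repo, ".github"))
    open(os.path.join(repo, ".gitignore"), "w").close()
    return scan_local(wheel), scan_local(repo)
```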