Closed egibs closed 2 months ago
FWIW, we're always going to want to turn off false-positives, as our rules are designed to match any program. From https://yara-ci.cloud.virustotal.com/configuration/false_negatives/
```yaml
false_positives:
  disabled: true
```
As far as the false negatives, go ahead and leave them for now. I'll probably just end up removing them and resetting the hashes. I had initially populated most of them with https://github.com/chainguard-dev/yato - a PoC which later inspired bincapz.
I've enabled it - sending out a cleanup PR imminently. Thanks for opening this!
The YARA-CI app can be used to scan all of the Yara rules in a given repository and provide feedback on any issues as well as false positive and negative reports.
Initially this should be non-blocking since there are current warnings/failures.
Here's an example from my fork:
Checks:

![CleanShot 2024-05-04 at 13 03 36@2x](https://github.com/chainguard-dev/bincapz/assets/20933572/10ef623f-69bd-45c7-9198-7b5b99e0c46f)
Configuration docs: