binary-blob-audit

Scan tracked repository files for committed binary blobs and report reviewability/provenance exceptions

Stars: 141
Source: jmagly/aiwg
Updated: 2026-05-31
Slug: jmagly--aiwg--binary-blob-audit

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/jmagly/aiwg/HEAD/agentic/code/frameworks/security-engineering/skills/binary-blob-audit/SKILL.md -o .claude/skills/binary-blob-audit.md

Drops the SKILL.md into .claude/skills/binary-blob-audit.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

Binary Blob Audit

Scan source repositories for committed binary blobs. This enforces the no-binary-blobs rule and maps curl Practice 6 into an AIWG security-engineering control.

Execution Flow

  1. Run git ls-files -z to enumerate tracked files.
  2. For each file, collect size, MIME classification, and last touched commit.
  3. Flag binary MIME types and extension-blocklisted files: .so, .dll, .dylib, .exe, .bin, .dat, .o, .a, .jar, .war.
  4. Classify exceptions:
    • test/fixtures/** and tests/fixtures/** under the configured size cap.
    • assets/** images under the configured size cap.
    • SBOM/attestation files with a signature or provenance note.
  5. Emit a report with violations and allowed exceptions.
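The flow above as an added Python example (not the aiwg skill's own code). It assumes NUL-byte sniffing in place of a MIME classifier, a fixed set of image extensions for assets/**, and a caller-supplied set of SBOM/attestation paths in place of a signature check; the classifier is pure so it can be checked without a repository, and the `__main__` block mirrors the report-only and --fail-on-violation behaviour of the CI section.

```python
# Added example, not aiwg's own code: NUL-byte sniffing stands in for MIME classification.
import subprocess
import sys
from pathlib import Path, PurePosixPath

BLOCKLIST = {".so", ".dll", ".dylib", ".exe", ".bin", ".dat", ".o", ".a", ".jar", ".war"}
IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".webp"}  # assumed meaning of "images"
FIXTURE_DIRS = ("test/fixtures/", "tests/fixtures/")
REMEDIATION = "remove the blob and purge it from history; build from source or fetch it as a checksummed release artifact"

def looks_binary(head: bytes) -> bool:
    """Git's own diff heuristic: a NUL byte in the first 8000 bytes marks binary content."""
    return b"\x00" in head[:8000]

def classify(path: str, size: int, head: bytes, size_cap: int, attested=frozenset()) -> str:
    """One tracked file -> 'ok', 'violation', or the exception class that allows it."""
    ext = PurePosixPath(path).suffix.lower()
    if ext not in BLOCKLIST and not looks_binary(head):
        return "ok"
    if path in attested:  # assumed: caller supplies SBOM/attestation paths that carry a signature or provenance note
        return "exception:attested"
    if path.startswith(FIXTURE_DIRS) and size <= size_cap:
        return "exception:fixture"
    if path.startswith("assets/") and ext in IMAGE_EXT and size <= size_cap:
        return "exception:asset"
    return "violation"

def audit(repo: str = ".", size_cap: int = 256 * 1024, attested=frozenset()) -> list[dict]:
    """Enumerate with `git ls-files -z` (NUL-separated, so odd filenames survive) and report every non-'ok' file."""
    def git(*args: str) -> bytes:
        return subprocess.run(["git", "-C", repo, *args], check=True, capture_output=True).stdout
    findings = []
    for raw in filter(None, git("ls-files", "-z").split(b"\0")):
        rel, full = raw.decode(), Path(repo) / raw.decode()
        if not full.is_file():  # skip submodule entries
            continue
        with full.open("rb") as fh:
            size, head = full.stat().st_size, fh.read(8000)
        status = classify(rel, size, head, size_cap, attested)
        if status != "ok":
            last = git("log", "-1", "--format=%H", "--", rel).decode().strip()
            findings.append({"path": rel, "size": size, "last_commit": last, "status": status,
                             "remediation": REMEDIATION if status == "violation" else "allowed"})
    return findings

if __name__ == "__main__":
    report = audit()
    print(*report, sep="\n")
    # report-only by default; --fail-on-violation turns violations into a non-zero exit, as the CI gate does
    sys.exit(int("--fail-on-violation" in sys.argv and any(f["status"] == "violation" for f in report)))
```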

Output

Each finding includes path, MIME type, byte size, last touched commit, exception status, and remediation.

CI

Run in report-only mode first:

aiwg run skill binary-blob-audit

Gate new violations after baselining:

aiwg run skill binary-blob-audit -- --fail-on-violation

References

  • agentic/code/frameworks/security-engineering/rules/no-binary-blobs.md
  • .aiwg/security/curl-checklist-gap-analysis.md row 1, Practice 6