This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
A Go CLI tool using YARA-X for high-performance scanning of gzipped tarballs and directories. Named after the slamhound in William Gibson's Count Zero.
Requires the YARA-X C library (libyara_x_capi), headers, and pkgconfig installed to a standard path (e.g. /usr/local).
Build:
make build
Output binary: bin/slamhound
Test (all):
make test
Test (single package):
go test -v ./pkg/slamhound/
cmd/slamhound— CLI entry point. Parses flags (-rule,-rules,-skiplist,-profile-cpu,-profile-mem), determines if target is archive or directory, dispatches to scanner.pkg/slamhound— Core scanner.Houndstruct holds config and compiled YARA-X rules. Two scanning modes:ScanArchive→inMemoryScan: streams tar.gz contents, scans each file entry in memory via pgzip.ScanDirectory→fileWalkScan: concurrent directory walk with 32 parallel workers, each with its ownyara_x.Scannerinstance.
pkg/cfg— Configuration loading and validation. Enforces mutual exclusivity of-ruleand-rulesflags.pkg/untar— Archive utilities including skiplist matching (IsSkippable), zip-slip prevention (IsIllegalPath), and full extraction (Untar).
- YARA-X global variables
filenameandfilepathare set per-scan viascanner.SetGlobal()inpipeline.go. - Rules can be a single file (
.yara/.yar) or a directory compiled recursively. - Results are JSON-formatted:
{"path":"...","matches":["namespace.rulename"]}. - Uses
klauspost/pgzipfor parallel gzip decompression and stdlibfilepath.WalkDirfor directory traversal. - Logging via
log/slogwith structured output.
Module path: github.com/mble/slamhound (go 1.26).