File scanning & analysis platform
  • Go 57.2%
  • Vue 23.5%
  • Python 13.5%
  • TypeScript 1.8%
  • Dockerfile 1.6%
  • Other 2.3%
Find a file
2026-06-17 19:57:14 +02:00
.devcontainer Add AGENTS.md and current working changes 2026-06-09 15:04:28 +02:00
cmd/migrate Add SQL migration tooling with golang-migrate 2026-06-10 11:18:01 +02:00
frontend Create proper dashboard with upload/download navigation and recent files list 2026-06-17 19:57:14 +02:00
scanners Add entropy/packer detection scanner 2026-06-17 19:49:47 +02:00
server Add entropy/packer detection scanner 2026-06-17 19:49:47 +02:00
tests Expand e2e test suite with rescan and diec verification 2026-06-10 10:58:37 +02:00
vendor vendored dependencies 2026-06-16 17:56:33 +02:00
.air.toml Update builds to use vendored Go dependencies 2026-06-16 18:05:54 +02:00
.dockerignore fix docker compose: build context, scanner rebuilds, env override, web host 2026-06-09 20:11:33 +02:00
.gitignore Ignore config.toml in git and remove from tracking 2026-06-15 18:39:24 +02:00
AGENTS.md Update AGENTS.md: clarify always-commit convention 2026-06-15 18:02:12 +02:00
config.example.toml Add admin password bootstrapping, container ownership checks, and start/stop loading states 2026-06-15 18:01:38 +02:00
docker-compose.yml Add PE/ELF binary metadata scanner 2026-06-16 18:31:15 +02:00
go.mod Add download container feature for fetching remote files 2026-06-14 11:24:17 +02:00
go.sum Add download container feature for fetching remote files 2026-06-14 11:24:17 +02:00
LICENSE Fix context deadline, add Yara-Forge rules, switch to GPLv3 2026-06-11 20:08:08 +02:00
Makefile Add packer-dev Makefile target and include in dev/dev-host/e2e 2026-06-17 19:52:51 +02:00
package-lock.json Replace web interface with Vue 3 SPA 2026-06-09 18:52:57 +02:00
package.json Replace web interface with Vue 3 SPA 2026-06-09 18:52:57 +02:00
README.md Add PDF analyser scanner using oletools pdfid 2026-06-16 18:16:26 +02:00
scoring.example.toml Include CAPA ATT&CK tactics and MBC in scoring 2026-06-12 14:44:43 +02:00
TODO.md Mark Enhanced Office analysis as done in TODO 2026-06-17 19:45:17 +02:00

Scanfile

Scanfile is a multi-engine file analysis web application. Users upload files, which are scanned in parallel by multiple analysis engines. Results are aggregated into a risk score and displayed through a web interface.

Features

  • Multi-engine scanning -- Files are analyzed by several engines simultaneously:
    • Basic properties (file type, hashes via libmagic)
    • Detect-It-Easy (file type detection, compiler/linker identification)
    • YARA rule matching (Yara-Forge full rule collection)
    • CAPA capability detection (MITRE ATT&CK, MBC)
    • Microsoft Office analysis (OLE, VBA macros, olevba)
    • ICAP-based external scanners (ClamAV antivirus)
    • Email analysis (header extraction, attachment scanning)
    • Archive content listing and extraction (ZIP, 7z, tar, RAR and more)
    • CAPEv2 sandbox integration (optional, submits PE/ELF files)
  • Aggregate risk scoring -- Scanner results are combined into a 0-100 score with configurable weights
  • Download controls -- Operators can toggle download permission per file; automatic download allowed below configurable score threshold
  • User management -- Three roles: user, operator, administrator
  • OAuth SSO -- Configurable OAuth providers with group-to-role mapping
  • ICAP server -- Built-in ICAP server for proxy integration, plus ICAP client to forward files to external scanners
  • Download container -- Optional browser-in-a-container (linuxserver/firefox) for isolated file downloads
  • REST API -- Full API with Swagger documentation at /swagger/
  • Web UI -- Vue 3 SPA with dark mode and mobile-responsive layout

Architecture

                    +-----------+
                    | PostgreSQL|
                    +-----+-----+
                          |
+-------------------+-----+----+-------------------+
| Go Server   (port 8080)     |                   |
| - REST API                   |                   |
| - Worker pool (async scans)  |                   |
| - User sessions + auth       |                   |
| - Scoring engine             |                   |
+----+----+----+----+----+----+                   |
     |    |    |    |    |                         |
+----+ +--+-+ +--+-+ +--+-+ +----+ +----+ +-------+  |
|File| |OLE| |CAPA| |YARA| |Clam| |Mail| |Archive|  |
|Scan| |Scan| |Scan| |Scan| |AV  | |Scan| |Scan   |  |
+----+ +----+ +----+ +----+ +----+ +----+ +-------+

Quick Start

Prerequisites

  • Go 1.26+
  • PostgreSQL 17+
  • Python 3.13+
  • Node.js 22+

Setup

make deps          # Install Go, Python, and Node dependencies

Copy and edit the configuration:

cp config.example.toml config.toml
cp scoring.example.toml scoring.toml
# Edit config.toml with your database credentials

Create the database and apply migrations:

createdb scanfile
make migrate-up

Running

Start the Go server (with auth bypass for development):

make run

Or start all services (Go server + scanner microservices):

make dev

The web UI is at http://localhost:3000 (Vite dev server proxies API calls to :8080).

Production Build

make build          # Builds Vue app and compiles Go server
./main.out          # Run the compiled binary

Configuration

Configuration uses TOML files with environment variable overrides (prefix SF_).

Key config sections

Section Description
[web] Server host, port, TLS, upload limits, download controls
[db] PostgreSQL connection
[auth] Authentication settings, OAuth providers
[processing] Scanner URLs, worker pool size, ICAP servers
[log] Log format and level

See config.example.toml for all options.

Scoring

The aggregate risk score (0-100) is configurable via scoring.toml:

  • YARA -- per-rule score, max contribution
  • CAPA -- per-capability score, per-tactic score, per-MBC score, specific capability overrides
  • ICAP -- score when infection detected
  • MSOffice -- fine-grained scores for verdict, VBA stomping, auto-exec macros, suspicious indicators, IOCs, encryption
  • CAPEv2 -- malscore and detection counts contribute to the aggregate score

See scoring.example.toml for defaults.

API

Full API documentation is available at /swagger/ when the server is running.

Key endpoints

Method Endpoint Description
POST /api/v0/submit Upload a file
POST /api/v0/submit-url Submit a file from a URL
GET /api/v0/files List files
GET /api/v0/files/{uuid} Get file details
PATCH /api/v0/files/{uuid} Update file metadata (operator+)
DELETE /api/v0/files/{uuid} Delete file
GET /api/v0/files/{uuid}/download Download file
GET /api/v0/files/{uuid}/properties Hashes and libmagic
GET /api/v0/files/{uuid}/diec Detect-It-Easy results
GET /api/v0/files/{uuid}/capa CAPA analysis
GET /api/v0/files/{uuid}/msoffice Office document analysis
GET /api/v0/files/{uuid}/yara YARA match results
GET /api/v0/files/{uuid}/icap ICAP scan results
GET /api/v0/files/{uuid}/cape CAPEv2 sandbox results
GET /api/v0/files/{uuid}/pdf PDF structural analysis
GET /api/v0/files/{uuid}/mail Email analysis results
GET /api/v0/files/{uuid}/archive Archive contents listing
POST /api/v0/files/{uuid}/archive/submit Extract and submit archive entry
POST /api/v0/files/{uuid}/rescan Re-run all scanners
POST /api/v0/files/{uuid}/rescan/{scanner} Re-run specific scanner
POST /api/v0/register Register user
POST /api/v0/login Login
POST /api/v0/logout Logout
GET /api/v0/me Current user info
PATCH /api/v0/me Update profile
GET /api/v0/jobs List processing jobs
GET /api/v0/jobs/{id} Get job details
POST /api/v0/jobs/{id}/retry Retry failed job
GET /api/v0/admin/users List users (admin)
PATCH /api/v0/admin/users/{id} Update user (admin)
DELETE /api/v0/admin/users/{id} Delete user (admin)
GET /api/v0/container/status Container feature status
POST /api/v0/container Start download container
GET /api/v0/container List download containers
DELETE /api/v0/container/{name} Stop download container
GET /api/v0/container/{name}/proxy/ Proxy to container web UI
GET /api/v0/container/{name}/downloads List container downloads
POST /api/v0/container/{name}/downloads/{filename} Submit container file
GET /api/v0/oauth/providers List OAuth providers
GET /api/v0/oauth/{provider} Initiate OAuth login
GET /api/v0/oauth/{provider}/callback OAuth callback

Scanner Microservices

Each scanner is an independent microservice:

Scanner Port Language Technology
File (basic) 5003 Python aiohttp, python-magic, die-python
OLE / MSOffice 5000 Python aiohttp, oletools
CAPA 5001 Python aiohttp, flare-capa
YARA 5002 Python aiohttp, yara-python
ClamAV (ICAP) 5004 Python aiohttp, clamd
Mail 5005 Python aiohttp, email
Archive 5006 Python aiohttp, py7zr, rarfile
PDF 5007 Python aiohttp, oletools (pdfid)

Docker

docker compose up -d

This starts all services: Go server, PostgreSQL, and all scanner microservices.

Development

make dev            # Start all services with live reload
make dev-host       # Same, but bind to 0.0.0.0 for LAN access
make vue-dev        # Vue dev server only
make watch          # Go server with air live reload

Testing

make test           # Unit tests (Go, Rust, Python)
make e2e-test       # End-to-end API tests via Hurl

Database Migrations

make migrate-up     # Apply pending migrations
make migrate-down   # Roll back last migration

API Documentation

make swagger-gen    # Regenerate Swagger docs from annotations

License

GPLv3 -- see LICENSE.