Secure your GitHub repos in 1 minute!

Binfix Application Security Testing

Binfix is a DevSecOps tool for GitHub that integrates into your CI/CD workflow. It automatically detects binary data files, such as documents and images, and analyzes them without altering their content. Where changes are warranted, it creates a pull request accompanied by a detailed report explaining the modifications, which improves your understanding of the binary files in your repository and leaves you free to accept or reject the changes. It is free for private and public projects, for both individual users and corporate accounts.

How Binfix works

For every push to the default branch of your repository, Binfix works as follows:

  • The commits in the push are read and the binary files they touch are collected.
  • Each binary file is analyzed and transformed.
  • The transformed version of each binary file is committed to a new branch created from the head commit of the push.
  • A pull request is created from the new branch to the default branch.
  • The analysis result is available as a check run report, see e.g. this report in the demo repo.

Binfix Demo

Binfix Demo repository

Interested in how Binfix works and what the results look like? Check out the Binfix demo repo on GitHub to see the app in action. You can also read more in this blog post.


Installation instructions

Binfix should be installed on your account via the GitHub Marketplace. When installing, GitHub asks you to give the app access to all or some of your repositories.

To finalize your installation, please add a configuration file with the name .binfix.yml to each repository you want Binfix to run on. The configuration file should be placed in the root directory of the default branch. The default branch is usually called main or master.

The file may be empty. Binfix uses this file to determine whether it should analyze and propose improvements. Without it, it will not run. As we add features to Binfix, this file will contain filters and additional configuration.

Binfix creates a checkrun when changes can be made

Configuration options

excludes (mandatory: no; type: list)
  Exclude paths from analysis. Globbing patterns are accepted (?, * and ** as wildcards). If wildcards are used, the string must be wrapped in quotes.
  Example:
    excludes:
      - src/test/documentation/file.pdf
      - "**/test/resources/**"

includes (mandatory: no; type: list)
  Include paths for analysis. Globbing patterns are accepted (?, * and ** as wildcards). This option defines exceptions to the 'excludes' rules, since all paths are included by default. If 'excludes' is not defined, this option has no effect.
  Example:
    includes:
      - "src/test/resources/**.jpg"

version (mandatory: yes; type: scalar)
  The version of the configuration. If the version is missing, the configuration file is considered empty.
  Example:
    version: 1.0

How to use Binfix

Once all installation requirements are met and a selected repository contains a .binfix.yml file, Binfix will automatically analyze all supported files in each push to the default branch in that repository.

In practice, this means that every time a PNG, JPEG or PDF file is pushed to the main or master branch, Binfix analyzes those files. When it detects anything inside them that might be dangerous, non-standard, unnecessary or otherwise undesirable, it creates a pull request on GitHub and notifies you on the associated commit.
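Before committing a .binfix.yml, it is useful to dry-run the excludes/includes rules from the configuration table against the files of a planned push and see which supported files (PNG, JPEG, PDF) would actually be analyzed. The script below is an added example written for this page; it is not Binfix's own code. It assumes a conventional globbing interpretation (? and * match within one path segment, ** spans segments), which Binfix's real matcher may implement differently, and the sample configuration and file list are constructed for the demonstration.

```python
"""Dry-run of a .binfix.yml path filter (added example, not Binfix's code)."""
import re

# Constructed sample configuration mirroring the options in the table above.
SAMPLE_CONFIG = """\
version: 1.0
excludes:
  - src/test/documentation/file.pdf
  - "**/test/resources/**"
includes:
  - "src/test/resources/**.jpg"
"""

# Constructed list of paths touched by a hypothetical push.
PUSHED_FILES = [
    "docs/logo.png",
    "src/main/java/App.java",
    "src/test/documentation/file.pdf",
    "src/test/resources/fixture.pdf",
    "src/test/resources/photo.jpg",
    "README.md",
]

# File types the page says Binfix currently analyzes.
SUPPORTED_EXTENSIONS = (".png", ".jpg", ".jpeg", ".pdf")


def parse_config(text):
    """Parse the small YAML subset used by .binfix.yml: top-level scalars and
    top-level lists of strings. Quotes around list items are removed. A real
    YAML parser (e.g. PyYAML) would do; this keeps the example dependency-free."""
    config, current_list = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        item = re.match(r"^\s+-\s+(.*)$", line)
        if item and current_list is not None:
            config[current_list].append(item.group(1).strip().strip("\"'"))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            config[key] = value
            current_list = None
        else:
            config[key] = []
            current_list = key
    return config


def glob_to_regex(pattern):
    """Translate a globbing pattern to a regex. Assumed semantics: '?' and '*'
    stay within one path segment, '**' spans segments (Binfix may differ)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")   # zero or more leading directories
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def is_excluded(path, config):
    """All paths are included by default; 'includes' only re-admits paths that
    an 'excludes' rule removed, so it has no effect without 'excludes'."""
    excludes = config.get("excludes") or []
    includes = config.get("includes") or []
    if not excludes:
        return False
    if not any(glob_to_regex(p).match(path) for p in excludes):
        return False
    return not any(glob_to_regex(p).match(path) for p in includes)


def files_to_analyze(paths, config_text):
    """Return the pushed paths of a supported type that the filter lets through.
    A configuration without 'version' counts as empty, i.e. no filtering."""
    config = parse_config(config_text)
    if "version" not in config:
        config = {}
    return [p for p in paths
            if p.lower().endswith(SUPPORTED_EXTENSIONS) and not is_excluded(p, config)]


if __name__ == "__main__":
    for path in files_to_analyze(PUSHED_FILES, SAMPLE_CONFIG):
        print("would be analyzed:", path)
```

With the sample configuration, the two PDFs under src/test are filtered out by the excludes rules, photo.jpg is re-admitted by the includes exception, and logo.png passes untouched; non-binary sources are ignored regardless of the filter.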


Current Release and Supported File Types

This is an initial and experimental release of Binfix. The service may undergo some major changes as we adapt to issues arising from use in practice as well as from improving performance and functionality.

Currently Binfix supports 3 types of files: PNG, JPEG and PDF. This means that files of these types will be analyzed and improvements proposed whenever Binfix is active on a repository and files of those types are pushed to the default branch. The level of support for these file types varies:

  • PNG support is currently at Release Candidate. It is almost complete and supports many analyses and improvements.
  • JPEG support is currently at Beta. Files are already analyzed extensively, but we still plan a lot of additional features.
  • PDF support is currently at Alpha. A large test set of diverse files has been analyzed and improved to develop the current implementation, but a lot of work remains and is in progress.