Binfix is a DevSecOps tool for GitHub that can easily be integrated into your CI/CD workflow. It automatically detects binary data file types, such as documents and images, and analyzes them without altering their content. If necessary, it will automatically create a pull request accompanied by a detailed report explaining the modifications. This increases your knowledge about binary data files and gives you the flexibility to accept or reject the changes. It is free for private and public projects, and available to both individual users and corporate accounts.
It works as follows, for every push in your repository on the default branch:
Interested in how Binfix works and what the results look like? Check out the Binfix demo repo on GitHub to see the app in action. You can also read more in this blog.
Binfix should be installed on your account via the GitHub Marketplace. When installing, GitHub asks you to give the app access to all or some of your repositories.
To finalize your installation, please add a configuration file with the name .binfix.yml to each repository you want Binfix to run on. The configuration file should be placed in the root directory of the default branch. The default branch is usually called main or master.
The file may be empty. Binfix uses this file to determine whether it should analyze and propose improvements. Without it, it will not run. As we add features to Binfix, this file will contain filters and additional configuration.
name | mandatory | type | description | example |
---|---|---|---|---|
excludes | NO | LIST | Exclude paths from analysis. Globbing patterns are accepted (e.g. ?, * and ** as wildcards). If wildcards are used the string must be wrapped in quotes. | excludes: - src/test/documentation/file.pdf - "**/test/resources/**" |
includes | NO | LIST | Include paths for analysis. Globbing patterns are accepted (e.g. ?, * and ** as wildcards). This option is to define exceptions to the 'excludes' rules, since all paths are included by default. If 'excludes' is not defined, this option has no effect. | includes: - "src/test/resources/**.jpg" |
version | YES | SCALAR | The version of the configuration. If a version is missing, the configuration file is considered empty. | version: 1.0 |
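To preview which files a given configuration leaves unanalyzed, the sketch below applies the rules from the table to a list of paths. It is an added example, not Binfix's own code: the function names are hypothetical, the configuration is passed as an already-parsed dictionary, and the glob semantics (`**` crossing directories, `*` and `?` staying within one path segment) are an assumption about how Binfix matches patterns.

```python
import re

def glob_to_regex(pattern):
    """Glob -> regex. Assumed semantics (not confirmed by Binfix):
    '**' crosses '/' boundaries; '*' and '?' stay inside one path segment."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")       # zero or more whole directories
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))

def matches_any(path, patterns):
    return any(glob_to_regex(p).fullmatch(path) for p in patterns)

def is_analyzed(path, config):
    """Apply the table's rules to one repository-relative path."""
    if not config or "version" not in config:
        config = {}                      # no version: file is considered empty
    excludes = config.get("excludes") or []
    includes = config.get("includes") or []
    if not matches_any(path, excludes):
        return True                      # all paths are included by default
    return matches_any(path, includes)   # includes only carve out exceptions

# Constructed sample built from the example column of the table.
CONFIG = {
    "version": 1.0,
    "excludes": ["src/test/documentation/file.pdf", "**/test/resources/**"],
    "includes": ["src/test/resources/**.jpg"],
}

def skipped(paths, config=CONFIG):
    """Paths that would NOT be analyzed under this configuration."""
    return [p for p in paths if not is_analyzed(p, config)]

if __name__ == "__main__":
    sample = ["docs/logo.png", "src/test/resources/a/b.png",
              "src/test/resources/a/c.jpg", "src/test/documentation/file.pdf"]
    print(skipped(sample))
```

Reviewing the skipped list before committing a broad exclude such as "**/test/resources/**" shows exactly which binary files will no longer be checked.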
Once all installation requirements are met and a selected repository contains a .binfix.yml file, Binfix will automatically analyze all supported files in each push to the default branch in that repository.
In practice, this means that every time a PNG, JPEG or PDF file is pushed to the main or master branch, Binfix will analyze it. When it detects anything inside those files that might be dangerous, non-standard, unnecessary or otherwise undesirable, it creates a Pull Request on GitHub and sends you a notification on the associated commit.
This is an initial and experimental release of Binfix. The service may undergo some major changes as we adapt to issues arising from use in practice as well as from improving performance and functionality.
Currently Binfix supports 3 types of files: PNG, JPEG and PDF. This means that files of these types will be analyzed and improvements proposed whenever Binfix is active on a repository and files of those types are pushed to the default branch. The level of support for these file types varies: