Risk audit

malys · November 18, 2025, 7:11pm

Risk Audit

Description

The Enhanced Risk Audit f for SilverBullet analyzes scripts for potentially dangerous constructs and API calls.
It provides a risk audit report that includes a trust score for each code block, a summary of findings, and a list of rules used to analyze scripts.

Commands

Security: Scan Current Page: Runs the scanner on the current page and generates a risk audit report.
Security: Scan All Children Pages: Scans all child pages of the current page and generates a risk audit report for each page.

Reports

audit1
audit2

Code

In my library,
https://github.com/malys/silverbullet-libraries/blob/main/src/RiskAudit.md

malys · November 18, 2025, 7:13pm

Rules and static analysis must be improved, but it seems correct.

malys · November 20, 2025, 10:41am

Massive improvements:

revert scoring
add more dangerous pattern

malys · November 20, 2025, 11:58am

add some screencasts

rharmonson · November 21, 2025, 8:20pm

I love the idea of auditing and appreciate you sharing your work. I will be taking a closer look at it in the near future.

malys · November 22, 2025, 10:00am

Feel free to contribute and to propose new checking rules.

ChenZhu-Xie · December 1, 2025, 1:53pm

Might it eventually be used as an optional default filter before/after SB imports a library?

This makes SB both powerful (lots of APIs) and secure (with API restrictions on calls).

malys · December 1, 2025, 7:19pm

yes a hook before to install imported script

alvarolm · January 10, 2026, 11:26pm

thanks !

malys · January 15, 2026, 12:47pm

I will update dependy analysis to integrate new internal api

malys · January 20, 2026, 6:46pm

Update! see changelog in md file.

performance
security checks improved
…

malys · January 21, 2026, 8:07am

@zef
I’m looking for a way to get dynamically the list of internal api (ex: string, net ) from space lua to know intenal global declaration.

From space lua, is it possible?

janssen-io · January 21, 2026, 9:15am

Is system.listSyscalls() what you are looking or at least usable for that purpose?

zef · January 21, 2026, 1:23pm

Not possible right now, but let me quickly see if I can expose the _G global variable (which is a Lua thing but I never implemented it).

zef · January 21, 2026, 1:33pm

From this commit you can access the global object via _G: Expose _G global variable in Space Lua · silverbulletmd/silverbullet@a89ab96 · GitHub (e.g. you can do table.keys(_G) to get a names of all top-level global variables)

malys · January 21, 2026, 4:34pm

You are very reactive. I suppose this commit is available on edge docker image? I will implement it in parallel of my current integration and switch on it to the next release.

It will be used in static code analysis and security code audit.
Many thanks

zef · January 21, 2026, 5:25pm

Yes, it’s on the edge builds already.

malys · January 24, 2026, 10:26am

Bug fixes and performance improvements
See changelog in md file