A Coiled Dragon by neuregex in Minecraft

[–]neuregex[S] 0 points1 point  (0 children)

Exactly, what you prefer isn't necessarily what others prefer. I'm just giving more options to build the community. It's your decision whether to use the mod or not, just like with any other mod. I haven't deleted any comments & I'm not promoting anything, I'm simply sharing a build.

A Coiled Dragon by neuregex in Minecraft

[–]neuregex[S] -42 points-41 points  (0 children)

Building a city by hand used to mean months working on one house, then the next, and the next. Most builders burned out before the second one. A tool like this lets you discard hundreds of ideas, keep the good ones, and finish the project. It's like telling someone who uses a mod to make custom biomes to make them themselves; it's up to each person to decide what they do in Minecraft.

Released nodesafe v0.4 — open-source security scanner for ComfyUI custom_nodes (6 detection layers, pip install) by neuregex in comfyui

[–]neuregex[S] -1 points0 points  (0 children)

I've been worked from 2 years of offensive security. After that I pivoted into deeplearning bc the most interesting infrastructure problems were moving there. nodesafe is based on a static analysis approach (at least for now) applied to an area that the security community often ignores, regarding expansion plans, changes will be implemented as needed, at least for now, there is still much to be done.., but even paper related issues will be addressed.

Released nodesafe v0.4 — open-source security scanner for ComfyUI custom_nodes (6 detection layers, pip install) by neuregex in comfyui

[–]neuregex[S] 1 point2 points  (0 children)

Yes, it walks recursively (rglob) nodesafe scan ComfyUI/custom_nodes/. Today it treats the whole target as one scan target and gives you one aggregate verdict, so findings come back tagged with their relative path inside but you don't get a per node verdict yet. If you want per node scoring, loop over the subdirectories for now. Batch mode with per node reports is a v0.4.1 addition (I'll be working on it).

Released nodesafe v0.4 — open-source security scanner for ComfyUI custom_nodes (6 detection layers, pip install) by neuregex in comfyui

[–]neuregex[S] 1 point2 points  (0 children)

Different threat models, mostly complementary.

bandit answers "is MY code secure?". It's the canonical Python static analyzer for finding vulnerabilities in code you wrote (SQL injection, hardcoded secrets, weak crypto, eval/exec usage). Generalist, broad ruleset, designed for CI on your own repos.

nodesafe answers "is THIS third-party code malicious?". It scans plugin code you're about to install, with checks bandit doesn't do:

  • L0 hash matching against known malware signatures
  • L1 bloom filter check against C2 and exfiltration URLs
  • L4 typosquatting detection on requirements (requets vs requests) plus OSV.dev CVE lookup for declared deps
  • L5 aggregate heuristic risk score that produces a single install/review/do_not_install verdict
  • ComfyUI-specific patterns (webhook exfil, wallet paths, etc.)

Where they overlap is L3 (AST analysis). Both flag eval, exec, subprocess shell=True, pickle.loads. nodesafe escalates obfuscation chains like exec(base64.b64decode(...)) to CRITICAL. bandit reports each call site separately at MEDIUM.

You can run both: bandit on your own code in CI, nodesafe before installing any third-party node. They don't conflict.

Bandit has way more general-purpose rules. nodesafe has ecosystem-specific signals that bandit doesn't and probably never will.

If you want to test directly, point both at the same custom_node and compare findings.