scurl 0.2.0

Secure curl - AI-powered security review for install scripts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89

# Usage Guide

For quick start, see the [README](README.md). This guide covers extended workflows.

## Ollama (Local AI)

Run analysis entirely on your machine with no API costs:

1. Install from [ollama.ai](https://ollama.ai)
2. Pull a model: `ollama pull llama3.2`
3. Start the server: `ollama serve`
4. Configure: `scurl login` and select Ollama

No API key needed. Works offline. Your scripts never leave your machine.

## Shell Selection

```bash
scurl --shell sh https://example.com/install.sh
scurl --shell zsh https://example.com/install.sh
```

## Inspect Without Executing

Run scurl, review the analysis, and answer "N" at the prompt. The script is never written to disk unless you approve execution.

## Shell Alias

```bash
# Add to ~/.bashrc or ~/.zshrc
alias curlbash='scurl'
```

## CI/CD

Override provider and key inline -- no `scurl login` needed:

```yaml
# GitHub Actions
- name: Install tool with scurl
  run: |
    scurl --provider anthropic --api-key ${{ secrets.ANTHROPIC_API_KEY }} \
      --auto-execute https://example.com/install.sh
```

```yaml
# GitLab CI
script:
  - scurl --provider xai --api-key $SCURL_API_KEY --auto-execute URL
```

## Testing Example Scripts

```bash
cd examples
python3 -m http.server 8000 &

scurl http://localhost:8000/safe-example.sh
scurl http://localhost:8000/suspicious-example.sh
scurl http://localhost:8000/realistic-example.sh
```

## Real-World Examples

```bash
# Homebrew
scurl -a https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh

# Rustup
scurl -a https://sh.rustup.rs

# NVM
scurl https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh

# Docker
scurl https://get.docker.com
```

## Troubleshooting

**"No configuration found"** -- Run `scurl login`.

**"API error 401"** -- Invalid API key. Run `scurl login` to reconfigure, or check with `scurl config`.

**"Unknown provider"** -- Valid providers: `anthropic`, `xai`, `openai`, `ollama`.

**Script executes but fails** -- scurl analyzes security, not correctness. A safe script can still have bugs or missing dependencies.

**Ollama connection refused** -- Ensure `ollama serve` is running and listening on `localhost:11434`.