Pre-commit hook to detect GlassWorm-style invisible Unicode attacks (variation selectors, bidi controls, zero-width chars)
pre-commit-glassworm
A pre-commit hook that detects GlassWorm-style supply-chain attacks: invisible Unicode characters, variation selectors, Trojan Source (CVE-2021-42574), and zero-width characters that can hide malicious code from reviewers and many automated scanners.
What it catches
- Variation Selectors (U+FE00–U+FE0F): GlassWorm's primary technique
- Variation Selectors Supplement (U+E0100–U+E01EF)
- Bidi controls (U+202A–U+202E, U+2066–U+2069): Trojan Source
- Zero-width characters (U+200B–U+200F, U+2060–U+2064, U+180E)
- BOM mid-file (U+FEFF): valid at file start, flagged anywhere else
- Replacement character (U+FFFD)
- Other format characters (Unicode category Cf)
Installation
As a pre-commit hook
Add to .pre-commit-config.yaml:
```yaml
repos:
  - repo: https://github.com/solaegis/pre-commit-glassworm
    rev: v0.1.0  # pin to a tag for reproducible installs
    hooks:
      - id: glassworm
```
Then:
```sh
pre-commit install
```
Using glassworm with prek
If you prefer using prek instead of pre-commit, you can define a prek.toml file:
```toml
[[repos]]
repo = "https://github.com/solaegis/pre-commit-glassworm"
rev = "v0.1.0"  # pin to a tag for reproducible installs
hooks = [{ id = "glassworm" }]
```
Then run prek install. Your existing .pre-commit-config.yaml also works with prek unchanged.
Standalone
```sh
uv add pre-commit-glassworm
# or: pip install pre-commit-glassworm

glassworm path/to/file.py path/to/other.js
glassworm src/              # scan a directory recursively
cat file.py | glassworm     # read from stdin
```
Configuration
Optional config in pyproject.toml or .glassworm.toml:
```toml
[tool.glassworm]
severity = "error"  # "error" | "warning"
```

- severity = "error": exit 1 on findings (blocks the commit)
- severity = "warning": exit 0 and print a warning (allows the commit)
CLI options
```sh
glassworm [OPTIONS] [FILES...]
```

| Flag | Description |
|---|---|
| --severity | Override: error or warning |
| --config | Path to config file |
| --format | Output format: text (default) or json |
| -v, --verbose | Per-file summary |
| -q, --quiet | Summary only |
| --version | Show version and exit |
JSON output
For CI/SARIF integration:
```sh
glassworm --format json src/
```
Returns a JSON array of finding objects with path, line, column, codepoint, hex_repr, name, category, and unicode_category.
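As an added illustration of both the "What it catches" list and the finding fields above (example code, not the project's own implementation), the scanner below flags every listed range, treats a BOM as legitimate only at offset 0, falls back to the Cf category for anything else, and emits findings with the same field names as the hook's JSON output. The category labels and the `<unnamed>` fallback are this example's own choices.

```python
import json
import sys
import unicodedata

# Added example, not pre-commit-glassworm's code. Ranges follow the README's
# "What it catches" list; the category labels are our own naming.
RANGES = [
    (0xFE00, 0xFE0F, "variation_selector"),
    (0xE0100, 0xE01EF, "variation_selector_supplement"),
    (0x202A, 0x202E, "bidi_control"),
    (0x2066, 0x2069, "bidi_control"),
    (0x200B, 0x200F, "zero_width"),
    (0x2060, 0x2064, "zero_width"),
    (0x180E, 0x180E, "zero_width"),
    (0xFFFD, 0xFFFD, "replacement_character"),
]

def classify(cp, offset):
    """Category name if the codepoint should be flagged, else None."""
    for lo, hi, cat in RANGES:
        if lo <= cp <= hi:
            return cat
    if cp == 0xFEFF:  # BOM: legitimate only as the file's very first character
        return None if offset == 0 else "bom_mid_file"
    if unicodedata.category(chr(cp)) == "Cf":  # any other format character
        return "format_character"
    return None

def scan_text(text, path="<stdin>"):
    """Return finding dicts shaped like the hook's JSON output."""
    findings, offset = [], 0
    for lineno, line in enumerate(text.splitlines(keepends=True), 1):
        for col, ch in enumerate(line, 1):
            cat = classify(ord(ch), offset)
            if cat:
                findings.append({
                    "path": path, "line": lineno, "column": col,
                    "codepoint": ord(ch), "hex_repr": f"U+{ord(ch):04X}",
                    "name": unicodedata.name(ch, "<unnamed>"),
                    "category": cat, "unicode_category": unicodedata.category(ch),
                })
            offset += 1
    return findings

if __name__ == "__main__":
    # Usage: python scan.py FILE... ; exits 1 on findings, like severity=error
    hits = []
    for p in sys.argv[1:]:
        hits += scan_text(open(p, encoding="utf-8").read(), p)
    print(json.dumps(hits, indent=2))
    sys.exit(1 if hits else 0)
```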
CI integration
```sh
pre-commit run --all-files
```
Commitizen and version bump
This project uses Commitizen for Conventional Commits:
```sh
pre-commit install --hook-type commit-msg
```
Version bump via Taskfile:
```sh
task bump        # infer from conventional commits since the last tag
task bump:patch  # force patch (0.0.X)
task bump:minor  # force minor (0.X.0)
task bump:major  # force major (X.0.0)
```
Publishing to PyPI
```sh
# 1. Create .env with your PyPI token:
#    UV_PUBLISH_TOKEN=pypi-...
# 2. Or copy from the example:
cp .env.example .env
# Edit .env and add your token
# 3. Build and publish
task publish
```
.env is gitignored. task publish loads it automatically.
License
MIT – see LICENSE.
File details
Details for the file pre_commit_glassworm-0.1.0.tar.gz.
- Download URL: pre_commit_glassworm-0.1.0.tar.gz
- Size: 7.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.9.18 (macOS)
File details
Details for the file pre_commit_glassworm-0.1.0-py3-none-any.whl.
- Download URL: pre_commit_glassworm-0.1.0-py3-none-any.whl
- Size: 9.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.9.18 (macOS)