linPEAS-flake¶
Personal Nix-flake wrapper around peass-ng/PEASS-ng linpeas.sh. All credit for LinPEAS itself belongs to the PEASS-ng authors.
Pin
20260510-cd4bd619
Drift
0 days
Latest release
20260510-cd4bd619
Upstream parity
success
Install¶
Persistent: nix profile install github:rvenutolo/linPEAS-flake. Full options on the Nix install page.
Tag-pinned alternatives on the Docker install page.
curl --location \
https://github.com/rvenutolo/linPEAS-flake/releases/latest/download/linpeas-bundle.sh \
--output linpeas
chmod +x linpeas
./linpeas -a
Details on the bundle install page.
{
inputs.linpeas-flake.url = "github:rvenutolo/linPEAS-flake";
}
# access via: linpeas-flake.packages.${system}.linpeas
Overlay form on the Nix install page.
What this is¶
A thin Nix wrapper. Upstream releases linpeas.sh; this repo pins the asset by SRI hash, asserts pin shape at flake-eval, cross-checks the GitHub Releases API .digest field on each bump, and re-verifies upstream parity daily. Three automations keep the pin current — see Architecture → Auto-update.
Trust model in 60 seconds¶
- Build provenance: every release artifact has a SLSA attestation.
gh attestation verify <artifact> --repo rvenutolo/linPEAS-flakeproves it was built here. - Content trust on upstream: upstream PEASS-ng ships no signatures. SRI hash binds you to a specific upstream artifact, not to a particular author. If upstream is compromised, the wrapper faithfully ships the compromise.
- Site: documentation only, not a trust anchor.
Full breakdown: Security → Trust model → Verification walkthrough.