Installing Baish


By Curtis Collicutt

January 05, 2025
ℹ️

Baish is a security-focused tool that uses Large Language Models (LLMs) and other heuristics to analyse shell scripts before they are executed. It's designed to be used as a more secure alternative to the common "curl | bash" pattern.

Importantly, Baish is a cybersecurity learning project, where the developers have a relatively narrow solution to implement, but still learn a lot about the problem space: for example, how to use LLMs, how to secure them, and how to take and understand untrusted input.

Check it out on GitHub: https://github.com/taicodotca/baish


Installing Baish

Text of Installation

This is a quick post on installing Baish.

In this example we’ll install Baish into a Linux VM, specifically Ubuntu 24.04. We’re assuming it’s a fresh install, but it should work on other Linux distros too, and pipx also works on macOS and Windows.

The installation instructions are available on the Baish GitHub repo.

First, we need the dependencies, and we are going to use pipx to install, so let’s get those things installed.

sudo apt install libmagic1 pipx

Now we have pipx and can simply install baish.

ℹ️

Pipx is a nice tool for installing Python packages, and it puts them in their own virtual environments. Read more about it here.

pipx install baish

Once that completes, we need a config file. We can use the example config file as a starting point.

mkdir ~/.baish
vi ~/.baish/config.yaml # edit the config file

Baish supports several major LLM providers, but here let’s use Anthropic and Haiku. You can also set up more than one LLM provider, but we’ll keep it simple for now and just use one.

default_llm: haiku # default model to use
llms:
  haiku: # memorable name
    provider: anthropic # provider name
    model: claude-3-5-haiku-latest # model name
    temperature: 0.1 # temperature

Put that into the config file and save it.

Now make sure you have an API key for Anthropic.

export ANTHROPIC_API_KEY=your_api_key

Finally, we can run Baish.

$ curl -sSL https://raw.githubusercontent.com/taicodotca/baish/main/install.sh | baish 
⠋ Analyzing file...
╭──────────────────────────────── Baish - Bash AI Shield ────────────────────────────────╮
│ Analysis Results - 2024-12-21_06-55-35_e9fa19e5_script.sh                              │
│                                                                                        │
│ Harm Score:       2/10 ████────────────────                                            │
│ Complexity Score: 8/10 ████████████████────                                            │
│ Uses Root:    False                                                                    │
│                                                                                        │
│ File type: text/x-shellscript                                                          │
│                                                                                        │
│ Explanation:                                                                           │
│ The script is a bash installer for baish, a tool that sets up a Python virtual         │
│ environment and installs baish. It checks for system dependencies, Python              │
│ requirements, and installs baish using pip. It also sets up an alias for baish in the  │
│ user's shell configuration file.                                                       │
│                                                                                        │
│ Script saved to: /home/curtis/.baish/scripts/2024-12-21_06-55-35_e9fa19e5_script.sh    │
│ To execute, run: bash                                                                  │
│ /home/curtis/.baish/scripts/2024-12-21_06-55-35_e9fa19e5_script.sh                     │
│                                                                                        │
│ ⚠️  AI-based analysis is not perfect and should not be considered a complete security   │
│ audit. For complete trust in a script, you should analyze it in detail yourself. Baish │
│ has downloaded the script so you can review and execute it in your own environment.    │
╰────────────────────────────────────────────────────────────────────────────────────────╯
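
The fields in the report above can be checked mechanically before you open the saved script. The following is an added example, not part of Baish or the original post. It assumes the report text keeps the layout shown above; the function names (`report_field`, `baish_gate`), the threshold and the refuse-on-root policy are choices made for this example.

```shell
#!/bin/sh
# Added example: fail-closed gate over a Baish report (layout assumed from this post).

# Constructed sample: abridged copy of the report shown above.
sample_report() {
cat <<'EOF'
│ Harm Score:       2/10 ████──────────────── │
│ Complexity Score: 8/10 ████████████████──── │
│ Uses Root:    False │
│ Script saved to: /home/curtis/.baish/scripts/2024-12-21_06-55-35_e9fa19e5_script.sh │
EOF
}

# Print the first whitespace-delimited token after label "$1" in the text on stdin.
report_field() {
    awk -v label="$1" '
        { pos = index($0, label) }
        pos { split(substr($0, pos + length(label)), tok, " "); print tok[1]; exit }
    '
}

# Usage: <report> | baish_gate MAX_HARM
# Prints the saved script path for manual review only when every field parses,
# the harm score is <= MAX_HARM and "Uses Root" is False. It never runs the script.
baish_gate() {
    max="$1"
    report=$(cat)
    harm=$(printf '%s\n' "$report" | report_field 'Harm Score:')
    root=$(printf '%s\n' "$report" | report_field 'Uses Root:')
    path=$(printf '%s\n' "$report" | report_field 'Script saved to:')
    harm=${harm%/10}

    # Fail closed: a missing or malformed field is treated as a refusal.
    case "$harm" in ''|*[!0-9]*) echo "refuse: harm score not found" >&2; return 2 ;; esac
    case "$root" in True|False) ;; *) echo "refuse: root flag not found" >&2; return 2 ;; esac
    case "$path" in /*) ;; *) echo "refuse: saved path not found" >&2; return 2 ;; esac

    [ "$harm" -le "$max" ] || { echo "refuse: harm $harm > $max" >&2; return 1; }
    [ "$root" = False ] || { echo "refuse: script uses root" >&2; return 1; }
    printf '%s\n' "$path"
}

# Demo on the constructed sample: prints the path, since 2 <= 3 and root is False.
sample_report | baish_gate 3
```

Open the printed path in a pager and read it before running the `bash` command Baish suggests; a path that contains spaces or wraps across report lines will not parse and is refused.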

Video of Installation

Here’s a video that goes through the same installation process.
