Detection-as-code workbench for writing, testing, scoring, and documenting Sigma-style detections.
This repository is intentionally scope-locked by documentation first. Before adding code, read:
- docs/SCOPE.md — what v0.1 is and is not.
- docs/ARCHITECTURE.md — modules, commands, data flow, file layout.
- docs/QUALITY_MODEL.md — rule scoring and linter philosophy.
- docs/TESTING_STRATEGY.md — regression test approach and supported Sigma subset.
- docs/REPORT_SCHEMAS.md — JSON report and exit-code contracts for automation and future UI work.
- docs/TUI_ROADMAP.md — future Charm TUI direction, explicitly deferred until the CLI is stable.
- docs/plans/0001-detectsmith-v0.1.md — implementation plan.
- AGENTS.md — instructions for AI agents and future context resets.
Build a focused, portfolio-quality detection engineering project that demonstrates:
- Detection-as-code discipline.
- Sigma-style rule authoring.
- Rule metadata quality checks.
- Fixture-based detection regression testing.
- MITRE ATT&CK coverage reporting.
- Analyst-facing documentation generation.
- GitHub Actions CI for detection content.
The first implementation target is a Python CLI with four commands:

```text
detectsmith lint rules/
detectsmith test tests/expected.yml
detectsmith coverage rules/
detectsmith docs rules/ --out site/
```

Detectsmith v0.1 is not a SIEM, EDR, scanner, offensive tool, live log collector, or full Sigma engine. It deliberately supports a small, documented subset of Sigma-like matching so the first version remains buildable and trustworthy.
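To make the lint / test / coverage / report pipeline concrete, here is an added, self-contained illustration that is not Detectsmith's own code and does not reflect its actual supported Sigma subset or report schema. It assumes a hypothetical subset (exact match, `|contains`, `|endswith`, list values as OR, and the conditions `selection` or `selection and not filter`), a constructed rule with a placeholder UUID, and a few constructed process-creation fixtures; the JSON report shape and the 0/1 exit-code convention are likewise assumptions for the example.

```python
"""Toy detection-as-code pipeline: lint -> fixture tests -> ATT&CK coverage -> JSON report.
Illustrative only (hypothetical Sigma-like subset); not the Detectsmith implementation.
"""
import json
import re

REQUIRED_FIELDS = ("title", "id", "status", "description", "logsource",
                   "detection", "level", "tags")
TECHNIQUE_TAG = re.compile(r"^attack\.t\d{4}(\.\d{3})?$")  # e.g. attack.t1059.001

# Constructed sample rule (placeholder UUID, not a real rule id).
RULE = {
    "title": "Encoded PowerShell Command Line",
    "id": "00000000-0000-4000-8000-000000000001",
    "status": "experimental",
    "description": "Detects PowerShell started with an encoded command argument.",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": ["-enc", "-EncodedCommand"]},
        "filter": {"ParentImage|endswith": "\\approved_installer.exe"},
        "condition": "selection and not filter",
    },
    "level": "medium",
    "tags": ["attack.execution", "attack.t1059.001"],
}

# Constructed fixture telemetry with the verdict each event should produce.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
FIXTURES = [
    {"name": "encoded_ps", "expected": True, "event": {
        "Image": PS, "CommandLine": "powershell.exe -enc SQBFAFgA",
        "ParentImage": "C:\\Windows\\explorer.exe"}},
    {"name": "benign_script", "expected": False, "event": {
        "Image": PS, "CommandLine": "powershell.exe -File backup.ps1",
        "ParentImage": "C:\\Windows\\explorer.exe"}},
    {"name": "allowlisted_parent", "expected": False, "event": {
        "Image": PS, "CommandLine": "powershell.exe -EncodedCommand AAAA",
        "ParentImage": "C:\\Program Files\\Vendor\\approved_installer.exe"}},
]


def lint_rule(rule):
    """Return metadata findings; an empty list means the rule passes lint."""
    findings = [f"missing required field: {f}" for f in REQUIRED_FIELDS if f not in rule]
    if not any(TECHNIQUE_TAG.match(t) for t in rule.get("tags", [])):
        findings.append("no ATT&CK technique tag (attack.tNNNN)")
    return findings


def _field_matches(key, expected, event):
    """One selection entry: 'Field' or 'Field|modifier' against a list (OR) of values."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()  # Sigma string matching is case-insensitive
    for value in (expected if isinstance(expected, list) else [expected]):
        value = str(value).lower()
        if (modifier == "" and actual == value) or \
           (modifier == "contains" and value in actual) or \
           (modifier == "endswith" and actual.endswith(value)):
            return True
    return False


def _selection_matches(selection, event):
    return all(_field_matches(k, v, event) for k, v in selection.items())


def match_event(rule, event):
    """Evaluate the (hypothetical) supported condition subset; refuse anything else loudly."""
    det = rule["detection"]
    cond = det["condition"]
    if cond == "selection":
        return _selection_matches(det["selection"], event)
    if cond == "selection and not filter":
        return _selection_matches(det["selection"], event) and \
            not _selection_matches(det["filter"], event)
    raise ValueError(f"unsupported condition: {cond!r}")


def run_fixtures(rule, fixtures):
    """Regression test: every fixture records expected vs. actual verdict."""
    results = []
    for fx in fixtures:
        actual = match_event(rule, fx["event"])
        results.append({"name": fx["name"], "expected": fx["expected"],
                        "actual": actual, "passed": actual == fx["expected"]})
    return results


def attack_coverage(rules):
    """Map ATT&CK technique id (e.g. T1059.001) -> rule ids that claim it."""
    coverage = {}
    for r in rules:
        for tag in r.get("tags", []):
            if TECHNIQUE_TAG.match(tag):
                coverage.setdefault(tag[len("attack."):].upper(), []).append(r["id"])
    return coverage


def build_report(rules, fixtures):
    """Assumed report shape: exit_code 0 only if lint is clean and all fixtures pass."""
    lint = {r["id"]: lint_rule(r) for r in rules}
    tests = {r["id"]: run_fixtures(r, fixtures) for r in rules}
    ok = all(not f for f in lint.values()) and \
        all(t["passed"] for ts in tests.values() for t in ts)
    return {"lint": lint, "tests": tests, "coverage": attack_coverage(rules),
            "exit_code": 0 if ok else 1}


if __name__ == "__main__":
    report = build_report([RULE], FIXTURES)
    print(json.dumps(report, indent=2))
    raise SystemExit(report["exit_code"])
```

The point of the toy is the contract, not the matcher: `match_event` rejects any condition outside the documented subset instead of silently returning False, so a rule using unsupported syntax fails the test run rather than appearing covered, and the report's `exit_code` is what a CI job would gate on.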
Detectsmith should eventually have a Charm ecosystem TUI for interactive review and demos. That TUI is intentionally not part of v0.1. The planned architecture is:
Python CLI/core first → stable JSON reports → Go Charm TUI frontend
The TUI should invoke the CLI and read JSON reports rather than reimplementing detection logic. See docs/TUI_ROADMAP.md.
The project should tell this story:
Threat behavior → detection rule → metadata quality → sample telemetry → regression test → ATT&CK coverage → analyst-facing docs → CI validation → eventual interactive TUI review.
That story is more important than broad platform support.