
Add Argus scanning service #9563

Draft
janbro wants to merge 1 commit into EclipseFdn:production from yeeth-security:feat/add_scanner

Conversation


@janbro janbro commented Apr 10, 2026

This PR adds support for Argus as a pre-publish malware scanning backend in the Open VSX registry as part of the work agreed upon by the Eclipse Foundation.

Argus is a cloud-based multi-engine malware and AI analysis service exposed through https://app.yeethsecurity.com / https://api.yeethsecurity.com. The integration follows Argus’s asynchronous scan flow:

  • POST /api/scan uploads the extension package and returns a jobId
  • GET /api/scan/{jobId} is used to poll scan status until completion
  • the same result endpoint is then parsed for findings

The scanner is wired into the existing configurable scanner framework and maps Argus responses into the registry’s standard scan result model.

Configuration added

This change introduces an argus scanner definition with the following behavior:

  • enabled: true
  • type: "ARGUS"
  • required: false
  • enforced: true
  • async: true
  • timeout-minutes: 30

Why

This strengthens pre-publish security checks by adding another detection layer for malicious extensions. Argus complements the existing checks by providing cloud-based multi-engine and AI-assisted analysis, while fitting the same enforcement model already being introduced for other scanners.

The 30-minute timeout is deliberately set as a larger buffer. This provides enough headroom for additional detection stages and future detection enhancements.

Implementation details

  • Adds a new scanner configuration block for ARGUS
  • Supports asynchronous execution with job-based polling
  • Uses the standard HTTP client settings and timeout controls
  • Normalizes Argus findings into the common threat model used by the registry
  • Keeps the scanner enforced but not required initially, which matches the cautious rollout pattern discussed for other checks

Operational notes

  • Requires ARGUS_API_KEY to be present in the environment
  • Depending on network management of the production environment, there may be a change required to the egress rules to allow the server to reach Argus services
  • Because this scanner is asynchronous and network-dependent, it is introduced as:
    • enforced: true so detected threats can block publication
    • required: false so transient scanner availability issues do not immediately cause unnecessary publishing failures
  • Once stability and reliability are proven in production, required can be reconsidered

@chrisguindon @netomi
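The start/poll/result flow and the enforced/required semantics described in the PR above, as an added example that is not Open VSX or Argus code. The Argus response schema used here (a "status" field with values "pending", "completed" and "failed", a "findings" list with "engine", "description" and "severity" keys) is an assumption standing in for whatever the real API returns, the poll interval is assumed, and the transport is a constructed in-memory fake so the example runs offline. The point it adds to the description is how the two flags interact: `required` governs what happens when the scanner cannot deliver a verdict (timeout or backend failure), `enforced` governs what happens when it does deliver findings, and a completed result with a malformed findings list is treated as a scanner error rather than as "clean".

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


class ScanError(Exception):
    """Scanner could not deliver a verdict (timeout, backend failure, bad payload)."""


@dataclass
class ScannerConfig:
    # Mirrors the flags in the PR's argus block; the 30-minute timeout is from the PR.
    enabled: bool = True
    required: bool = False
    enforced: bool = True
    timeout_s: float = 30 * 60
    poll_interval_s: float = 10.0  # assumed; the PR does not state the polling cadence


@dataclass
class Finding:
    # Normalised shape standing in for the registry's common threat model.
    engine: str
    description: str
    severity: str


@dataclass
class FakeArgusTransport:
    """Constructed stand-in for POST /api/scan and GET /api/scan/{jobId}.

    polls_until_done: number of GETs that return "pending" before final_result
    is served; -1 means the job never completes (exercises the timeout path)."""
    final_result: Dict
    polls_until_done: int = 2
    _polls: int = field(default=0, init=False)

    def post_scan(self, package: bytes) -> Dict:
        # The real endpoint returns a jobId; this value is constructed from the upload.
        return {"jobId": "job-" + hashlib.sha256(package).hexdigest()[:12]}

    def get_scan(self, job_id: str) -> Dict:
        self._polls += 1
        if self.polls_until_done < 0 or self._polls <= self.polls_until_done:
            return {"jobId": job_id, "status": "pending"}
        return dict(self.final_result, jobId=job_id)


class FakeClock:
    """Deterministic clock so the timeout path runs without real waiting."""
    def __init__(self) -> None:
        self.now = 0.0

    def monotonic(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def run_argus_scan(transport, package: bytes, cfg: ScannerConfig, clock: FakeClock) -> List[Finding]:
    """POST the package, poll GET /api/scan/{jobId} until completion or timeout, normalise findings."""
    job_id = transport.post_scan(package)["jobId"]
    deadline = clock.monotonic() + cfg.timeout_s
    while True:
        result = transport.get_scan(job_id)
        status = result.get("status")  # assumed field name and values
        if status == "completed":
            raw = result.get("findings")
            if not isinstance(raw, list):
                # A completed job without a findings list is a parse failure, not a clean result.
                raise ScanError("completed result without a findings list")
            return [Finding(f.get("engine", "unknown"), f.get("description", ""),
                            f.get("severity", "unknown")) for f in raw]
        if status == "failed":
            raise ScanError(result.get("error", "backend reported failure"))
        if clock.monotonic() + cfg.poll_interval_s > deadline:
            raise ScanError(f"no verdict within {cfg.timeout_s:.0f}s for {job_id}")
        clock.sleep(cfg.poll_interval_s)


def decide_publication(cfg: ScannerConfig, scan: Callable[[], List[Finding]]) -> Tuple[bool, str]:
    """Apply the PR's enforced/required semantics to a scan outcome; returns (allow, reason)."""
    if not cfg.enabled:
        return True, "scanner disabled"
    try:
        findings = scan()
    except ScanError as exc:
        # required decides the unavailable-scanner case: block only when required.
        if cfg.required:
            return False, f"required scanner unavailable: {exc}"
        return True, f"scanner unavailable, not required: {exc}"
    if findings:
        summary = "; ".join(f"{f.engine}:{f.severity}" for f in findings)
        # enforced decides the positive-finding case: block only when enforced.
        if cfg.enforced:
            return False, f"blocked by {len(findings)} finding(s): {summary}"
        return True, f"findings recorded but not enforced: {summary}"
    return True, "clean"


# Constructed final results, not real Argus output.
MALICIOUS_RESULT = {"status": "completed", "findings": [
    {"engine": "static", "description": "obfuscated loader in extension.js", "severity": "high"}]}
CLEAN_RESULT = {"status": "completed", "findings": []}


def publish_with_fake(final_result: Dict, polls_until_done: int = 2, **cfg_overrides) -> Tuple[bool, str]:
    """Run one constructed package through the flow with the given config overrides."""
    cfg = ScannerConfig(**cfg_overrides)
    transport = FakeArgusTransport(final_result=final_result, polls_until_done=polls_until_done)
    clock = FakeClock()
    package = b"PK\x03\x04constructed-vsix-bytes"
    return decide_publication(cfg, lambda: run_argus_scan(transport, package, cfg, clock))


if __name__ == "__main__":
    print(publish_with_fake(MALICIOUS_RESULT))                              # blocked (enforced)
    print(publish_with_fake(CLEAN_RESULT))                                  # allowed
    print(publish_with_fake(CLEAN_RESULT, polls_until_done=-1))             # timeout, not required
    print(publish_with_fake(CLEAN_RESULT, polls_until_done=-1, required=True))  # timeout, required
```

The last two calls show the trade-off the PR's operational notes describe: with `required: false` a 30-minute stall at the scanner lets the publish proceed, so an attacker who can degrade the backend (or the egress path to it) bypasses the check, which is why the description frames `required` as something to revisit once availability is proven.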

@janbro janbro force-pushed the feat/add_scanner branch from 2557947 to 996fea4 on April 10, 2026 14:16

netomi commented Apr 10, 2026

can you create the PR for staging first please?


janbro commented Apr 10, 2026

Yep can do

@janbro janbro marked this pull request as draft April 10, 2026 16:08
@chrisguindon chrisguindon requested review from Copilot and netomi April 10, 2026 16:44

Copilot AI left a comment


Pull request overview

Adds configuration for an Argus-backed, asynchronous malware scanning backend to the existing ovsx.scanning.configured scanner framework, enabling pre-publish scans via Argus’s job-based API flow.

Changes:

  • Introduces a new argus scanner configuration block (type ARGUS) with async start/poll/result endpoints.
  • Adds per-scanner HTTP client settings, polling cadence, and a 30-minute overall timeout.
  • Maps Argus JSON responses into the common threat model via JSON-path fields.


@netomi netomi marked this pull request as ready for review April 10, 2026 19:53
@netomi netomi marked this pull request as draft April 10, 2026 19:54