fix: skip binaries using mime sniffing (#13)

- add gofile-based BinaryCheck to classify binary magic headers
  - propagate binary check through discovery and eligibility reasons
  - exclude .git directories with recursive pattern default
  - add pdf fixture and broaden coverage across app, filesystem, detector, finding, report
  - bump dependencies including gofile and golang.org/x/sys

Author: jcouture

go.mod

@@ -6,10 +6,13 @@ require github.com/fatih/color v1.19.0
 
 require github.com/rs/zerolog v1.35.0
 
-require github.com/spf13/pflag v1.0.10
+require (
+	github.com/shirou/gofile v0.0.0-20260314143841-7dc06be96404
+	github.com/spf13/pflag v1.0.10
+)
 
 require (
 	github.com/mattn/go-colorable v0.1.14 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
-	golang.org/x/sys v0.42.0 // indirect
+	github.com/mattn/go-isatty v0.0.21 // indirect
+	golang.org/x/sys v0.43.0 // indirect
 )

go.sum

@@ -2,12 +2,13 @@ github.com/fatih/color v1.19.0 h1:Zp3PiM21/9Ld6FzSKyL5c/BULoe/ONr9KlbYVOfG8+w=
 github.com/fatih/color v1.19.0/go.mod h1:zNk67I0ZUT1bEGsSGyCZYZNrHuTkJJB+r6Q9VuMi0LE=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.21 h1:xYae+lCNBP7QuW4PUnNG61ffM4hVIfm+zUzDuSzYLGs=
+github.com/mattn/go-isatty v0.0.21/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
 github.com/rs/zerolog v1.35.0 h1:VD0ykx7HMiMJytqINBsKcbLS+BJ4WYjz+05us+LRTdI=
 github.com/rs/zerolog v1.35.0/go.mod h1:EjML9kdfa/RMA7h/6z6pYmq1ykOuA8/mjWaEvGI+jcw=
+github.com/shirou/gofile v0.0.0-20260314143841-7dc06be96404 h1:FSesQzaVDGqNiF1pyQ8QTNpRZrBjXq+AQijCoEqY1Gw=
+github.com/shirou/gofile v0.0.0-20260314143841-7dc06be96404/go.mod h1:5R2Lq6rCwzvUkQLMyzYn2lkwhkXgrlgz803ZRWViHdw=
 github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=

internal/app/coverage_test.go

@@ -0,0 +1,141 @@
+// Copyright 2026 Jean-Philippe Couture
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+
+package app
+
+import (
+	"context"
+	"io"
+	"strings"
+	"testing"
+)
+
+// --- isBinaryMIME ---
+
+func TestIsBinaryMIME(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		mime string
+		want bool
+	}{
+		{"", false},
+		{"text/plain", false},
+		{"text/html", false},
+		{"application/json", false},
+		{"application/javascript", false},
+		{"application/pdf", true},
+		{"application/octet-stream", true},
+		{"image/png", true},
+		{"image/jpeg", true},
+		{"image/gif", true},
+		{"image/svg+xml", true},
+		{"audio/mpeg", true},
+		{"video/mp4", true},
+		{"font/ttf", true},
+		{"application/zip", true},
+		{"application/gzip", true},
+		{"application/x-gzip", true},
+		{"application/x-bzip2", true},
+		{"application/x-tar", true},
+		{"application/x-7z-compressed", true},
+		{"application/vnd.rar", true},
+		{"application/java-archive", true},
+		{"application/x-java-class", true},
+		{"application/wasm", true},
+		{"application/x-sqlite3", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.mime, func(t *testing.T) {
+			t.Parallel()
+			if got := isBinaryMIME(tt.mime); got != tt.want {
+				t.Fatalf("isBinaryMIME(%q) = %v, want %v", tt.mime, got, tt.want)
+			}
+		})
+	}
+}
+
+// --- Run with invalid format ---
+
+func TestRunInvalidFormat(t *testing.T) {
+	t.Parallel()
+
+	_, err := Run(context.Background(), Options{
+		Path:   ".",
+		Stdout: io.Discard,
+		Format: OutputFormat("invalid"),
+	})
+	if err == nil {
+		t.Fatal("Run() error = nil, want error for invalid format")
+	}
+	if !strings.Contains(err.Error(), "unsupported --format") {
+		t.Fatalf("Run() error = %q, want mention of unsupported format", err.Error())
+	}
+}
+
+// --- Run with invalid exclude pattern ---
+
+func TestRunInvalidExcludePattern(t *testing.T) {
+	t.Parallel()
+
+	_, err := Run(context.Background(), Options{
+		Path:     ".",
+		Stdout:   io.Discard,
+		Excludes: []string{"bad["},
+	})
+	if err == nil {
+		t.Fatal("Run() error = nil, want error for invalid exclude pattern")
+	}
+	if !strings.Contains(err.Error(), "configure excludes") {
+		t.Fatalf("Run() error = %q, want configure excludes", err.Error())
+	}
+}
+
+// --- scanCandidates with empty paths ---
+
+func TestScanCandidatesEmpty(t *testing.T) {
+	t.Parallel()
+
+	results, errors := scanCandidates(context.Background(), nil, nil)
+	if results != nil {
+		t.Fatalf("scanCandidates(nil) results = %v, want nil", results)
+	}
+	if errors != nil {
+		t.Fatalf("scanCandidates(nil) errors = %v, want nil", errors)
+	}
+}
+
+// --- Run with canceled context ---
+
+func TestRunCanceledContext(t *testing.T) {
+	t.Parallel()
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	_, err := Run(ctx, Options{
+		Path:   ".",
+		Stdout: io.Discard,
+	})
+	if err == nil {
+		t.Fatal("Run() error = nil, want error for canceled context")
+	}
+}

internal/app/run.go

@@ -27,12 +27,14 @@ import (
 	"io"
 	"runtime"
 	"sort"
+	"strings"
 	"time"
 
 	"github.com/jcouture/ghostscan/internal/filesystem"
 	"github.com/jcouture/ghostscan/internal/finding"
 	"github.com/jcouture/ghostscan/internal/report"
 	"github.com/jcouture/ghostscan/internal/scan"
+	"github.com/shirou/gofile"
 )
 
 type Options struct {
@@ -108,6 +110,14 @@ func Run(ctx context.Context, opts Options) (Result, error) {
 		now = time.Now
 	}
 
+	identifier, err := gofile.New(gofile.Options{MimeType: true})
+	if err != nil {
+		return Result{}, fmt.Errorf("initialize binary identifier: %w", err)
+	}
+	binaryCheck := func(buf []byte) bool {
+		return isBinaryMIME(identifier.IdentifyBuffer(buf))
+	}
+
 	runStart := now().UTC()
 	walkStart := now()
 	maxFileSize := opts.MaxFileSize
@@ -137,6 +147,7 @@ func Run(ctx context.Context, opts Options) (Result, error) {
 		MaxFileSize: maxFileSize,
 		Excluder:    excluder,
 		OnExclude:   buildExcludeReporter(opts.Stdout, format == OutputFormatHuman && opts.Verbose),
+		BinaryCheck: binaryCheck,
 	})
 	if err != nil {
 		return Result{}, fmt.Errorf("discover files from %q: %w", path, err)
@@ -314,9 +325,32 @@ func reportErrors(scanErrors []scanError) []report.ErrorEntry {
 	return items
 }
 
+func isBinaryMIME(mimeType string) bool {
+	if mimeType == "" {
+		return false
+	}
+	return strings.HasPrefix(mimeType, "image/") ||
+		strings.HasPrefix(mimeType, "audio/") ||
+		strings.HasPrefix(mimeType, "video/") ||
+		strings.HasPrefix(mimeType, "font/") ||
+		mimeType == "application/pdf" ||
+		mimeType == "application/octet-stream" ||
+		mimeType == "application/zip" ||
+		mimeType == "application/gzip" ||
+		mimeType == "application/x-gzip" ||
+		mimeType == "application/x-bzip2" ||
+		mimeType == "application/x-tar" ||
+		mimeType == "application/x-7z-compressed" ||
+		mimeType == "application/vnd.rar" ||
+		mimeType == "application/java-archive" ||
+		mimeType == "application/x-java-class" ||
+		mimeType == "application/wasm" ||
+		mimeType == "application/x-sqlite3"
+}
+
 func mapSkipReason(reason filesystem.EligibilityReason) string {
 	switch reason {
-	case filesystem.EligibilityReasonBinaryNUL:
+	case filesystem.EligibilityReasonBinaryNUL, filesystem.EligibilityReasonBinaryMagic:
 		return "binary"
 	case filesystem.EligibilityReasonTooLarge:
 		return "max_file_size_exceeded"