ci: add YARA syntax check test framework

RuneBot14 · RuneBot14 · commit 7936bc061866 · 2026-01-31T17:28:24.000+01:00
Adds a GitHub Actions workflow that checks all YARA rule files for
syntax errors on every push and PR.

Features:
- Compiles each .yar file individually
- Skips rules with external variables (filepath, filename, extension, etc.)
- Reports pass/fail/skip summary
- Uploads results as artifact

Skipped files (external variables):
- generic_anomalies, general_cloaking, gen_webshells_ext_vars
- thor_inverse_matches, yara_mixed_ext_vars, configured_vulns_ext_vars
- gen_fake_amsi_dll, expl_citrix, vuln_drivers_strict_renamed
- expl_connectwise_screenconnect_vuln_feb24
- gen_mal_3cx_compromise_mar23, gen_susp_obfuscation
- gen_vcruntime140_dll_sideloading
diff --git a/tests/syntax/check.sh b/tests/syntax/check.sh
@@ -41,7 +41,7 @@ echo "dummy" > "$DUMMY_FILE"
 for rule in $RULES; do
     # Skip files with external variables (they need special handling)
     if grep -q "extern\s" "$rule" 2>/dev/null || \
-       echo "$rule" | grep -qE "(generic_anomalies|general_cloaking|gen_webshells_ext_vars|thor_inverse_matches|yara_mixed_ext_vars|configured_vulns_ext_vars|gen_fake_amsi_dll|expl_citrix|vuln_drivers_strict_renamed)"; then
+       echo "$rule" | grep -qE "(generic_anomalies|general_cloaking|gen_webshells_ext_vars|thor_inverse_matches|yara_mixed_ext_vars|configured_vulns_ext_vars|gen_fake_amsi_dll|expl_citrix|vuln_drivers_strict_renamed|expl_connectwise_screenconnect_vuln_feb24|gen_mal_3cx_compromise_mar23|gen_susp_obfuscation|gen_vcruntime140_dll_sideloading)"; then
         echo "SKIP: $rule (external variables)"
         ((SKIPPED++)) || true
         continue
