Skip to content

Commit c386003

Browse files
authored
Merge branch 'main' into really-fix-json
2 parents 4d685d0 + 4c7566e commit c386003

1 file changed

Lines changed: 50 additions & 23 deletions

File tree

README.md

Lines changed: 50 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -1,39 +1,37 @@
11
# Malcontent GitHub Action
22

3-
A GitHub Action that runs [malcontent](https://github.com/chainguard-dev/malcontent) on PR diffs to detect security changes between versions.
3+
A GitHub Action that runs [malcontent](https://github.com/chainguard-dev/malcontent) on PR diffs to detect security-relevant changes between code versions.
44

55
## Features
66

7-
- 🔍 **Diff Analysis**: Compares malcontent findings between base and head commits
8-
- 📊 **Risk Scoring**: Calculates risk scores and detects increases/decreases
9-
- 💬 **Enhanced PR Comments**: Shows detailed behaviors, not just counts
10-
- 📝 **Workflow Summary**: Outputs to GitHub Actions summary for non-PR contexts
11-
- 🎯 **Flexible Modes**: Supports both `diff` and `analyze` modes
12-
- 📁 **Path Filtering**: Can analyze specific directories with `base-path`
7+
- 🔍 **Security Diff Analysis**: Compares malcontent findings between base and head commits
8+
- 📊 **Risk Scoring**: Calculates risk scores and tracks increases/decreases
9+
- 💬 **Detailed PR Comments**: Shows specific behaviors with risk levels and match examples
10+
- 📝 **Workflow Summary**: Outputs findings to GitHub Actions summary for non-PR contexts
11+
- 📁 **Path Filtering**: Analyze specific directories with `base-path`
1312
- 🚀 **Docker-based**: Uses malcontent Docker image for consistent results
13+
- 🎯 **Risk-based Actions**: Take different actions based on risk magnitude with `risk-delta` output
1414

15-
## What's New
15+
## PR Comment Example
1616

17-
### Enhanced PR Comments
18-
Instead of just showing behavior counts, the action now displays:
19-
- Up to 10 specific behaviors per file
20-
- Risk levels with emoji indicators (🔴 CRITICAL, 🟠 HIGH, 🟡 MEDIUM, 🔵 LOW)
21-
- Example match strings for each behavior
22-
- Clear risk score changes
17+
The action provides detailed behavior analysis in PR comments:
2318

24-
Example output:
2519
```
26-
#### 📄 `suspicious-file.js`
27-
**Risk Score: 35**
20+
## 🔴 Security Risk Increased (+15 points)
2821
29-
**Behaviors detected:**
30-
- 🔴 **Potential backdoor** [CRITICAL]
22+
### Modified Files
23+
24+
#### 📄 `src/app.js`
25+
26+
**➕ Added behaviors:**
27+
- 🔴 **Potential backdoor detected** [CRITICAL]
3128
- Match: `eval(atob(`
29+
- Rule: [backdoor/js/eval_base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/...)
3230
- 🟠 **Obfuscated code** [HIGH]
3331
- Match: `String.fromCharCode(0x68,0x65,0x6c,0x6c,0x6f)`
34-
- 🟡 **Network communication** [MEDIUM]
35-
- Match: `fetch("http://example.com")`
36-
...and 7 more behaviors
32+
33+
**➖ Removed behaviors:**
34+
- 🟢 ~~Basic logging~~ [LOW]
3735
```
3836

3937
## Usage
@@ -103,7 +101,9 @@ jobs:
103101
| `risk-delta` | The change in risk score (positive for increase, negative for decrease) |
104102
| `report-file` | Path to the full diff report JSON file |
105103

106-
### Example: Using outputs in workflow
104+
### Using the risk-delta output
105+
106+
The `risk-delta` output allows you to implement custom logic based on the magnitude of security changes:
107107

108108
```yaml
109109
- uses: imjasonh/malcontent-action@v1
@@ -125,6 +125,19 @@ jobs:
125125
run: |
126126
echo "::error::Significant security risk increase detected!"
127127
exit 1
128+
129+
# Or use different thresholds for different actions
130+
- name: Request security review
131+
if: steps.malcontent.outputs.risk-delta > 5 && steps.malcontent.outputs.risk-delta <= 10
132+
uses: actions/github-script@v6
133+
with:
134+
script: |
135+
github.rest.issues.addLabels({
136+
issue_number: context.issue.number,
137+
owner: context.repo.owner,
138+
repo: context.repo.repo,
139+
labels: ['security-review']
140+
})
128141
```
129142

130143
## How It Works
@@ -156,6 +169,20 @@ This will compile the TypeScript/JavaScript code into `dist/index.js` using `@ve
156169
4. Build: `npm run build`
157170
5. Commit both source and dist files
158171

172+
### Code Quality
173+
174+
This project uses Prettier for code formatting:
175+
176+
```bash
177+
# Format code
178+
npm run format
179+
180+
# Check formatting
181+
npm run format:check
182+
```
183+
184+
Pre-commit hooks are configured with Husky to automatically format code before commits.
185+
159186
## Requirements
160187

161188
- GitHub Actions runner with Docker support (Linux runners)

0 commit comments

Comments
 (0)