action package
v1.23.0 Latest
Published: May 6, 2026 License: Apache-2.0 Imports: 30 Imported by: 1

Documentation

Constants

const (
	CHANGE = iota + 1
	OBJECTIVE
	RESOURCE
	TECHNIQUE
	ALL
)

Sensitivity levels:
1: Only display a diff if the file's risk score changes (equivalent to FileRiskChange)
2: Only display a diff if the file's objective changes (e.g., anti-static -> c2)
3: Only display a diff if the file's resource changes (e.g., base64 -> binary)
4: Only display a diff if the file's technique changes (e.g., eval -> exec)
5: Display all files in a diff (default, no filtering)

Variables

var (
	ErrMatchedCondition = errors.New("matched exit criteria")
)

Functions

func ApplyCategoryFilter added in v1.23.0

func ApplyCategoryFilter(r *malcontent.Report, categories []string)

ApplyCategoryFilter trims each FileReport in the report so that only behaviors matching one of the categories remain, then removes any FileReport whose behavior list became empty. An empty or nil categories slice is a no-op. Use this for analyze/scan output, where empty entries are noise; for the diff path, prefer TrimFileReport per file so that reconciliation can still see both sides of a change.

func CachedRules added in v1.5.0

func CachedRules(ctx context.Context, fss []fs.FS) (*yarax.Rules, error)

func CleanPath added in v1.18.0

func CleanPath(path string, prefix string) string

CleanPath removes the temporary directory prefix from the path. It only removes the prefix if it's at a directory boundary to avoid partial matches (e.g., "/tmp/extract" should not match "/tmp/extract2/file").
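The directory-boundary caveat above is easy to get wrong with a plain prefix trim. The following is an added example (not the package's own code) that puts a naive TrimPrefix next to a boundary-aware version; the names naiveCleanPath and cleanPath, the choice to return the stripped path without a leading separator, and the handling of a prefix with trailing slashes are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveCleanPath shows the partial-match pitfall the CleanPath doc warns
// about: a plain TrimPrefix strips "/tmp/extract" out of "/tmp/extract2/file".
func naiveCleanPath(path, prefix string) string {
	return strings.TrimPrefix(path, prefix)
}

// cleanPath strips prefix from path only when the prefix ends at a directory
// boundary. Assumptions (not taken from the package): the result carries no
// leading separator, trailing slashes on the prefix are normalised away, and a
// path that equals the prefix exactly is returned unchanged.
func cleanPath(path, prefix string) string {
	p := strings.TrimRight(prefix, "/")
	if p == "" {
		// An empty prefix strips nothing; a root prefix "/" strips only the leading slash.
		if prefix == "" {
			return path
		}
		return strings.TrimLeft(path, "/")
	}
	if strings.HasPrefix(path, p+"/") {
		return strings.TrimPrefix(path, p+"/")
	}
	return path
}

func main() {
	// Constructed sample paths, including the "/tmp/extract2" near-miss.
	cases := []struct{ path, prefix string }{
		{"/tmp/extract/file", "/tmp/extract"},
		{"/tmp/extract2/file", "/tmp/extract"},
		{"/tmp/extract/a/b", "/tmp/extract/"},
		{"/tmp/extract", "/tmp/extract"},
	}
	for _, c := range cases {
		fmt.Printf("%-20s prefix=%-14s naive=%-20q safe=%q\n",
			c.path, c.prefix, naiveCleanPath(c.path, c.prefix), cleanPath(c.path, c.prefix))
	}
}
```

The naive version turns "/tmp/extract2/file" into "2/file", silently attributing a finding to a path that never existed; the boundary-aware version leaves it alone.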

func FilterBehaviorsByCategory added in v1.23.0

func FilterBehaviorsByCategory(behaviors []*malcontent.Behavior, categories []string) ([]*malcontent.Behavior, int)

FilterBehaviorsByCategory returns the subset of behaviors whose ID matches any of the supplied categories, plus the count of dropped entries. Empty/nil categories returns the input slice unchanged.

func MatchesAnyCategory added in v1.23.0

func MatchesAnyCategory(ruleID string, categories []string) bool

MatchesAnyCategory reports whether ruleID matches any of the supplied categories. A category matches when it is equal to ruleID or is a '/'-bounded prefix of it (so "exfil" matches "exfil/stealer/foo" but not "exfiltrate/foo"). An empty or nil categories slice is a no-op (returns true) so the filter is opt-in.

func Scan

Scan runs YARA scans over a data source, applying output filters if necessary.

func TrimFileReport added in v1.23.0

func TrimFileReport(fr *malcontent.FileReport, categories []string) bool

TrimFileReport trims behaviors on a single FileReport to those matching any of the categories. Returns true when at least one behavior remains (useful for callers that want to skip rendering empty reports). Empty/nil categories is a no-op (returns true).
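The four filtering functions above (MatchesAnyCategory, FilterBehaviorsByCategory, TrimFileReport and ApplyCategoryFilter) form one pipeline: a '/'-bounded category match, a slice filter that counts what it drops, a per-file trim, and a report-wide pass that also discards emptied files. The block below is an added example, not the package's code: it re-implements that pipeline over simplified stand-in types (Behavior, FileReport and Report with only the fields needed here are assumed shapes), with constructed sample rule IDs that include the "exfil" versus "exfiltrate" near-miss from the MatchesAnyCategory doc.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Simplified stand-ins for malcontent.Behavior, FileReport and Report
// (assumed shapes for this example; the real types carry many more fields).
type Behavior struct {
	ID string
}

type FileReport struct {
	Path      string
	Behaviors []*Behavior
}

type Report struct {
	Files map[string]*FileReport
}

// matchesAnyCategory: a category matches when it equals ruleID or is a
// '/'-bounded prefix of it. No categories means "no filter" (true).
func matchesAnyCategory(ruleID string, categories []string) bool {
	if len(categories) == 0 {
		return true
	}
	for _, c := range categories {
		if ruleID == c || strings.HasPrefix(ruleID, c+"/") {
			return true
		}
	}
	return false
}

// filterBehaviorsByCategory returns the kept subset plus the dropped count.
// With no categories the input slice is returned unchanged.
func filterBehaviorsByCategory(behaviors []*Behavior, categories []string) ([]*Behavior, int) {
	if len(categories) == 0 {
		return behaviors, 0
	}
	kept := make([]*Behavior, 0, len(behaviors)) // new backing array, caller's slice untouched
	for _, b := range behaviors {
		if matchesAnyCategory(b.ID, categories) {
			kept = append(kept, b)
		}
	}
	return kept, len(behaviors) - len(kept)
}

// trimFileReport filters one report in place; true while something remains.
func trimFileReport(fr *FileReport, categories []string) bool {
	if len(categories) == 0 {
		return true
	}
	fr.Behaviors, _ = filterBehaviorsByCategory(fr.Behaviors, categories)
	return len(fr.Behaviors) > 0
}

// applyCategoryFilter trims every file and drops files left with nothing;
// this is the analyze/scan behaviour, where empty entries are just noise.
func applyCategoryFilter(r *Report, categories []string) {
	if len(categories) == 0 {
		return
	}
	for path, fr := range r.Files {
		if !trimFileReport(fr, categories) {
			delete(r.Files, path) // deleting the current key during range is safe in Go
		}
	}
}

// sampleReport is constructed data: two extracted files with rule IDs in the
// "<category>/<subcategory>/<rule>" style used by the doc's examples.
func sampleReport() *Report {
	return &Report{Files: map[string]*FileReport{
		"/tmp/extract/a.py": {Path: "/tmp/extract/a.py", Behaviors: []*Behavior{
			{ID: "exfil/stealer/foo"},
			{ID: "exfiltrate/foo"}, // starts with "exfil" but is not a '/'-bounded match
			{ID: "anti-static/base64"},
		}},
		"/tmp/extract/b.so": {Path: "/tmp/extract/b.so", Behaviors: []*Behavior{
			{ID: "c2/tool/beacon"},
		}},
	}}
}

func main() {
	r := sampleReport()
	applyCategoryFilter(r, []string{"exfil", "anti-static"})
	paths := make([]string, 0, len(r.Files))
	for p := range r.Files {
		paths = append(paths, p)
	}
	sort.Strings(paths) // map order is random; sort for stable output
	for _, p := range paths {
		fmt.Printf("%s:\n", p)
		for _, b := range r.Files[p].Behaviors {
			fmt.Printf("  %s\n", b.ID)
		}
	}
}
```

With the categories "exfil" and "anti-static", a.py keeps two behaviors and drops "exfiltrate/foo", while b.so is removed from the report entirely. For the diff path, call trimFileReport on each side instead and keep the emptied report around, as the ApplyCategoryFilter doc recommends.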

Types

type ErrorType added in v1.8.5

type ErrorType int
const (
	// TypeUnknown will be the default of `0`.
	TypeUnknown ErrorType = iota
	// TypeScanError is to be used when compiled rules are invalid or the scan fails otherwise.
	TypeScanError
	// TypeGenerateError is to be used when a file's report cannot be created.
	TypeGenerateError
)

Error type iotas.

type FileReportError added in v1.8.5

type FileReportError struct {
	// contains filtered or unexported fields
}

FileReportError is a custom error type to hold the error, path, and vanity reason.

func NewFileReportError added in v1.8.5

func NewFileReportError(err error, path string, reason ErrorType) *FileReportError

NewFileReportError returns a new FileReportError.

func (*FileReportError) Error added in v1.8.5

func (e *FileReportError) Error() string

func (*FileReportError) Is added in v1.8.5

func (e *FileReportError) Is(target error) bool

func (*FileReportError) Path added in v1.8.5

func (e *FileReportError) Path() string

func (*FileReportError) Type added in v1.8.5

func (e *FileReportError) Type() ErrorType

func (*FileReportError) Unwrap added in v1.8.5

func (e *FileReportError) Unwrap() error
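FileReportError's Unwrap and Is methods exist so that callers can use the standard errors.Is and errors.As on the results of a scan. The following is an added example, not the package's code: it rebuilds a FileReportError with the documented accessors (the struct fields err, path and reason, the Error string format, and the rule that Is matches another *FileReportError with the same ErrorType are assumptions made for this illustration) and shows the caller-side classification one would write around it.

```go
package main

import (
	"errors"
	"fmt"
)

// Sentinel mirroring the package's exit-criteria error.
var ErrMatchedCondition = errors.New("matched exit criteria")

type ErrorType int

const (
	TypeUnknown ErrorType = iota
	TypeScanError
	TypeGenerateError
)

// FileReportError is a stand-in with the documented accessors. The fields
// are assumed: the wrapped error, the scanned path and the reason.
type FileReportError struct {
	err    error
	path   string
	reason ErrorType
}

func NewFileReportError(err error, path string, reason ErrorType) *FileReportError {
	return &FileReportError{err: err, path: path, reason: reason}
}

// Error format is an assumption for this example.
func (e *FileReportError) Error() string {
	return fmt.Sprintf("%s: %v", e.path, e.err)
}

// Unwrap lets errors.Is and errors.As look through to the wrapped error.
func (e *FileReportError) Unwrap() error { return e.err }

// Is is assumed here to match another *FileReportError with the same reason,
// so a caller can ask "is this a scan error?" without caring about the path.
func (e *FileReportError) Is(target error) bool {
	t, ok := target.(*FileReportError)
	return ok && t.reason == e.reason
}

func (e *FileReportError) Path() string    { return e.path }
func (e *FileReportError) Type() ErrorType { return e.reason }

// classify shows the caller-side pattern: stop cleanly when the exit criteria
// matched, otherwise report where a scan or generation failure happened.
func classify(err error) string {
	var fre *FileReportError
	switch {
	case err == nil:
		return "ok"
	case errors.Is(err, ErrMatchedCondition): // found via Unwrap
		return "stop: exit criteria matched"
	case errors.As(err, &fre) && fre.Type() == TypeScanError:
		return "scan failed for " + fre.Path()
	case errors.As(err, &fre):
		return "report generation failed for " + fre.Path()
	default:
		return "unexpected: " + err.Error()
	}
}

func main() {
	// Constructed errors covering each branch, including one wrapped by fmt.Errorf.
	errs := []error{
		nil,
		NewFileReportError(ErrMatchedCondition, "/tmp/extract/a.py", TypeUnknown),
		NewFileReportError(errors.New("bad rules"), "/tmp/extract/b.so", TypeScanError),
		fmt.Errorf("outer: %w", NewFileReportError(errors.New("no report"), "/tmp/extract/c", TypeGenerateError)),
		errors.New("boom"),
	}
	for _, e := range errs {
		fmt.Println(classify(e))
	}
}
```

Because Unwrap is implemented, errors.Is still finds ErrMatchedCondition even when the FileReportError is itself wrapped again further up the call stack, and errors.As recovers the path for logging without string matching on the message.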

type ProcessInfo added in v1.2.0

type ProcessInfo struct {
	PID            int32
	PPID           int32
	Name           string
	ScanPath       string
	AdvertisedPath string
	CmdLine        []string
}

func ActiveProcesses added in v1.2.0

func ActiveProcesses(ctx context.Context) ([]*ProcessInfo, error)

ActiveProcesses is an exported function that returns a list of active processes.

type ScanResult added in v1.10.0

type ScanResult struct {
	// contains filtered or unexported fields
}
