Skip to content

Watch / diff mode for CI integration #47

Description

@mdavistffhrtporg

Description

Running `attackmap analyze` on every CI job re-emits every finding. In a PR workflow the useful signal is the delta — findings introduced (or resolved) by the PR relative to the base branch. GitHub Code Scanning + SARIF (#42) gives you inline delta rendering for free, but for teams that want a lighter integration (a bot comment on the PR, a JSON diff), an in-tool diff mode is more direct.

Suggested shape

  • `attackmap analyze --baseline <previous-report.json>` — read a prior scan and emit only new / removed / changed findings
  • Stable finding IDs (`sha256(title + first evidence citation)` or similar) so a finding that persists across scans has the same ID
  • Diff report: `--diff-output attackmap-diff.md` — Markdown-formatted "New / Persisted / Resolved" sections suitable for a PR comment
  • Optional flag to fail the process with nonzero exit when new HIGH findings appear (gate the PR)

Design questions

  • Finding stability: title + first evidence file/line is a reasonable identity, but line numbers drift on unrelated commits. Consider hashing title + evidence file only (ignore line) — trades finding-move detection for finding-drift stability.
  • Baseline storage: file path via CLI flag is fine for now. GitHub-Actions integration could pull from cache.

Sizing

Medium. Blocked on nothing but should be sequenced after SARIF (#42) which addresses the biggest CI-integration use case with less new surface.

Metadata

Metadata

Assignees

No one assigned

    Labels

    coreMigrated from GitLabenhancementMigrated from GitLabpriority-3Migrated from GitLab

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions