Description
Running `attackmap analyze` on every CI job re-emits every finding. In a PR workflow the useful signal is the delta — findings introduced (or resolved) by the PR relative to the base branch. GitHub Code Scanning + SARIF (#42) gives you inline delta rendering for free, but for teams that want a lighter integration (a bot comment on the PR, a JSON diff), an in-tool diff mode is more direct.
Suggested shape
- `attackmap analyze --baseline <previous-report.json>` — read a prior scan and emit only new / removed / changed findings
- Stable finding IDs (`sha256(title + first evidence citation)` or similar) so a finding that persists across scans has the same ID
- Diff report: `--diff-output attackmap-diff.md` — Markdown-formatted "New / Persisted / Resolved" sections suitable for a PR comment
- Optional flag to fail the process with nonzero exit when new HIGH findings appear (gate the PR)
Design questions
- Finding stability: title + first evidence file/line is a reasonable identity, but line numbers drift on unrelated commits. Consider hashing title + evidence file only (ignore line) — trades finding-move detection for finding-drift stability.
- Baseline storage: file path via CLI flag is fine for now. GitHub-Actions integration could pull from cache.
Sizing
Medium. Blocked on nothing but should be sequenced after SARIF (#42) which addresses the biggest CI-integration use case with less new surface.
Description
Running `attackmap analyze` on every CI job re-emits every finding. In a PR workflow the useful signal is the delta — findings introduced (or resolved) by the PR relative to the base branch. GitHub Code Scanning + SARIF (#42) gives you inline delta rendering for free, but for teams that want a lighter integration (a bot comment on the PR, a JSON diff), an in-tool diff mode is more direct.
Suggested shape
Design questions
Sizing
Medium. Blocked on nothing but should be sequenced after SARIF (#42) which addresses the biggest CI-integration use case with less new surface.