{"id":15116735,"url":"https://github.com/chainguard-dev/malcontent","last_synced_at":"2026-04-01T20:25:34.758Z","repository":{"id":221272255,"uuid":"753881685","full_name":"chainguard-dev/malcontent","owner":"chainguard-dev","description":"#supply #chain #attack #detection","archived":false,"fork":false,"pushed_at":"2026-03-26T12:26:50.000Z","size":1509296,"stargazers_count":646,"open_issues_count":8,"forks_count":60,"subscribers_count":10,"default_branch":"main","last_synced_at":"2026-03-26T15:24:49.332Z","etag":null,"topics":["binary","linux","macos","malware-analysis","no-ghaudit-default-permissions","reverse-engineering"],"latest_commit_sha":null,"homepage":"","language":"YARA","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chainguard-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-02-07T00:47:30.000Z","updated_at":"2026-03-26T12:26:54.000Z","dependencies_parsed_at":"2025-04-14T18:10:25.190Z","dependency_job_id":"df23f594-3a75-411e-86d7-d8b8dc23178a","html_url":"https://github.com/chainguard-dev/malcontent","commit_stats":null,"previous_names":["tstromberg/bincapz","chainguard-dev/bincapz","chainguard-dev/malcontent"],"tags_count":102,"template":false,"template_full_name":null,"purl":"pkg:github/chainguard-dev/malcontent","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fmalcontent","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chaingua
rd-dev%2Fmalcontent/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fmalcontent/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fmalcontent/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chainguard-dev","download_url":"https://codeload.github.com/chainguard-dev/malcontent/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fmalcontent/sbom","scorecard":{"id":398436,"data":{"date":"2025-08-18T17:53:41Z","repo":{"name":"github.com/chainguard-dev/malcontent","commit":"a5e2172a46f11edc844a1f367a8fd443378b65a0"},"scorecard":{"version":"v5.2.1","commit":"ab2f6e92482462fe66246d9e32f642855a691dc1"},"score":9.1,"checks":[{"name":"Maintained","score":10,"reason":"30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: 
.github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yaml:23","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yaml:24","Info: jobLevel 'packages' permission set to 'read': .github/workflows/codeql.yaml:25","Info: jobLevel 'packages' permission set to 'read': .github/workflows/codeql.yaml:76","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yaml:74","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yaml:75","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yaml:18","Info: jobLevel 'actions' permission set to 'read': 
.github/workflows/scorecard.yml:30","Info: jobLevel 'issues' permission set to 'read': .github/workflows/scorecard.yml:31","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/scorecard.yml:32","Info: jobLevel 'checks' permission set to 'read': .github/workflows/scorecard.yml:33","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:29","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/third-party.yaml:30","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/version.yaml:22","Info: found token with 'none' permissions: .github/workflows/codeql.yaml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/go-tests.yaml:15","Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yaml:7","Info: topLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:18","Info: topLevel 'contents' permission set to 'read': .github/workflows/style.yaml:7","Info: topLevel 'contents' permission set to 'read': .github/workflows/third-party.yaml:9","Info: topLevel 'contents' permission set to 'read': .github/workflows/version.yaml:12"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":2,"reason":"badge detected: InProgress","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source 
repository.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":10,"reason":"all dependencies are pinned","details":["Info:  23 out of  23 GitHub-owned GitHubAction dependencies pinned","Info:  19 out of  19 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities"}},{"name":"Branch-Protection","score":8,"reason":"branch protection is not maximal on development and all release 
branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Info: 'branch protection settings apply to administrators' is required to merge on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Warn: codeowners review is required - but no codeowners file found in repo","Info: status check found to merge onto on branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: SAST configuration detected: CodeQL","Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast"}},{"name":"CI-Tests","score":10,"reason":"30 out of 30 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests"}},{"name":"Contributors","score":10,"reason":"project has 7 contributing companies or organizations","details":["Info: found contributions from: chainguard-dev, chainguard-images, codeGROOVE-dev, codegroove.dev, octo-sts, ready-to-review, wolfi-dev"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., 
companies).","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors"}}]},"last_synced_at":"2025-08-18T19:34:35.207Z","repository_id":221272255,"created_at":"2025-08-18T19:34:35.208Z","updated_at":"2025-08-18T19:34:35.208Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31291579,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T13:12:26.723Z","status":"ssl_error","status_checked_at":"2026-04-01T13:12:25.102Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["binary","linux","macos","malware-analysis","no-ghaudit-default-permissions","reverse-engineering"],"created_at":"2024-09-26T01:44:33.770Z","updated_at":"2026-04-01T20:25:34.748Z","avatar_url":"https://github.com/chainguard-dev.png","language":"YARA","readme":"# malcontent\n\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/gojp/goreportcard/blob/master/LICENSE)\n[![Latest Release](https://img.shields.io/github/v/release/chainguard-dev/malcontent?include_prereleases)](https://github.com/chainguard-dev/malcontent/releases/latest)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/9633/badge)](https://www.bestpractices.dev/projects/9633)\n[![OpenSSF 
Scorecard](https://api.scorecard.dev/projects/github.com/chainguard-dev/malcontent/badge)](https://scorecard.dev/viewer/?uri=github.com/chainguard-dev/malcontent)\n[![Go Report Card](https://goreportcard.com/badge/chainguard-dev/malcontent)](https://goreportcard.com/report/chainguard-dev/malcontent)\n\n---\n\n```bash\n#\n#                   8                       o                 o\n#                   8                       8                 8\n#    ooYoYo. .oPYo. 8 .oPYo. .oPYo. odYo.  o8P .oPYo. odYo.  o8P\n#    8' 8  8 .oooo8 8 8    ' 8    8 8' `8   8  8oooo8 8' `8   8\n#    8  8  8 8    8 8 8    . 8    8 8   8   8  8.     8   8   8\n#    8  8  8 `YooP8 8 `YooP' `YooP' 8   8   8  `Yooo' 8   8   8\n#    ..:..:..:.....:..:.....::.....:..::..::..::.....:..::..::..:\n#    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::\n#    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::\n#\n#    subtle malware discovery tool\n```\n\n---\n\nmalcontent discovers supply-chain compromises through the magic of context, differential analysis, and YARA.\n\nmalcontent has 3 modes of operation:\n\n- [analyze](#analyze): unfiltered analysis of a program's capabilities\n- [diff](#diff): risk-weighted differential analysis between two sources\n- [scan](#scan): threshold-based scan of a program's capabilities\n\nmalcontent is at its best analyzing programs that run on Linux. 
Still, it also performs admirably for programs designed for other UNIX platforms such as macOS and, to a lesser extent, Windows.\n\n## Features\n\n* 14,500+ YARA rules including third-party rules from:\n  * Avast\n  * Elastic\n  * FireEye\n  * Mandiant\n  * Nextron\n  * ReversingLabs\n* Analyzes binary files in most common formats (a.out, ELF, Mach-O, PE)\n* Analyzes code from most common languages (AppleScript, C, Go, Javascript/Typescript, PHP, Perl, Python, Ruby, Shell, Typescript)\n* Transparent support for archives and container images\n* Multiple output formats (JSON, YAML, Markdown, Text, Terminal/TUI)\n* Designed to work as part of a CI/CD pipeline\n* Embedded rules to support air-gapped networks\n\n## Configuration\n\n```text\nGLOBAL OPTIONS:\n   --all                       Ignore nothing within a provided scan path\n   --exit-extraction           Exit when encountering file extraction errors\n   --exit-first-miss           Exit with error if scan source has no matching capabilities\n   --exit-first-hit            Exit with error if scan source has matching capabilities\n   --format string             Output format (interactive, json, markdown, simple, strings, terminal, yaml) (default: \"auto\")\n   --ignore-self               Ignore the malcontent binary\n   --ignore-tags string        Rule tags to ignore (default: \"false_positive,ignore\")\n   --include-data-files        Include files that are detected as non-program (binary or source) files\n   --jobs int, -j int          Concurrently scan files within target scan paths (default: 12)\n   --max-depth int             Maximum depth for archive extraction (0 or -1 for unlimited) (default: 32)\n   --max-files int             Maximum number of files to scan (0 or -1 for unlimited) (default: 2097152)\n   --max-image-size int        Maximum OCI image size in bytes (0 or -1 for unlimited) (default: 17179869184)\n   --min-file-level int        Obsoleted by --min-file-risk (default: -1)\n   --min-file-risk 
string      Only show results for files which meet the given risk level (any, low, medium, high, critical) (default: \"low\")\n   --min-level int             Obsoleted by --min-risk (default: -1)\n   --min-risk string           Only show results which meet the given risk level (any, low, medium, high, critical) (default: \"low\")\n   --oci-auth                  Use Docker Keychain authentication to pull images (warning: may leak credentials to malicious registries!)\n   --output string, -o string  Write output to specified file instead of stdout\n   --profile, -p               Generate profile and trace files\n   --quantity-increases-risk   Increase file risk score based on behavior quantity\n   --stats, -s                 Show scan statistics\n   --third-party               Include third-party rules which may have licensing restrictions\n   --verbose                   Emit verbose logging messages to stderr\n   --help, -h                  show help\n   --version, -v               print the version\n```\n\n\u003e Using `--oci-auth` leverages the Docker Keychain to authenticate image pulls.  \n\u003e This option may expose sensitive auth tokens to a malicious registry but is not materially different from other image pull mechanisms (e.g., Docker or `google/go-containerregistry` which malcontent leverages via the `crane` package).  \n\u003e Malcontent defaults to anonymous pulls and authentication is opt-in when needing to scan OCI images from private, trusted registries.\n\n## Modes\n\n### Analyze\n\nTo enumerate the capabilities of a program, use `mal analyze`. \n\nmalcontent is pretty paranoid in this mode as well as `scan` given the lack of differential context, so expect some false positives.\n\nFor example:\n![analyze screenshot](./images/analyze.png)\n\n`mal analyze` emits a list of capabilities often seen in malware, categorized by risk level. 
It works with programs in a wide variety of file formats and scripting languages.\n\n\u003e `CRITICAL` findings should be considered malicious. \n\n```text\nNAME:\n   malcontent analyze - fully interrogate a path\n\nUSAGE:\n   malcontent analyze [options]\n\nOPTIONS:\n   --image string, -i string [ --image string, -i string ]  Scan one or more images\n   --processes                                              Scan the commands (paths) of running processes\n   --help, -h                                               show help\n```\n\n### Diff\n\n```text\n ________      ________      ________      ________\n|        |    |        |    |        |    |        |\n| v1.0.0 | =\u003e | v1.0.1 | =\u003e | v1.0.2 | =\u003e | v1.0.3 |\n|________|    |________|    |________|    |________|\n\n               unchanged     HIGH-RISK     decreased\n               risk          increase      risk\n\n```\n\nmalcontent's most powerful method for discovering malware is through differential analysis against CI/CD artifacts. When used within a build system, malcontent has two significant contextual advantages over a traditional malware scanner:\n\n* Baseline of expected behavior (previous, known-good release)\n* Semantic versioning that describes how large of a change to expect\n\nUsing the [3CX Compromise](https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised) as an example, malcontent trivially surfaces unexpectedly high-risk changes to  libffmpeg:\n\n![diff screenshot](./images/diff.png)\n\nEach line that begins with a \"+\" represents a new behavior; each behavior has a risk score based on how unique it is to malware.\n\nLike the `diff(1)` command it is based on, malcontent can diff two binaries or directories. 
Additionally, malcontent can also diff two archive files and even OCI images.\n\n```text\nNAME:\n   malcontent diff - scan and diff two paths\n\nUSAGE:\n   malcontent diff [options]\n\nOPTIONS:\n   --file-risk-change             Only show diffs when file risk changes\n   --file-risk-increase           Only show diffs when file risk increases\n   --image, -i                    Scan an image\n   --report, -r                   Diff existing analyze/scan reports\n   --sensitivity int, --sens int  Control the sensitivity when diffing two files, paths, etc. (default: 5)\n   --help, -h                     show help\n```\n\n### Scan\n\nmalcontent's most basic feature scans targets for possible malware with a default risk threshold of `HIGH` (i.e., harmless, low, and medium behaviors or files are filtered out).\n\n![scan screenshot](./images/scan.png)\n\n```text\nNAME:\n   malcontent scan - tersely scan a path and return findings of the highest severity\n\nUSAGE:\n   malcontent scan [options]\n\nOPTIONS:\n   --image string, -i string [ --image string, -i string ]  Scan one or more images\n   --processes                                              Scan the commands (paths) of running processes\n   --help, -h                                               show help\n```\n\n## Installation\n\n### Container\n\n`docker pull cgr.dev/chainguard/malcontent:latest`\n\n### Local\n\nRequirements:\n\n* [Go](https://go.dev/dl) - the programming language\n* [Rust](https://rust-lang.org/tools/install/) - YARA-X requirement\n* [YARA-X](https://virustotal.github.io/yara-x/docs/intro/installation/) - Rust implementation of YARA\n* [pkgconf](https://github.com/pkgconf/pkgconf) - required by Go to find C dependencies, included in many UNIX distributions\n* [libssl-dev](https://packages.debian.org/sid/libssl-dev) package\n* [UPX](https://upx.github.io/)* - required for refreshing sample testdata\n\n\u003e \\* By default, malcontent will look for a UPX binary at /usr/bin/upx; to specify a 
different, [trusted] location, use `MALCONTENT_UPX_PATH=/path/to/upx`\n\nTo install YARA-X, first install Rust and then run `make install-yara-x`, which will clone the YARA-X repository and install its dependencies and C API.\n\n### Building locally in Debian/Ubuntu\n\n1. Install the dependencies. On Debian/Ubuntu you can run:\n\n   ```bash\n   sudo apt-get install -y pkgconf libssl-dev\n   ```\n\n   Make sure [Go](https://go.dev/doc/install) and [Rust](https://www.rust-lang.org/tools/install) are installed.\n\n1. Run `make install-yara-x` to build the yara-x C API. The `yara_xcapi.pc` file will be generated under `./out/lib/pkgconfig`.\n\n    For more information about the yara-x C API, see the documentation: https://virustotal.github.io/yara-x/docs/api/c/c-/#building-the-c-library\n\n1. Build the malcontent binary with:\n\n    ```bash\n    make out/mal\n    ```\n\n    The resulting binary is `out/mal`.\n\n1. Install the binary (optional):\n\n    ```bash\n    sudo install out/mal /usr/local/bin\n    ```\n\n## Help Wanted\n\nmalcontent is open source! If you are interested in contributing, check out [our development guide](DEVELOPMENT.md). 
Send us a pull request, and we'll help you with the rest!\n\n## ⚠️ Malware Disclaimer ⚠️\n\nDue to how malcontent operates, other malware scanners can detect malcontent as malicious.\n\nPrograms that leverage YARA will often see other programs that also use YARA as malicious due to the strings looking for problematic behavior(s).\n\nFor example, Elastic's agent has historically detected malcontent because of this: https://github.com/chainguard-dev/malcontent/issues/78.\n\n\u003e  \\*Additional scanner findings can be seen in [this](https://www.virustotal.com/gui/file/b6f90aa5b9e7f3a5729a82f3ea35f96439691e150e0558c577a8541d3a187ba4/detection) VirusTotal scan.\n","funding_links":[],"categories":["YARA","Other Lists"],"sub_categories":["🛡️ DFIR:"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fmalcontent","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchainguard-dev%2Fmalcontent","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fmalcontent/lists"}