doc: add table comparing ways to consume capa output #2874
Merged: mike-hunhoff merged 4 commits into mandiant:master from devs6186:fix/2273-doc-output-consumption-table on Mar 2, 2026
Changes from all commits (4 commits):
- 733b864 doc: add table comparing ways to consume capa output (devs6186)
- ea88b74 doc: add links to each option in the ways-to-consume table (devs6186)
- a8c85b1 doc: add Binary Ninja to ways-to-consume table (devs6186)
- ff56a13 Merge upstream/master into fix/2273-doc-output-consumption-table (devs6186)
|
|
@@ -54,6 +54,7 @@ | |
|
|
||
| - doc: document that default output shows top-level matches only; -v/-vv show nested matches @devs6186 #1410 | ||
| - doc: fix typo in usage.md, add documentation links to README @devs6186 #2274 | ||
| - doc: add table comparing ways to consume capa output (CLI, IDA, Ghidra, dynamic sandbox, web) @devs6186 #2273 | ||
| - binja: add mypy config for top-level binaryninja module to fix mypy issues @devs6186 #2399 | ||
| - ci: deprecate macos-13 runner and use Python v3.13 for testing @mike-hunhoff #2777 | ||
|
|
||
|
|
||
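Review bot: the new CHANGELOG entry's parenthetical list "(CLI, IDA, Ghidra, dynamic sandbox, web)" omits Binary Ninja, even though commit a8c85b1 in this PR adds a Binary Ninja row to the table; update the entry to "(CLI, IDA, Ghidra, Binary Ninja, dynamic sandbox, web)" so the changelog matches what the table documents. The entry references issue #2273 while this PR is #2874, which is consistent with the neighbouring entries that cite issue numbers, so no change is needed there.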
|
|
@@ -2,6 +2,17 @@ | |
|
|
||
| See `capa -h` for all supported arguments and usage examples. | ||
|
|
||
| ## Ways to consume capa output | ||
|
|
||
| | Method | Output / interface | Typical use | | ||
|
||
| |--------|--------------------|-------------| | ||
| | **CLI** | Text (default, `-v`, `-vv`), JSON (`-j`), or other formats | Scripting, CI, one-off analysis | | ||
| | [**IDA Pro**](https://github.com/mandiant/capa/tree/master/capa/ida/plugin) | capa Explorer plugin inside IDA | Interactive analysis with jump-to-address | | ||
| | [**Ghidra**](https://github.com/mandiant/capa/tree/master/capa/ghidra/plugin) | capa Explorer plugin inside Ghidra | Interactive analysis with Ghidra integration | | ||
| | [**Binary Ninja**](https://github.com/mandiant/capa/tree/master/capa/features/extractors/binja) | capa run using Binary Ninja as the analysis backend | Interactive analysis with Binary Ninja integration | | ||
| | [**Dynamic (Sandbox)**](https://www.mandiant.com/resources/blog/dynamic-capa-executable-behavior-cape-sandbox) | capa run on dynamic sandbox report (CAPE, VMRay, etc.) | Dynamic analysis of sandbox output | | ||
| | [**Web (capa Explorer)**](https://mandiant.github.io/capa/explorer/) | Web UI (upload JSON or load from URL) | Sharing results, viewing from VirusTotal or similar | | ||
|
|
||
| ## Default vs verbose output | ||
|
|
||
| By default, capa shows only *top-level* rule matches: capabilities that are not already implied by another displayed rule. For example, if a rule "persist via Run registry key" matches and it *contains* a match for "set registry value", the default output lists only "persist via Run registry key". This keeps the default output short while still reflecting all detected capabilities at the top level. Use **`-v`** to see all rule matches, including nested ones. Use **`-vv`** for an even more detailed view that shows how each rule matched. | ||
|
|
||
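Review bot: the Binary Ninja row is internally inconsistent: its "Output / interface" cell says capa is "run using Binary Ninja as the analysis backend" (which is a CLI invocation, not an interactive plugin like the IDA Pro and Ghidra rows), yet its "Typical use" cell says "Interactive analysis with Binary Ninja integration", and its link points at the `capa/features/extractors/binja` extractor directory rather than a plugin directory as the IDA and Ghidra links do. Either reword "Typical use" to describe backend use (for example, "CLI analysis using Binary Ninja's disassembly/analysis") or link to a plugin if one exists. Two smaller points in the same hunk: the CLI row's "or other formats" is vague and would be clearer naming the formats capa supports or pointing at `capa -h`, and the Dynamic (Sandbox) row links to an external blog post where the other rows link to project resources, so consider linking project documentation for dynamic analysis if any exists.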