MCPcopy Index your code
hub / github.com/github/gh-aw / NewAuditDiffSubcommand

Function NewAuditDiffSubcommand

pkg/cli/audit_diff_command.go:18–110  ·  view source on GitHub ↗

NewAuditDiffSubcommand creates the audit diff subcommand. Deprecated: pass multiple run IDs directly to `audit` instead (e.g. `gh aw audit `). This subcommand is hidden and kept for backward compatibility only.

()

Source from the content-addressed store, hash-verified

16// Deprecated: pass multiple run IDs directly to `audit` instead (e.g. `gh aw audit <base> <compare...>`).
17// This subcommand is hidden and kept for backward compatibility only.
18func NewAuditDiffSubcommand() *cobra.Command {
19 cmd := &cobra.Command{
20 Use: "diff <base-run-id> <compare-run-id>...",
21 Short: "Compare behavior across workflow runs",
22 Hidden: true,
23 Long: `Deprecated: pass multiple run IDs directly to the audit command instead.
24
25 gh aw audit <base-run-id> <compare-run-id>...
26
27Compare workflow run behavior between a base run and one or more comparison runs
28to detect policy regressions, new unauthorized domains, behavioral drift, and changes in
29MCP tool usage, token usage, or run metrics.
30
31The first argument is the base (reference) run. All subsequent arguments are compared
32against that base. This enables tracking behavioral drift across multiple runs at once.
33
34This command downloads artifacts for all runs (using cached data when available),
35analyzes their data, and produces a diff showing:
36- New domains that appeared in the comparison run
37- Removed domains that were in the base run but not the comparison
38- Status changes (domains that flipped between allowed and denied)
39- Volume changes (significant request count changes, >100% threshold)
40- Anomaly flags (new denied domains, previously-denied now allowed)
41- MCP tool invocation changes (new/removed tools, call count and error count diffs)
42- Run metrics comparison (token usage, duration, turns) when cached data is available
43- Detailed token usage breakdown (input/output/cache + AI Credits) from firewall proxy`,
44 Example: ` ` + string(constants.CLIExtensionPrefix) + ` audit diff 12345 12346 # Compare two runs
45 ` + string(constants.CLIExtensionPrefix) + ` audit diff 12345 12346 12347 12348 # Compare base against 3 runs
46 ` + string(constants.CLIExtensionPrefix) + ` audit diff 12345 12346 --format markdown # Markdown output for PR comments
47 ` + string(constants.CLIExtensionPrefix) + ` audit diff 12345 12346 --json # JSON for CI integration
48 ` + string(constants.CLIExtensionPrefix) + ` audit diff 12345 12346 --repo owner/repo # Specify repository`,
49 Args: cobra.MinimumNArgs(2),
50 RunE: func(cmd *cobra.Command, args []string) error {
51 baseRunID, err := strconv.ParseInt(args[0], 10, 64)
52 if err != nil {
53 return fmt.Errorf("invalid base run ID %q: must be a numeric run ID", args[0])
54 }
55
56 compareRunIDs := make([]int64, 0, len(args)-1)
57 seen := make(map[int64]bool)
58 for _, arg := range args[1:] {
59 id, err := strconv.ParseInt(arg, 10, 64)
60 if err != nil {
61 return fmt.Errorf("invalid run ID %q: must be a numeric run ID", arg)
62 }
63 if id == baseRunID {
64 return fmt.Errorf("comparison run ID %d is the same as the base run ID: cannot diff a run against itself", id)
65 }
66 if seen[id] {
67 return fmt.Errorf("duplicate comparison run ID %d: each run ID must appear only once", id)
68 }
69 seen[id] = true
70 compareRunIDs = append(compareRunIDs, id)
71 }
72
73 outputDir, _ := cmd.Flags().GetString("output")
74 verbose, _ := cmd.Flags().GetBool("verbose")
75 jsonOutput, _ := cmd.Flags().GetBool("json")

Callers 1

NewAuditCommandFunction · 0.85

Calls 8

RunAuditDiffFunction · 0.85
addOutputFlagFunction · 0.85
addJSONFlagFunction · 0.85
addRepoFlagFunction · 0.85
ValidArtifactSetNamesFunction · 0.85
GetStringMethod · 0.65
ErrorfMethod · 0.45
StringMethod · 0.45

Tested by

no test coverage detected