Skip to main content

Infrastructure-as-Code analyzer plugin for AttackMap (Dockerfile, docker-compose, GitHub Actions, .env templates, shell installers)

Project description

attackmap-analyzer-iac

Infrastructure-as-Code analyzer plugin for AttackMap.

Covers the class of files that live outside application source but drive the actual runtime posture:

  • Dockerfile — non-root user, exposed ports, COPY/ADD with credentials, RUN curl | bash, missing healthchecks, base-image pinning
  • docker-compose.yaml — service list (feeds the topology graph), env_file references, host-mount volumes, privileged containers, 0.0.0.0 port bindings, network_mode: host
  • GitHub Actions workflowspull_request_target with checkout, third-party actions pinned by tag vs SHA, secret exposure to fork PRs, step-level permissions:
  • .env templates (.env.example, sample.env) — secret inventory (the shape, not the value)
  • Shell installerscurl | bash patterns, sudo scope, TLS material handling

Emits routes for exposed ports, external calls for third-party actions and curl fetches, SecretHint for env-template inventory, service-topology hints for compose services: — feeding the same pipeline as the source-code analyzers.

Bluesky FINDINGS §2 documented this as the biggest coverage gap: bluesky-social/pds (a deployment repo) was 95% invisible to AttackMap because every non-JS file was outside the analyzer model. This plugin closes that gap.

Install

pip install attackmap-analyzer-iac
# or as part of the bundle
pip install "attackmap[all]"

Usage

Runs automatically via the attackmap.analyzers entry-point group once installed:

attackmap analyze /path/to/deployment-repo --output reports

Contract

Implements AnalyzerProtocol from attackmap.sdk. See the external-analyzer guide.

Scope

In: patterns any competent operator recognizes on inspection — the docker-compose service graph, pull_request_target combined with untrusted checkout, non-root User directive presence, curl-piped installer scripts.

Out: deep semantic analysis of container image contents, live registry scanning, executed-runtime introspection. Those belong in other tools; AttackMap's differentiator is narrative attack-path reasoning over the code you can see.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

attackmap_analyzer_iac-0.1.0.tar.gz (12.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

attackmap_analyzer_iac-0.1.0-py3-none-any.whl (10.2 kB view details)

Uploaded Python 3

File details

Details for the file attackmap_analyzer_iac-0.1.0.tar.gz.

File metadata

  • Download URL: attackmap_analyzer_iac-0.1.0.tar.gz
  • Upload date:
  • Size: 12.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for attackmap_analyzer_iac-0.1.0.tar.gz
Algorithm Hash digest
SHA256 093c3fb1c17ccbfd612e61205b32d93f6c5586e165fef86e98cd69a8fd1dd25a
MD5 f7a6f36dfb54a56c05ea303b58720506
BLAKE2b-256 3385798c0e984a0e3d03540eb22fccd0e17bb4e6fc61e3e116273fd1c7207986

See more details on using hashes here.

Provenance

The following attestation bundles were made for attackmap_analyzer_iac-0.1.0.tar.gz:

Publisher: release.yml on mlaify/attackmap-analyzer-iac

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file attackmap_analyzer_iac-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for attackmap_analyzer_iac-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 bf5aff5214dbf6968006c2a80324a39b1b7721d2958662628dfe1fad42d3491e
MD5 e5f08731b811e374c2cb03efe6d81793
BLAKE2b-256 9015752088a7d2243fc226b9af1b1225eb85da8295f3efd598027184beeb3c1f

See more details on using hashes here.

Provenance

The following attestation bundles were made for attackmap_analyzer_iac-0.1.0-py3-none-any.whl:

Publisher: release.yml on mlaify/attackmap-analyzer-iac

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page