Infrastructure-as-Code analyzer plugin for AttackMap (Dockerfile, docker-compose, GitHub Actions, .env templates, shell installers)
Project description
attackmap-analyzer-iac
Infrastructure-as-Code analyzer plugin for AttackMap.
Covers the class of files that live outside application source but drive the actual runtime posture:
- Dockerfile — non-root user, exposed ports,
COPY/ADDwith credentials,RUN curl | bash, missing healthchecks, base-image pinning - docker-compose.yaml — service list (feeds the topology graph),
env_filereferences, host-mount volumes, privileged containers,0.0.0.0port bindings,network_mode: host - GitHub Actions workflows —
pull_request_targetwith checkout, third-party actions pinned by tag vs SHA, secret exposure to fork PRs, step-levelpermissions: .envtemplates (.env.example,sample.env) — secret inventory (the shape, not the value)- Shell installers —
curl | bashpatterns,sudoscope, TLS material handling
Emits routes for exposed ports, external calls for third-party actions and curl fetches, SecretHint for env-template inventory, service-topology hints for compose services: — feeding the same pipeline as the source-code analyzers.
Bluesky FINDINGS §2 documented this as the biggest coverage gap: bluesky-social/pds (a deployment repo) was 95% invisible to AttackMap because every non-JS file was outside the analyzer model. This plugin closes that gap.
Install
pip install attackmap-analyzer-iac
# or as part of the bundle
pip install "attackmap[all]"
Usage
Runs automatically via the attackmap.analyzers entry-point group once installed:
attackmap analyze /path/to/deployment-repo --output reports
Contract
Implements AnalyzerProtocol from attackmap.sdk. See the external-analyzer guide.
Scope
In: patterns any competent operator recognizes on inspection — the docker-compose service graph, pull_request_target combined with untrusted checkout, non-root User directive presence, curl-piped installer scripts.
Out: deep semantic analysis of container image contents, live registry scanning, executed-runtime introspection. Those belong in other tools; AttackMap's differentiator is narrative attack-path reasoning over the code you can see.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file attackmap_analyzer_iac-0.1.0.tar.gz.
File metadata
- Download URL: attackmap_analyzer_iac-0.1.0.tar.gz
- Upload date:
- Size: 12.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
093c3fb1c17ccbfd612e61205b32d93f6c5586e165fef86e98cd69a8fd1dd25a
|
|
| MD5 |
f7a6f36dfb54a56c05ea303b58720506
|
|
| BLAKE2b-256 |
3385798c0e984a0e3d03540eb22fccd0e17bb4e6fc61e3e116273fd1c7207986
|
Provenance
The following attestation bundles were made for attackmap_analyzer_iac-0.1.0.tar.gz:
Publisher:
release.yml on mlaify/attackmap-analyzer-iac
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
attackmap_analyzer_iac-0.1.0.tar.gz -
Subject digest:
093c3fb1c17ccbfd612e61205b32d93f6c5586e165fef86e98cd69a8fd1dd25a - Sigstore transparency entry: 2073900800
- Sigstore integration time:
-
Permalink:
mlaify/attackmap-analyzer-iac@139d43c3f0a77d2bd74093b684bd83a065961b12 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/mlaify
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@139d43c3f0a77d2bd74093b684bd83a065961b12 -
Trigger Event:
push
-
Statement type:
File details
Details for the file attackmap_analyzer_iac-0.1.0-py3-none-any.whl.
File metadata
- Download URL: attackmap_analyzer_iac-0.1.0-py3-none-any.whl
- Upload date:
- Size: 10.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bf5aff5214dbf6968006c2a80324a39b1b7721d2958662628dfe1fad42d3491e
|
|
| MD5 |
e5f08731b811e374c2cb03efe6d81793
|
|
| BLAKE2b-256 |
9015752088a7d2243fc226b9af1b1225eb85da8295f3efd598027184beeb3c1f
|
Provenance
The following attestation bundles were made for attackmap_analyzer_iac-0.1.0-py3-none-any.whl:
Publisher:
release.yml on mlaify/attackmap-analyzer-iac
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
attackmap_analyzer_iac-0.1.0-py3-none-any.whl -
Subject digest:
bf5aff5214dbf6968006c2a80324a39b1b7721d2958662628dfe1fad42d3491e - Sigstore transparency entry: 2073900873
- Sigstore integration time:
-
Permalink:
mlaify/attackmap-analyzer-iac@139d43c3f0a77d2bd74093b684bd83a065961b12 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/mlaify
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@139d43c3f0a77d2bd74093b684bd83a065961b12 -
Trigger Event:
push
-
Statement type: