Skip to main content

Explore assets and their relationships across your technical infrastructure.

Project description

Cartography

Cartography is a Python tool that pulls infrastructure assets and their relationships into a Neo4j graph database.

What it connects: AWS, GCP, Azure, Kubernetes, GitHub, Okta, Entra ID, CrowdStrike, and 30+ more platforms.

Questions it answers:

  • Which identities have access to which datastores? How about across multiple tenants, or providers?
  • Am I affected by any critical vulnerabilities or compromised software packages?
  • What are the network paths in and out of my environment?
  • Which compute instances are exposed to the internet?
  • What AI agents are running in production, and what permissions do they have?

Visualization of RDS nodes and AWS nodes

Quick Start

Install Cartography

pip install cartography

Start Neo4j database

docker run -d --publish=7474:7474 --publish=7687:7687 -v data:/data --env=NEO4J_AUTH=none neo4j:5-community

Confirm that http://localhost:7474 is up.

Sync your first data source (AWS example)

Ensure your AWS credentials and default region are configured (e.g. via AWS_PROFILE, AWS_DEFAULT_REGION, or ~/.aws/config). See AWS credentials docs for reference.

Run Cartography:

cartography --neo4j-uri bolt://localhost:7687 --selected-modules aws

See the full install guide for other platforms.

Query the graph

Open http://localhost:7474 and try:

// Find unencrypted RDS instances by account
MATCH (a:AWSAccount)-[:RESOURCE]->(rds:RDSInstance{storage_encrypted:false})
RETURN a.name, rds.id
// Find EC2 instances exposed to the internet
MATCH (instance:EC2Instance{exposed_internet: true})
RETURN instance.instanceid, instance.publicdnsname

See the querying tutorial and data schema for more use-cases.

Run security rules

Check your environment against common security frameworks:

cartography-rules run all

See the rules docs for more detail.

Supported platforms

Click to expand full list of 30+ supported platforms
  • Airbyte - Organization, Workspace, User, Source, Destination, Connection, Tag, Stream
  • Amazon Web Services - ACM, API Gateway, Bedrock, CloudWatch, CodeBuild, Config, Cognito, EC2, ECS, ECR (including multi-arch images, image layers, and attestations), EFS, Elasticsearch, Elastic Kubernetes Service (EKS), DynamoDB, Glue, GuardDuty, IAM, Inspector, KMS, Lambda, RDS, Redshift, Route53, S3, SageMaker, Secrets Manager(Secret Versions), Security Hub, SNS, SQS, SSM, STS, Tags
  • AIBOM - AI component detections linked to ECR images
  • Anthropic - Organization, ApiKey, User, Workspace
  • BigFix - Computers
  • Cloudflare - Account, Role, Member, Zone, DNSRecord
  • Crowdstrike Falcon - Hosts, Spotlight vulnerabilities, CVEs
  • DigitalOcean
  • Duo - Users, Groups, Endpoints
  • GitHub - repos, branches, users, teams, dependency graph manifests, dependencies
  • Google Cloud Platform - Artifact Registry, Bigtable, Cloud Functions, Cloud Resource Manager, Cloud Run, Cloud SQL, Compute, DNS, IAM, KMS, Secret Manager, Storage, Google Kubernetes Engine, Vertex AI
  • Google Workspace - users, groups, devices, OAuth apps
  • Jumpcloud
  • Kandji - Devices
  • Keycloak - Realms, Users, Groups, Roles, Scopes, Clients, IdentityProviders, Authentication Flows, Authentication Executions, Organizations, Organization Domains
  • Kubernetes - Cluster, Namespace, Service, Pod, Container, ServiceAccount, Role, RoleBinding, ClusterRole, ClusterRoleBinding, OIDCProvider
  • Lastpass - users
  • Microsoft Azure - App Service, Container Instance, CosmosDB, Data Factory, Event Grid, Firewall, Firewall Policy, Functions, Key Vault, Azure Kubernetes Service (AKS), Load Balancer, Logic Apps, Management Groups, Resource Group, SQL, Storage, Virtual Machine, Virtual Networks
  • Microsoft Entra ID - Users, Groups, Applications, OUs, App Roles, federation to AWS Identity Center, Intune Managed Devices, Intune Detected Apps, Intune Compliance Policies
  • CVE Metadata - CVE enrichment with CVSS, EPSS scores, and CISA KEV data from NVD and FIRST.org
  • NIST CVE - Common Vulnerabilities and Exposures (CVE) data from NIST database (deprecated - use CVE Metadata instead)
  • Okta - users, groups, organizations, roles, applications, factors, trusted origins, reply URIs, federation to AWS roles, federation to AWS Identity Center
  • OpenAI - Organization, AdminApiKey, User, Project, ServiceAccount, ApiKey
  • Oracle Cloud Infrastructure - IAM
  • PagerDuty - Users, teams, services, schedules, escalation policies, integrations, vendors
  • Scaleway - Projects, IAM, Local Storage, Instances
  • SentinelOne - Accounts, Agents, Applications, Application Versions, CVEs
  • Slack - Teams, Users, UserGroups, Channels
  • SnipeIT - Users, Assets
  • Socket.dev - Organizations, Repositories, Dependencies, Security Alerts (CVE, malware, supply chain risks), Fixes
  • Spacelift - Accounts, Spaces,Users, Stacks, WorkerPools, Workers, Runs, GitCommits
  • SubImage - Tenant, TeamMember, APIKey, Neo4jUser, Module, Framework
  • Tailscale - Tailnet, Users, Devices, Groups, Tags, PostureIntegrations, DevicePostures, DevicePostureConditions, device posture compliance relationships
  • Trivy Scanner - AWS ECR Images

Community

Contributing

Thank you for considering contributing to Cartography!

All contributors and participants must follow the CNCF Code of Conduct.

Submit a GitHub issue to report a bug or request a new feature. Larger discussions happen in GitHub Discussions.

Get started with our developer documentation.

Who uses Cartography?

  1. Lyft
  2. Thought Machine
  3. MessageBird
  4. Cloudanix
  5. Corelight
  6. SubImage
  7. Superhuman
  8. {Your company here} :-)

If your organization uses Cartography, please file a PR and update this list. Say hi on Slack too!

License

This project is licensed under the Apache 2.0 License.


Cartography is a Cloud Native Computing Foundation sandbox project.

CNCF Logo

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cartography-0.138.1.tar.gz (9.8 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cartography-0.138.1-py3-none-any.whl (2.0 MB view details)

Uploaded Python 3

File details

Details for the file cartography-0.138.1.tar.gz.

File metadata

  • Download URL: cartography-0.138.1.tar.gz
  • Upload date:
  • Size: 9.8 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.23 {"installer":{"name":"uv","version":"0.11.23","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for cartography-0.138.1.tar.gz
Algorithm Hash digest
SHA256 356e946a0bcac899cba293d57803c71bd35fdeabe623f5f67d9405d7a643af9f
MD5 e3f2ad510bd1721b69dac541f3bd548e
BLAKE2b-256 51cd0eb6a5a3c89cc179801d902ade9719af1a583c516c00f50d72b8207db1eb

See more details on using hashes here.

File details

Details for the file cartography-0.138.1-py3-none-any.whl.

File metadata

  • Download URL: cartography-0.138.1-py3-none-any.whl
  • Upload date:
  • Size: 2.0 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.23 {"installer":{"name":"uv","version":"0.11.23","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for cartography-0.138.1-py3-none-any.whl
Algorithm Hash digest
SHA256 88ec0898ea1a1b3f4653be9a3e7e61144f5cee20384b9040e92039617d39f029
MD5 2cadefae0143f7408428d1713a111d96
BLAKE2b-256 a8154447ec968825b2a19cba26ecb74964208aa3f941d9181a7782572e30b43d

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page