Explore assets and their relationships across your technical infrastructure.

Cartography

Cartography is a Python tool that pulls infrastructure assets and their relationships into a Neo4j graph database.

What it connects: AWS, GCP, Azure, Kubernetes, GitHub, Okta, Entra ID, CrowdStrike, and 30+ more platforms.

Questions it answers:

  • Which identities have access to which datastores? How about across multiple tenants, or providers?
  • Am I affected by any critical vulnerabilities or compromised software packages?
  • What are the network paths in and out of my environment?
  • Which compute instances are exposed to the internet?
  • What AI agents are running in production, and what permissions do they have?

[Image: visualization of RDS nodes and AWS nodes in the graph]

Quick Start

Install Cartography

pip install cartography

Start Neo4j database

docker run -d --publish=7474:7474 --publish=7687:7687 -v data:/data --env=NEO4J_AUTH=none neo4j:5-community

Confirm that http://localhost:7474 is up.

Sync your first data source (AWS example)

Ensure your AWS credentials and default region are configured (e.g. via AWS_PROFILE, AWS_DEFAULT_REGION, or ~/.aws/config). See AWS credentials docs for reference.

Run Cartography:

cartography --neo4j-uri bolt://localhost:7687 --selected-modules aws

See the full install guide for other platforms.

Query the graph

Open http://localhost:7474 and try:

// Find unencrypted RDS instances by account
MATCH (a:AWSAccount)-[:RESOURCE]->(rds:RDSInstance{storage_encrypted:false})
RETURN a.name, rds.id

// Find EC2 instances exposed to the internet
MATCH (instance:EC2Instance{exposed_internet: true})
RETURN instance.instanceid, instance.publicdnsname

See the querying tutorial and data schema for more use-cases.
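The same two queries can be run from Python instead of the browser, which is how you would wire Cartography findings into a ticketing or reporting job. The block below is an added example, not code from the Cartography project: it sends the Quick Start's two Cypher queries to the local Neo4j started above using the official neo4j Python driver (assumed installed with pip install neo4j; the bolt URI and NEO4J_AUTH=none setup are the ones from this page) and groups the records into a small report. The helper functions are pure, so they can be exercised on constructed records without a database.

```python
"""Query a Cartography-populated Neo4j graph from Python.

Added example, not part of Cartography's own README or code base.
Assumes: the neo4j Python driver (`pip install neo4j`), a Neo4j
instance at bolt://localhost:7687 started with NEO4J_AUTH=none, and a
completed `cartography --selected-modules aws` sync.
"""
from collections import defaultdict
from typing import Iterable, Mapping

# Cypher from the Quick Start; only the RETURN columns are aliased so the
# record keys are stable for the helpers below.
UNENCRYPTED_RDS = """
MATCH (a:AWSAccount)-[:RESOURCE]->(rds:RDSInstance{storage_encrypted:false})
RETURN a.name AS account, rds.id AS rds_id
"""

EXPOSED_EC2 = """
MATCH (instance:EC2Instance{exposed_internet: true})
RETURN instance.instanceid AS instance_id, instance.publicdnsname AS public_dns
"""


def group_by_account(records: Iterable[Mapping[str, str]]) -> dict[str, list[str]]:
    """Group unencrypted RDS instance ids under their AWS account name.

    Output is sorted on both levels so reports are stable between runs,
    which makes diffing two syncs straightforward.
    """
    grouped: dict[str, list[str]] = defaultdict(list)
    for rec in records:
        grouped[rec["account"]].append(rec["rds_id"])
    return {account: sorted(ids) for account, ids in sorted(grouped.items())}


def exposed_instances(records: Iterable[Mapping[str, str]]) -> list[tuple[str, str]]:
    """Return (instance id, public DNS name) pairs, sorted by instance id."""
    return sorted((rec["instance_id"], rec["public_dns"] or "") for rec in records)


def report_lines(rds_by_account: Mapping[str, list[str]],
                 ec2: Iterable[tuple[str, str]]) -> list[str]:
    """Render both findings as plain text lines, one finding per line."""
    lines = [f"unencrypted-rds account={acct} rds={rds_id}"
             for acct, ids in rds_by_account.items() for rds_id in ids]
    lines += [f"internet-exposed-ec2 instance={iid} dns={dns}" for iid, dns in ec2]
    return lines


def run_query(uri: str, cypher: str) -> list[dict]:
    """Run one Cypher statement and return the records as plain dicts."""
    # Imported lazily so the pure helpers above work without the driver.
    from neo4j import GraphDatabase

    # auth=None matches the NEO4J_AUTH=none docker invocation on this page;
    # a hardened deployment would pass real credentials here instead.
    with GraphDatabase.driver(uri, auth=None) as driver:
        records, _summary, _keys = driver.execute_query(cypher)
        return [dict(r) for r in records]


if __name__ == "__main__":
    uri = "bolt://localhost:7687"
    rds = group_by_account(run_query(uri, UNENCRYPTED_RDS))
    ec2 = exposed_instances(run_query(uri, EXPOSED_EC2))
    for line in report_lines(rds, ec2):
        print(line)
```

Run it after the AWS sync finishes; an empty output means neither query matched anything in the graph, which is worth confirming against the Neo4j browser before treating it as a clean result.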

Run security rules

Check your environment against common security frameworks:

cartography-rules run all

See the rules docs for more detail.

Supported platforms

  • Airbyte - Organization, Workspace, User, Source, Destination, Connection, Tag, Stream
  • Amazon Web Services - ACM, API Gateway, Bedrock, CloudWatch, CodeBuild, Config, Cognito, EC2, ECS, ECR (including multi-arch images, image layers, and attestations), EFS, Elasticsearch, Elastic Kubernetes Service (EKS), DynamoDB, Glue, GuardDuty, IAM, Inspector, KMS, Lambda, RDS, Redshift, Route53, S3, SageMaker, Secrets Manager (Secret Versions), Security Hub, SNS, SQS, SSM, STS, Tags
  • AIBOM - AI component detections linked to ECR images
  • Anthropic - Organization, ApiKey, User, Workspace
  • BigFix - Computers
  • Cloudflare - Account, Role, Member, Zone, DNSRecord
  • Crowdstrike Falcon - Hosts, Spotlight vulnerabilities, CVEs
  • DigitalOcean
  • Duo - Users, Groups, Endpoints
  • GitHub - repos, branches, users, teams, dependency graph manifests, dependencies
  • Google Cloud Platform - Artifact Registry, Bigtable, Cloud Functions, Cloud Resource Manager, Cloud Run, Cloud SQL, Compute, DNS, IAM, KMS, Secret Manager, Storage, Google Kubernetes Engine, Vertex AI
  • Google Workspace - users, groups, devices, OAuth apps
  • Jumpcloud
  • Kandji - Devices
  • Keycloak - Realms, Users, Groups, Roles, Scopes, Clients, IdentityProviders, Authentication Flows, Authentication Executions, Organizations, Organization Domains
  • Kubernetes - Cluster, Namespace, Service, Pod, Container, ServiceAccount, Role, RoleBinding, ClusterRole, ClusterRoleBinding, OIDCProvider
  • Lastpass - users
  • Microsoft Azure - App Service, Container Instance, CosmosDB, Data Factory, Event Grid, Firewall, Firewall Policy, Functions, Key Vault, Azure Kubernetes Service (AKS), Load Balancer, Logic Apps, Resource Group, SQL, Storage, Virtual Machine, Virtual Networks
  • Microsoft Entra ID - Users, Groups, Applications, OUs, App Roles, federation to AWS Identity Center, Intune Managed Devices, Intune Detected Apps, Intune Compliance Policies
  • CVE Metadata - CVE enrichment with CVSS, EPSS scores, and CISA KEV data from NVD and FIRST.org
  • NIST CVE - Common Vulnerabilities and Exposures (CVE) data from NIST database (deprecated - use CVE Metadata instead)
  • Okta - users, groups, organizations, roles, applications, factors, trusted origins, reply URIs, federation to AWS roles, federation to AWS Identity Center
  • OpenAI - Organization, AdminApiKey, User, Project, ServiceAccount, ApiKey
  • Oracle Cloud Infrastructure - IAM
  • PagerDuty - Users, teams, services, schedules, escalation policies, integrations, vendors
  • Scaleway - Projects, IAM, Local Storage, Instances
  • SentinelOne - Accounts, Agents, Applications, Application Versions, CVEs
  • Slack - Teams, Users, UserGroups, Channels
  • SnipeIT - Users, Assets
  • Socket.dev - Organizations, Repositories, Dependencies, Security Alerts (CVE, malware, supply chain risks), Fixes
  • Spacelift - Accounts, Spaces, Users, Stacks, WorkerPools, Workers, Runs, GitCommits
  • SubImage - Tenant, TeamMember, APIKey, Neo4jUser, Module, Framework
  • Tailscale - Tailnet, Users, Devices, Groups, Tags, PostureIntegrations, DevicePostures, DevicePostureConditions, device posture compliance relationships
  • Trivy Scanner - AWS ECR Images

Community

Contributing

Thank you for considering contributing to Cartography!

All contributors and participants must follow the CNCF Code of Conduct.

Submit a GitHub issue to report a bug or request a new feature. Larger discussions happen in GitHub Discussions.

Get started with our developer documentation.

Who uses Cartography?

  1. Lyft
  2. Thought Machine
  3. MessageBird
  4. Cloudanix
  5. Corelight
  6. SubImage
  7. Superhuman
  8. {Your company here} :-)

If your organization uses Cartography, please file a PR and update this list. Say hi on Slack too!

License

This project is licensed under the Apache 2.0 License.


Cartography is a Cloud Native Computing Foundation sandbox project.

Download files

Source Distribution

cartography-0.137.0.tar.gz (9.6 MB view details)

Built Distribution

cartography-0.137.0-py3-none-any.whl (1.9 MB view details)

File details

Details for the file cartography-0.137.0.tar.gz.

File metadata

  • Download URL: cartography-0.137.0.tar.gz
  • Upload date:
  • Size: 9.6 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.18 {"installer":{"name":"uv","version":"0.11.18","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for cartography-0.137.0.tar.gz

  Algorithm    Hash digest
  SHA256       777253121addf7f76f7550e177b1e3995ad69a72facc296a83bdb4300c35c6b8
  MD5          45b9a5d22c3730113cddd20cf6dbf6f4
  BLAKE2b-256  72181a4aa5f87009831a7fb2c29bb5b56cd6f1f78d558450d342f86ddf5fce1c

File details

Details for the file cartography-0.137.0-py3-none-any.whl.

File metadata

  • Download URL: cartography-0.137.0-py3-none-any.whl
  • Upload date:
  • Size: 1.9 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.18 {"installer":{"name":"uv","version":"0.11.18","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for cartography-0.137.0-py3-none-any.whl

  Algorithm    Hash digest
  SHA256       79c6f1f940ec3a7d203fb491b63ee8c1801dae99f45a57a22f9117f6462b4a05
  MD5          4a4420948407389829d79ec14d8c5594
  BLAKE2b-256  3e7df88563d3a6033da6ec0cedc00eff2e26da1637e87a7c110af3780b16825b
