attackmap 0.1.0__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (56) hide show
  1. attackmap-0.1.0/LICENSE +21 -0
  2. attackmap-0.1.0/PKG-INFO +257 -0
  3. attackmap-0.1.0/README.md +199 -0
  4. attackmap-0.1.0/pyproject.toml +99 -0
  5. attackmap-0.1.0/setup.cfg +4 -0
  6. attackmap-0.1.0/src/attackmap/__init__.py +2 -0
  7. attackmap-0.1.0/src/attackmap/analyzer.py +278 -0
  8. attackmap-0.1.0/src/attackmap/analyzer_contracts.py +104 -0
  9. attackmap-0.1.0/src/attackmap/analyzers.py +561 -0
  10. attackmap-0.1.0/src/attackmap/asset_model.py +245 -0
  11. attackmap-0.1.0/src/attackmap/attack_taxonomy.py +140 -0
  12. attackmap-0.1.0/src/attackmap/cli.py +185 -0
  13. attackmap-0.1.0/src/attackmap/context_pack.py +82 -0
  14. attackmap-0.1.0/src/attackmap/control_model.py +272 -0
  15. attackmap-0.1.0/src/attackmap/defensive_review.py +597 -0
  16. attackmap-0.1.0/src/attackmap/detection_opportunities.py +343 -0
  17. attackmap-0.1.0/src/attackmap/graph.py +26 -0
  18. attackmap-0.1.0/src/attackmap/insights.py +702 -0
  19. attackmap-0.1.0/src/attackmap/llm_review.py +346 -0
  20. attackmap-0.1.0/src/attackmap/models.py +352 -0
  21. attackmap-0.1.0/src/attackmap/recon_models.py +31 -0
  22. attackmap-0.1.0/src/attackmap/recon_to_analysis.py +121 -0
  23. attackmap-0.1.0/src/attackmap/report.py +74 -0
  24. attackmap-0.1.0/src/attackmap/review_eval.py +281 -0
  25. attackmap-0.1.0/src/attackmap/review_json.py +300 -0
  26. attackmap-0.1.0/src/attackmap/review_prompts.py +230 -0
  27. attackmap-0.1.0/src/attackmap/scanner.py +446 -0
  28. attackmap-0.1.0/src/attackmap/sdk/__init__.py +41 -0
  29. attackmap-0.1.0/src/attackmap/sdk/contracts.py +17 -0
  30. attackmap-0.1.0/src/attackmap/sdk/models.py +29 -0
  31. attackmap-0.1.0/src/attackmap/security_overlay.py +69 -0
  32. attackmap-0.1.0/src/attackmap/threat_model.py +919 -0
  33. attackmap-0.1.0/src/attackmap.egg-info/PKG-INFO +257 -0
  34. attackmap-0.1.0/src/attackmap.egg-info/SOURCES.txt +54 -0
  35. attackmap-0.1.0/src/attackmap.egg-info/dependency_links.txt +1 -0
  36. attackmap-0.1.0/src/attackmap.egg-info/entry_points.txt +2 -0
  37. attackmap-0.1.0/src/attackmap.egg-info/requires.txt +26 -0
  38. attackmap-0.1.0/src/attackmap.egg-info/top_level.txt +1 -0
  39. attackmap-0.1.0/tests/test_analyzer.py +106 -0
  40. attackmap-0.1.0/tests/test_analyzers.py +643 -0
  41. attackmap-0.1.0/tests/test_artifact_schemas.py +39 -0
  42. attackmap-0.1.0/tests/test_context_pack.py +46 -0
  43. attackmap-0.1.0/tests/test_defensive_review.py +359 -0
  44. attackmap-0.1.0/tests/test_graph.py +16 -0
  45. attackmap-0.1.0/tests/test_llm_review.py +348 -0
  46. attackmap-0.1.0/tests/test_recon_to_analysis.py +126 -0
  47. attackmap-0.1.0/tests/test_report.py +52 -0
  48. attackmap-0.1.0/tests/test_review_eval.py +68 -0
  49. attackmap-0.1.0/tests/test_review_json.py +92 -0
  50. attackmap-0.1.0/tests/test_review_prompts.py +87 -0
  51. attackmap-0.1.0/tests/test_scanner.py +427 -0
  52. attackmap-0.1.0/tests/test_security_overlay.py +353 -0
  53. attackmap-0.1.0/tests/test_shared_contract_imports.py +38 -0
  54. attackmap-0.1.0/tests/test_signal_v2.py +207 -0
  55. attackmap-0.1.0/tests/test_threat_intel.py +272 -0
  56. attackmap-0.1.0/tests/test_threat_model.py +189 -0
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 Matthew Davis and AttackMap Contributors
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
@@ -0,0 +1,257 @@
1
+ Metadata-Version: 2.4
2
+ Name: attackmap
3
+ Version: 0.1.0
4
+ Summary: AI-assisted defensive security analyzer for codebases — scans a repository, models assets and controls, finds cross-cutting weaknesses, and generates an evidence-grounded review with MITRE ATT&CK mappings and detection-engineering hints.
5
+ Author: AttackMap Contributors
6
+ Author-email: Matthew Davis <matthewd@matthewd.xyz>
7
+ Maintainer-email: Matthew Davis <matthewd@matthewd.xyz>
8
+ License: MIT
9
+ Project-URL: Homepage, https://github.com/mlaify/AttackMap
10
+ Project-URL: Documentation, https://github.com/mlaify/AttackMap/wiki
11
+ Project-URL: Repository, https://github.com/mlaify/AttackMap
12
+ Project-URL: Issues, https://github.com/mlaify/AttackMap/issues
13
+ Project-URL: Changelog, https://github.com/mlaify/AttackMap/blob/main/CHANGELOG.md
14
+ Keywords: security,static-analysis,appsec,defensive-security,threat-modeling,attack-surface,mitre-attack,detection-engineering,code-review,llm,claude
15
+ Classifier: Development Status :: 4 - Beta
16
+ Classifier: Environment :: Console
17
+ Classifier: Intended Audience :: Developers
18
+ Classifier: Intended Audience :: Information Technology
19
+ Classifier: Intended Audience :: System Administrators
20
+ Classifier: License :: OSI Approved :: MIT License
21
+ Classifier: Operating System :: OS Independent
22
+ Classifier: Programming Language :: Python :: 3
23
+ Classifier: Programming Language :: Python :: 3.11
24
+ Classifier: Programming Language :: Python :: 3.12
25
+ Classifier: Programming Language :: Python :: 3.13
26
+ Classifier: Programming Language :: Python :: 3 :: Only
27
+ Classifier: Topic :: Security
28
+ Classifier: Topic :: Software Development :: Quality Assurance
29
+ Classifier: Topic :: Software Development :: Testing
30
+ Classifier: Typing :: Typed
31
+ Requires-Python: >=3.11
32
+ Description-Content-Type: text/markdown
33
+ License-File: LICENSE
34
+ Requires-Dist: typer>=0.12.3
35
+ Requires-Dist: pydantic>=2.7.0
36
+ Requires-Dist: networkx>=3.3
37
+ Provides-Extra: llm
38
+ Requires-Dist: anthropic>=0.40.0; extra == "llm"
39
+ Provides-Extra: all
40
+ Requires-Dist: attackmap[llm]; extra == "all"
41
+ Requires-Dist: attackmap-analyzer-python; extra == "all"
42
+ Requires-Dist: attackmap-analyzer-rust; extra == "all"
43
+ Requires-Dist: attackmap-analyzer-go; extra == "all"
44
+ Requires-Dist: attackmap-analyzer-java-spring; extra == "all"
45
+ Requires-Dist: attackmap-analyzer-dotnet; extra == "all"
46
+ Requires-Dist: attackmap-analyzer-terraform; extra == "all"
47
+ Requires-Dist: attackmap-analyzer-c; extra == "all"
48
+ Requires-Dist: attackmap-analyzer-cpp; extra == "all"
49
+ Requires-Dist: attackmap-analyzer-node-service; extra == "all"
50
+ Requires-Dist: attackmap-analyzer-atproto; extra == "all"
51
+ Requires-Dist: attackmap-analyzer-php-web; extra == "all"
52
+ Requires-Dist: attackmap-analyzer-php-laminas; extra == "all"
53
+ Requires-Dist: attackmap-analyzer-omeka-s; extra == "all"
54
+ Provides-Extra: dev
55
+ Requires-Dist: pytest>=8.0.0; extra == "dev"
56
+ Requires-Dist: build>=1.2.0; extra == "dev"
57
+ Dynamic: license-file
58
+
59
+ # AttackMap
60
+
61
+ **AI-assisted defensive security analysis for codebases.** AttackMap reads your
62
+ repository, models its assets and defensive controls, finds cross-cutting
63
+ weaknesses that single-file scanners miss, and produces an evidence-grounded
64
+ security review with MITRE ATT&CK mappings and detection-engineering hints.
65
+
66
+ Built for AppSec engineers, SOC and detection-engineering teams, and engineering
67
+ managers who need to triage an unfamiliar codebase.
68
+
69
+ > Story over checklist. Asset-aware. Control-absence-aware. Evidence-grounded.
70
+
71
+ [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
72
+ [![Python: 3.11+](https://img.shields.io/badge/Python-3.11%2B-blue.svg)](https://www.python.org/)
73
+
74
+ ---
75
+
76
+ ## Quickstart
77
+
78
+ Install with all bundled analyzers:
79
+
80
+ ```bash
81
+ pip install "attackmap[all]"
82
+ ```
83
+
84
+ Run a review on a repository:
85
+
86
+ ```bash
87
+ attackmap analyze /path/to/repo --output reports
88
+ ```
89
+
90
+ Optional: add an AI-narrated review using Claude. Either set an
91
+ `ANTHROPIC_API_KEY`, or log in once with the [Claude Code CLI](https://docs.claude.com/claude-code)
92
+ to use your existing Pro/Max subscription:
93
+
94
+ ```bash
95
+ attackmap analyze /path/to/repo --output reports --llm
96
+ ```
97
+
98
+ Read `reports/defensive-review.md` (heuristic) and `reports/defensive-review-llm.md`
99
+ (LLM-narrated) side by side.
100
+
101
+ ---
102
+
103
+ ## Install
104
+
105
+ ### From PyPI
106
+
107
+ ```bash
108
+ pip install attackmap # core only
109
+ pip install "attackmap[llm]" # add LLM narrative support
110
+ pip install "attackmap[all]" # core + LLM + all 11 analyzer plugins
111
+ ```
112
+
113
+ You can also install individual analyzer plugins on demand:
114
+
115
+ ```bash
116
+ pip install attackmap-analyzer-python attackmap-analyzer-go
117
+ ```
118
+
119
+ ### With Docker
120
+
121
+ ```bash
122
+ docker run --rm -v "$PWD:/src" ghcr.io/mlaify/attackmap:latest analyze /src --output /src/reports
123
+ ```
124
+
125
+ ### With Homebrew (macOS)
126
+
127
+ ```bash
128
+ brew install mlaify/tap/attackmap
129
+ ```
130
+
131
+ ### From source
132
+
133
+ ```bash
134
+ git clone https://github.com/mlaify/AttackMap.git
135
+ cd AttackMap
136
+ pip install -e ".[llm]"
137
+ ```
138
+
139
+ ---
140
+
141
+ ## What you get
142
+
143
+ Every `attackmap analyze` run writes:
144
+
145
+ | File | What it is |
146
+ |---|---|
147
+ | `architecture.md` | High-level summary of the repository |
148
+ | `attack-surface.md` | Surfaces classified by category, exposure, and risk |
149
+ | `defensive-review.md` | Notable Observations, Asset Inventory, Defensive Controls, Strengths, Weaknesses, Detection Opportunities, Recommendations |
150
+ | `defensive-review.json` | Structured equivalent (schema v1.2.0) |
151
+ | `review-context-pack.json` | Structured evidence pack consumed by the LLM stage |
152
+ | `attackmap-report.json` | Everything bundled |
153
+ | `defensive-review-llm.md` *(with `--llm`)* | Claude-narrated review |
154
+ | `defensive-review-llm.meta.json` *(with `--llm`)* | Backend, model, token usage |
155
+
156
+ ---
157
+
158
+ ## How it works
159
+
160
+ AttackMap is built as four layers, each grounded in the layer below.
161
+
162
+ **1. Heuristic scanner + analyzer plugins.** Language-aware extraction of routes,
163
+ databases, external calls, auth signals, secrets, frameworks, and entrypoints.
164
+ Every signal carries a `file:line` citation, an evidence-text snippet, and a
165
+ confidence score. Plugins are auto-discovered through the `attackmap.analyzers`
166
+ entry-point group.
167
+
168
+ **2. Asset and control overlay.** Identifies *what's at risk* (credentials,
169
+ sessions, PII, payment records, internal secrets — with criticality tiers) and
170
+ *what protects it* (authentication, authorization, input validation, rate
171
+ limiting, CSRF, encryption, audit logging, RBAC, MFA), including detection of
172
+ *absent* expected controls.
173
+
174
+ **3. Cross-cutting insight engine.** Connects findings into narratives —
175
+ sensitive-asset reachability, shared-secret blast radius, defense gaps in attack
176
+ chains, control-strength mismatches, asymmetric protection, audit gaps,
177
+ trust-boundary violations, and more.
178
+
179
+ **4. LLM narrative review.** With `--llm`, Claude Opus generates a final review
180
+ from the structured evidence pack. The model is forced to cite real
181
+ surface/asset/control IDs, so it can't invent findings.
182
+
183
+ Layered on top: **MITRE ATT&CK technique mappings** on every insight and
184
+ **detection opportunities** (Sigma/KQL/Splunk-style hints) for each weakness.
185
+
186
+ ---
187
+
188
+ ## Supported ecosystems
189
+
190
+ Eleven official analyzer plugins, each distributable as a separate package:
191
+
192
+ | Plugin | Coverage |
193
+ |---|---|
194
+ | `attackmap-analyzer-python` | Django, Starlette, AIOHTTP, Sanic, Litestar, DRF; SQLAlchemy/asyncpg/motor; passlib/PyJWT/authlib; httpx/aiohttp |
195
+ | `attackmap-analyzer-rust` | axum, actix-web, rocket; sqlx, diesel, sea-orm; jsonwebtoken, argon2; reqwest |
196
+ | `attackmap-analyzer-go` | net/http, chi, gin, echo, fiber, gorilla/mux; database/sql, gorm, pgx; golang-jwt; resty |
197
+ | `attackmap-analyzer-java-spring` | Java/Kotlin Spring Boot, JAX-RS, Ktor; Spring Data; Spring Security; jjwt |
198
+ | `attackmap-analyzer-dotnet` | ASP.NET Core minimal APIs and attribute routing, EF Core, Identity, JwtBearer |
199
+ | `attackmap-analyzer-terraform` | AWS, Azure, GCP resources; IAM wildcards; open SGs; secrets |
200
+ | `attackmap-analyzer-c` | libmicrohttpd, civetweb, mongoose; libcurl; OpenSSL/libsodium; sqlite3/libpq/mysql |
201
+ | `attackmap-analyzer-cpp` | Crow, Pistache, Drogon, cpprestsdk; libcurl/cpr; OpenSSL/Botan/libsodium; libpqxx/mongocxx |
202
+ | `attackmap-analyzer-node-service` | Node.js / TypeScript service ecosystems |
203
+ | `attackmap-analyzer-atproto` | AT Protocol (Bluesky) services |
204
+ | `attackmap-analyzer-php-web` / `-php-laminas` / `-omeka-s` | Generic PHP web, Laminas/Zend MVC, Omeka-S |
205
+
206
+ `pip install "attackmap[all]"` installs every official plugin.
207
+
208
+ ---
209
+
210
+ ## CLI reference
211
+
212
+ ```bash
213
+ attackmap analyze <path> # run a review on a repository
214
+ attackmap analyze <path> --output dir # write outputs to `dir/`
215
+ attackmap analyze <path> --module python --module rust # only these analyzers
216
+ attackmap analyze <path> --llm # add LLM narrative (auto-resolve auth)
217
+ attackmap analyze <path> --llm --llm-backend cli # force Claude CLI
218
+ attackmap modules # list installed analyzers
219
+ ```
220
+
221
+ `--module` is repeatable. Missing requested external analyzers can be
222
+ auto-installed (when possible) from the `mlaify` GitHub organization.
223
+
224
+ ---
225
+
226
+ ## What AttackMap is *not*
227
+
228
+ - **A runtime detector.** AttackMap is static. The detection opportunities it
229
+ emits are *hints* for your SIEM team — they are not deployable rules.
230
+ - **A vulnerability scanner.** AttackMap models architecture, assets, and
231
+ controls. It does not match known-CVE patterns.
232
+ - **Exhaustive.** AttackMap is heuristic by design. Findings are confidence-tiered
233
+ with explicit guardrails for stale signals.
234
+
235
+ ---
236
+
237
+ ## Documentation
238
+
239
+ - [`CHANGELOG.md`](CHANGELOG.md) — release notes
240
+ - [`CONTRIBUTING.md`](CONTRIBUTING.md) — development setup and PR process
241
+ - [`SECURITY.md`](SECURITY.md) — vulnerability disclosure
242
+ - [`AGENTS.md`](AGENTS.md) — agent-facing repo guide
243
+ - [`VISION.md`](VISION.md) — project direction
244
+ - [GitHub wiki](https://github.com/mlaify/AttackMap/wiki) — deeper architecture
245
+ and analyzer-contract references
246
+
247
+ ---
248
+
249
+ ## Contributing
250
+
251
+ Issues and pull requests are welcome. See [CONTRIBUTING.md](CONTRIBUTING.md)
252
+ for setup, testing, and submission guidelines. By contributing you agree that
253
+ your contributions will be MIT-licensed.
254
+
255
+ ## License
256
+
257
+ [MIT](LICENSE). Copyright (c) 2026 Matthew Davis and AttackMap Contributors.
@@ -0,0 +1,199 @@
1
+ # AttackMap
2
+
3
+ **AI-assisted defensive security analysis for codebases.** AttackMap reads your
4
+ repository, models its assets and defensive controls, finds cross-cutting
5
+ weaknesses that single-file scanners miss, and produces an evidence-grounded
6
+ security review with MITRE ATT&CK mappings and detection-engineering hints.
7
+
8
+ Built for AppSec engineers, SOC and detection-engineering teams, and engineering
9
+ managers who need to triage an unfamiliar codebase.
10
+
11
+ > Story over checklist. Asset-aware. Control-absence-aware. Evidence-grounded.
12
+
13
+ [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
14
+ [![Python: 3.11+](https://img.shields.io/badge/Python-3.11%2B-blue.svg)](https://www.python.org/)
15
+
16
+ ---
17
+
18
+ ## Quickstart
19
+
20
+ Install with all bundled analyzers:
21
+
22
+ ```bash
23
+ pip install "attackmap[all]"
24
+ ```
25
+
26
+ Run a review on a repository:
27
+
28
+ ```bash
29
+ attackmap analyze /path/to/repo --output reports
30
+ ```
31
+
32
+ Optional: add an AI-narrated review using Claude. Either set an
33
+ `ANTHROPIC_API_KEY`, or log in once with the [Claude Code CLI](https://docs.claude.com/claude-code)
34
+ to use your existing Pro/Max subscription:
35
+
36
+ ```bash
37
+ attackmap analyze /path/to/repo --output reports --llm
38
+ ```
39
+
40
+ Read `reports/defensive-review.md` (heuristic) and `reports/defensive-review-llm.md`
41
+ (LLM-narrated) side by side.
42
+
43
+ ---
44
+
45
+ ## Install
46
+
47
+ ### From PyPI
48
+
49
+ ```bash
50
+ pip install attackmap # core only
51
+ pip install "attackmap[llm]" # add LLM narrative support
52
+ pip install "attackmap[all]" # core + LLM + all 11 analyzer plugins
53
+ ```
54
+
55
+ You can also install individual analyzer plugins on demand:
56
+
57
+ ```bash
58
+ pip install attackmap-analyzer-python attackmap-analyzer-go
59
+ ```
60
+
61
+ ### With Docker
62
+
63
+ ```bash
64
+ docker run --rm -v "$PWD:/src" ghcr.io/mlaify/attackmap:latest analyze /src --output /src/reports
65
+ ```
66
+
67
+ ### With Homebrew (macOS)
68
+
69
+ ```bash
70
+ brew install mlaify/tap/attackmap
71
+ ```
72
+
73
+ ### From source
74
+
75
+ ```bash
76
+ git clone https://github.com/mlaify/AttackMap.git
77
+ cd AttackMap
78
+ pip install -e ".[llm]"
79
+ ```
80
+
81
+ ---
82
+
83
+ ## What you get
84
+
85
+ Every `attackmap analyze` run writes:
86
+
87
+ | File | What it is |
88
+ |---|---|
89
+ | `architecture.md` | High-level summary of the repository |
90
+ | `attack-surface.md` | Surfaces classified by category, exposure, and risk |
91
+ | `defensive-review.md` | Notable Observations, Asset Inventory, Defensive Controls, Strengths, Weaknesses, Detection Opportunities, Recommendations |
92
+ | `defensive-review.json` | Structured equivalent (schema v1.2.0) |
93
+ | `review-context-pack.json` | Structured evidence pack consumed by the LLM stage |
94
+ | `attackmap-report.json` | Everything bundled |
95
+ | `defensive-review-llm.md` *(with `--llm`)* | Claude-narrated review |
96
+ | `defensive-review-llm.meta.json` *(with `--llm`)* | Backend, model, token usage |
97
+
98
+ ---
99
+
100
+ ## How it works
101
+
102
+ AttackMap is built as four layers, each grounded in the layer below.
103
+
104
+ **1. Heuristic scanner + analyzer plugins.** Language-aware extraction of routes,
105
+ databases, external calls, auth signals, secrets, frameworks, and entrypoints.
106
+ Every signal carries a `file:line` citation, an evidence-text snippet, and a
107
+ confidence score. Plugins are auto-discovered through the `attackmap.analyzers`
108
+ entry-point group.
109
+
110
+ **2. Asset and control overlay.** Identifies *what's at risk* (credentials,
111
+ sessions, PII, payment records, internal secrets — with criticality tiers) and
112
+ *what protects it* (authentication, authorization, input validation, rate
113
+ limiting, CSRF, encryption, audit logging, RBAC, MFA), including detection of
114
+ *absent* expected controls.
115
+
116
+ **3. Cross-cutting insight engine.** Connects findings into narratives —
117
+ sensitive-asset reachability, shared-secret blast radius, defense gaps in attack
118
+ chains, control-strength mismatches, asymmetric protection, audit gaps,
119
+ trust-boundary violations, and more.
120
+
121
+ **4. LLM narrative review.** With `--llm`, Claude Opus generates a final review
122
+ from the structured evidence pack. The model is forced to cite real
123
+ surface/asset/control IDs, so it can't invent findings.
124
+
125
+ Layered on top: **MITRE ATT&CK technique mappings** on every insight and
126
+ **detection opportunities** (Sigma/KQL/Splunk-style hints) for each weakness.
127
+
128
+ ---
129
+
130
+ ## Supported ecosystems
131
+
132
+ Eleven official analyzer plugins, each distributable as a separate package:
133
+
134
+ | Plugin | Coverage |
135
+ |---|---|
136
+ | `attackmap-analyzer-python` | Django, Starlette, AIOHTTP, Sanic, Litestar, DRF; SQLAlchemy/asyncpg/motor; passlib/PyJWT/authlib; httpx/aiohttp |
137
+ | `attackmap-analyzer-rust` | axum, actix-web, rocket; sqlx, diesel, sea-orm; jsonwebtoken, argon2; reqwest |
138
+ | `attackmap-analyzer-go` | net/http, chi, gin, echo, fiber, gorilla/mux; database/sql, gorm, pgx; golang-jwt; resty |
139
+ | `attackmap-analyzer-java-spring` | Java/Kotlin Spring Boot, JAX-RS, Ktor; Spring Data; Spring Security; jjwt |
140
+ | `attackmap-analyzer-dotnet` | ASP.NET Core minimal APIs and attribute routing, EF Core, Identity, JwtBearer |
141
+ | `attackmap-analyzer-terraform` | AWS, Azure, GCP resources; IAM wildcards; open SGs; secrets |
142
+ | `attackmap-analyzer-c` | libmicrohttpd, civetweb, mongoose; libcurl; OpenSSL/libsodium; sqlite3/libpq/mysql |
143
+ | `attackmap-analyzer-cpp` | Crow, Pistache, Drogon, cpprestsdk; libcurl/cpr; OpenSSL/Botan/libsodium; libpqxx/mongocxx |
144
+ | `attackmap-analyzer-node-service` | Node.js / TypeScript service ecosystems |
145
+ | `attackmap-analyzer-atproto` | AT Protocol (Bluesky) services |
146
+ | `attackmap-analyzer-php-web` / `-php-laminas` / `-omeka-s` | Generic PHP web, Laminas/Zend MVC, Omeka-S |
147
+
148
+ `pip install "attackmap[all]"` installs every official plugin.
149
+
150
+ ---
151
+
152
+ ## CLI reference
153
+
154
+ ```bash
155
+ attackmap analyze <path> # run a review on a repository
156
+ attackmap analyze <path> --output dir # write outputs to `dir/`
157
+ attackmap analyze <path> --module python --module rust # only these analyzers
158
+ attackmap analyze <path> --llm # add LLM narrative (auto-resolve auth)
159
+ attackmap analyze <path> --llm --llm-backend cli # force Claude CLI
160
+ attackmap modules # list installed analyzers
161
+ ```
162
+
163
+ `--module` is repeatable. Missing requested external analyzers can be
164
+ auto-installed (when possible) from the `mlaify` GitHub organization.
165
+
166
+ ---
167
+
168
+ ## What AttackMap is *not*
169
+
170
+ - **A runtime detector.** AttackMap is static. The detection opportunities it
171
+ emits are *hints* for your SIEM team — they are not deployable rules.
172
+ - **A vulnerability scanner.** AttackMap models architecture, assets, and
173
+ controls. It does not match known-CVE patterns.
174
+ - **Exhaustive.** AttackMap is heuristic by design. Findings are confidence-tiered
175
+ with explicit guardrails for stale signals.
176
+
177
+ ---
178
+
179
+ ## Documentation
180
+
181
+ - [`CHANGELOG.md`](CHANGELOG.md) — release notes
182
+ - [`CONTRIBUTING.md`](CONTRIBUTING.md) — development setup and PR process
183
+ - [`SECURITY.md`](SECURITY.md) — vulnerability disclosure
184
+ - [`AGENTS.md`](AGENTS.md) — agent-facing repo guide
185
+ - [`VISION.md`](VISION.md) — project direction
186
+ - [GitHub wiki](https://github.com/mlaify/AttackMap/wiki) — deeper architecture
187
+ and analyzer-contract references
188
+
189
+ ---
190
+
191
+ ## Contributing
192
+
193
+ Issues and pull requests are welcome. See [CONTRIBUTING.md](CONTRIBUTING.md)
194
+ for setup, testing, and submission guidelines. By contributing you agree that
195
+ your contributions will be MIT-licensed.
196
+
197
+ ## License
198
+
199
+ [MIT](LICENSE). Copyright (c) 2026 Matthew Davis and AttackMap Contributors.
@@ -0,0 +1,99 @@
1
+ [build-system]
2
+ requires = ["setuptools>=68", "wheel"]
3
+ build-backend = "setuptools.build_meta"
4
+
5
+ [project]
6
+ name = "attackmap"
7
+ version = "0.1.0"
8
+ description = "AI-assisted defensive security analyzer for codebases — scans a repository, models assets and controls, finds cross-cutting weaknesses, and generates an evidence-grounded review with MITRE ATT&CK mappings and detection-engineering hints."
9
+ readme = "README.md"
10
+ requires-python = ">=3.11"
11
+ license = {text = "MIT"}
12
+ authors = [
13
+ {name = "Matthew Davis", email = "matthewd@matthewd.xyz"},
14
+ {name = "AttackMap Contributors"},
15
+ ]
16
+ maintainers = [
17
+ {name = "Matthew Davis", email = "matthewd@matthewd.xyz"},
18
+ ]
19
+ keywords = [
20
+ "security",
21
+ "static-analysis",
22
+ "appsec",
23
+ "defensive-security",
24
+ "threat-modeling",
25
+ "attack-surface",
26
+ "mitre-attack",
27
+ "detection-engineering",
28
+ "code-review",
29
+ "llm",
30
+ "claude",
31
+ ]
32
+ classifiers = [
33
+ "Development Status :: 4 - Beta",
34
+ "Environment :: Console",
35
+ "Intended Audience :: Developers",
36
+ "Intended Audience :: Information Technology",
37
+ "Intended Audience :: System Administrators",
38
+ "License :: OSI Approved :: MIT License",
39
+ "Operating System :: OS Independent",
40
+ "Programming Language :: Python :: 3",
41
+ "Programming Language :: Python :: 3.11",
42
+ "Programming Language :: Python :: 3.12",
43
+ "Programming Language :: Python :: 3.13",
44
+ "Programming Language :: Python :: 3 :: Only",
45
+ "Topic :: Security",
46
+ "Topic :: Software Development :: Quality Assurance",
47
+ "Topic :: Software Development :: Testing",
48
+ "Typing :: Typed",
49
+ ]
50
+ dependencies = [
51
+ "typer>=0.12.3",
52
+ "pydantic>=2.7.0",
53
+ "networkx>=3.3",
54
+ ]
55
+
56
+ [project.optional-dependencies]
57
+ llm = [
58
+ "anthropic>=0.40.0",
59
+ ]
60
+ all = [
61
+ "attackmap[llm]",
62
+ "attackmap-analyzer-python",
63
+ "attackmap-analyzer-rust",
64
+ "attackmap-analyzer-go",
65
+ "attackmap-analyzer-java-spring",
66
+ "attackmap-analyzer-dotnet",
67
+ "attackmap-analyzer-terraform",
68
+ "attackmap-analyzer-c",
69
+ "attackmap-analyzer-cpp",
70
+ "attackmap-analyzer-node-service",
71
+ "attackmap-analyzer-atproto",
72
+ "attackmap-analyzer-php-web",
73
+ "attackmap-analyzer-php-laminas",
74
+ "attackmap-analyzer-omeka-s",
75
+ ]
76
+ dev = [
77
+ "pytest>=8.0.0",
78
+ "build>=1.2.0",
79
+ ]
80
+
81
+ [project.urls]
82
+ Homepage = "https://github.com/mlaify/AttackMap"
83
+ Documentation = "https://github.com/mlaify/AttackMap/wiki"
84
+ Repository = "https://github.com/mlaify/AttackMap"
85
+ Issues = "https://github.com/mlaify/AttackMap/issues"
86
+ Changelog = "https://github.com/mlaify/AttackMap/blob/main/CHANGELOG.md"
87
+
88
+ [project.scripts]
89
+ attackmap = "attackmap.cli:app"
90
+
91
+ [tool.setuptools]
92
+ package-dir = {"" = "src"}
93
+
94
+ [tool.setuptools.packages.find]
95
+ where = ["src"]
96
+
97
+ [tool.pytest.ini_options]
98
+ pythonpath = ["src"]
99
+ testpaths = ["tests"]
@@ -0,0 +1,4 @@
1
+ [egg_info]
2
+ tag_build =
3
+ tag_date = 0
4
+
@@ -0,0 +1,2 @@
1
+ __all__ = ["__version__"]
2
+ __version__ = "0.1.0"