attackmap 0.1.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- attackmap-0.1.0/LICENSE +21 -0
- attackmap-0.1.0/PKG-INFO +257 -0
- attackmap-0.1.0/README.md +199 -0
- attackmap-0.1.0/pyproject.toml +99 -0
- attackmap-0.1.0/setup.cfg +4 -0
- attackmap-0.1.0/src/attackmap/__init__.py +2 -0
- attackmap-0.1.0/src/attackmap/analyzer.py +278 -0
- attackmap-0.1.0/src/attackmap/analyzer_contracts.py +104 -0
- attackmap-0.1.0/src/attackmap/analyzers.py +561 -0
- attackmap-0.1.0/src/attackmap/asset_model.py +245 -0
- attackmap-0.1.0/src/attackmap/attack_taxonomy.py +140 -0
- attackmap-0.1.0/src/attackmap/cli.py +185 -0
- attackmap-0.1.0/src/attackmap/context_pack.py +82 -0
- attackmap-0.1.0/src/attackmap/control_model.py +272 -0
- attackmap-0.1.0/src/attackmap/defensive_review.py +597 -0
- attackmap-0.1.0/src/attackmap/detection_opportunities.py +343 -0
- attackmap-0.1.0/src/attackmap/graph.py +26 -0
- attackmap-0.1.0/src/attackmap/insights.py +702 -0
- attackmap-0.1.0/src/attackmap/llm_review.py +346 -0
- attackmap-0.1.0/src/attackmap/models.py +352 -0
- attackmap-0.1.0/src/attackmap/recon_models.py +31 -0
- attackmap-0.1.0/src/attackmap/recon_to_analysis.py +121 -0
- attackmap-0.1.0/src/attackmap/report.py +74 -0
- attackmap-0.1.0/src/attackmap/review_eval.py +281 -0
- attackmap-0.1.0/src/attackmap/review_json.py +300 -0
- attackmap-0.1.0/src/attackmap/review_prompts.py +230 -0
- attackmap-0.1.0/src/attackmap/scanner.py +446 -0
- attackmap-0.1.0/src/attackmap/sdk/__init__.py +41 -0
- attackmap-0.1.0/src/attackmap/sdk/contracts.py +17 -0
- attackmap-0.1.0/src/attackmap/sdk/models.py +29 -0
- attackmap-0.1.0/src/attackmap/security_overlay.py +69 -0
- attackmap-0.1.0/src/attackmap/threat_model.py +919 -0
- attackmap-0.1.0/src/attackmap.egg-info/PKG-INFO +257 -0
- attackmap-0.1.0/src/attackmap.egg-info/SOURCES.txt +54 -0
- attackmap-0.1.0/src/attackmap.egg-info/dependency_links.txt +1 -0
- attackmap-0.1.0/src/attackmap.egg-info/entry_points.txt +2 -0
- attackmap-0.1.0/src/attackmap.egg-info/requires.txt +26 -0
- attackmap-0.1.0/src/attackmap.egg-info/top_level.txt +1 -0
- attackmap-0.1.0/tests/test_analyzer.py +106 -0
- attackmap-0.1.0/tests/test_analyzers.py +643 -0
- attackmap-0.1.0/tests/test_artifact_schemas.py +39 -0
- attackmap-0.1.0/tests/test_context_pack.py +46 -0
- attackmap-0.1.0/tests/test_defensive_review.py +359 -0
- attackmap-0.1.0/tests/test_graph.py +16 -0
- attackmap-0.1.0/tests/test_llm_review.py +348 -0
- attackmap-0.1.0/tests/test_recon_to_analysis.py +126 -0
- attackmap-0.1.0/tests/test_report.py +52 -0
- attackmap-0.1.0/tests/test_review_eval.py +68 -0
- attackmap-0.1.0/tests/test_review_json.py +92 -0
- attackmap-0.1.0/tests/test_review_prompts.py +87 -0
- attackmap-0.1.0/tests/test_scanner.py +427 -0
- attackmap-0.1.0/tests/test_security_overlay.py +353 -0
- attackmap-0.1.0/tests/test_shared_contract_imports.py +38 -0
- attackmap-0.1.0/tests/test_signal_v2.py +207 -0
- attackmap-0.1.0/tests/test_threat_intel.py +272 -0
- attackmap-0.1.0/tests/test_threat_model.py +189 -0
attackmap-0.1.0/LICENSE
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 Matthew Davis and AttackMap Contributors
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
attackmap-0.1.0/PKG-INFO
ADDED
|
@@ -0,0 +1,257 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: attackmap
|
|
3
|
+
Version: 0.1.0
|
|
4
|
+
Summary: AI-assisted defensive security analyzer for codebases — scans a repository, models assets and controls, finds cross-cutting weaknesses, and generates an evidence-grounded review with MITRE ATT&CK mappings and detection-engineering hints.
|
|
5
|
+
Author: AttackMap Contributors
|
|
6
|
+
Author-email: Matthew Davis <matthewd@matthewd.xyz>
|
|
7
|
+
Maintainer-email: Matthew Davis <matthewd@matthewd.xyz>
|
|
8
|
+
License: MIT
|
|
9
|
+
Project-URL: Homepage, https://github.com/mlaify/AttackMap
|
|
10
|
+
Project-URL: Documentation, https://github.com/mlaify/AttackMap/wiki
|
|
11
|
+
Project-URL: Repository, https://github.com/mlaify/AttackMap
|
|
12
|
+
Project-URL: Issues, https://github.com/mlaify/AttackMap/issues
|
|
13
|
+
Project-URL: Changelog, https://github.com/mlaify/AttackMap/blob/main/CHANGELOG.md
|
|
14
|
+
Keywords: security,static-analysis,appsec,defensive-security,threat-modeling,attack-surface,mitre-attack,detection-engineering,code-review,llm,claude
|
|
15
|
+
Classifier: Development Status :: 4 - Beta
|
|
16
|
+
Classifier: Environment :: Console
|
|
17
|
+
Classifier: Intended Audience :: Developers
|
|
18
|
+
Classifier: Intended Audience :: Information Technology
|
|
19
|
+
Classifier: Intended Audience :: System Administrators
|
|
20
|
+
Classifier: License :: OSI Approved :: MIT License
|
|
21
|
+
Classifier: Operating System :: OS Independent
|
|
22
|
+
Classifier: Programming Language :: Python :: 3
|
|
23
|
+
Classifier: Programming Language :: Python :: 3.11
|
|
24
|
+
Classifier: Programming Language :: Python :: 3.12
|
|
25
|
+
Classifier: Programming Language :: Python :: 3.13
|
|
26
|
+
Classifier: Programming Language :: Python :: 3 :: Only
|
|
27
|
+
Classifier: Topic :: Security
|
|
28
|
+
Classifier: Topic :: Software Development :: Quality Assurance
|
|
29
|
+
Classifier: Topic :: Software Development :: Testing
|
|
30
|
+
Classifier: Typing :: Typed
|
|
31
|
+
Requires-Python: >=3.11
|
|
32
|
+
Description-Content-Type: text/markdown
|
|
33
|
+
License-File: LICENSE
|
|
34
|
+
Requires-Dist: typer>=0.12.3
|
|
35
|
+
Requires-Dist: pydantic>=2.7.0
|
|
36
|
+
Requires-Dist: networkx>=3.3
|
|
37
|
+
Provides-Extra: llm
|
|
38
|
+
Requires-Dist: anthropic>=0.40.0; extra == "llm"
|
|
39
|
+
Provides-Extra: all
|
|
40
|
+
Requires-Dist: attackmap[llm]; extra == "all"
|
|
41
|
+
Requires-Dist: attackmap-analyzer-python; extra == "all"
|
|
42
|
+
Requires-Dist: attackmap-analyzer-rust; extra == "all"
|
|
43
|
+
Requires-Dist: attackmap-analyzer-go; extra == "all"
|
|
44
|
+
Requires-Dist: attackmap-analyzer-java-spring; extra == "all"
|
|
45
|
+
Requires-Dist: attackmap-analyzer-dotnet; extra == "all"
|
|
46
|
+
Requires-Dist: attackmap-analyzer-terraform; extra == "all"
|
|
47
|
+
Requires-Dist: attackmap-analyzer-c; extra == "all"
|
|
48
|
+
Requires-Dist: attackmap-analyzer-cpp; extra == "all"
|
|
49
|
+
Requires-Dist: attackmap-analyzer-node-service; extra == "all"
|
|
50
|
+
Requires-Dist: attackmap-analyzer-atproto; extra == "all"
|
|
51
|
+
Requires-Dist: attackmap-analyzer-php-web; extra == "all"
|
|
52
|
+
Requires-Dist: attackmap-analyzer-php-laminas; extra == "all"
|
|
53
|
+
Requires-Dist: attackmap-analyzer-omeka-s; extra == "all"
|
|
54
|
+
Provides-Extra: dev
|
|
55
|
+
Requires-Dist: pytest>=8.0.0; extra == "dev"
|
|
56
|
+
Requires-Dist: build>=1.2.0; extra == "dev"
|
|
57
|
+
Dynamic: license-file
|
|
58
|
+
|
|
59
|
+
# AttackMap
|
|
60
|
+
|
|
61
|
+
**AI-assisted defensive security analysis for codebases.** AttackMap reads your
|
|
62
|
+
repository, models its assets and defensive controls, finds cross-cutting
|
|
63
|
+
weaknesses that single-file scanners miss, and produces an evidence-grounded
|
|
64
|
+
security review with MITRE ATT&CK mappings and detection-engineering hints.
|
|
65
|
+
|
|
66
|
+
Built for AppSec engineers, SOC and detection-engineering teams, and engineering
|
|
67
|
+
managers who need to triage an unfamiliar codebase.
|
|
68
|
+
|
|
69
|
+
> Story over checklist. Asset-aware. Control-absence-aware. Evidence-grounded.
|
|
70
|
+
|
|
71
|
+
[](LICENSE)
|
|
72
|
+
[](https://www.python.org/)
|
|
73
|
+
|
|
74
|
+
---
|
|
75
|
+
|
|
76
|
+
## Quickstart
|
|
77
|
+
|
|
78
|
+
Install with all bundled analyzers:
|
|
79
|
+
|
|
80
|
+
```bash
|
|
81
|
+
pip install "attackmap[all]"
|
|
82
|
+
```
|
|
83
|
+
|
|
84
|
+
Run a review on a repository:
|
|
85
|
+
|
|
86
|
+
```bash
|
|
87
|
+
attackmap analyze /path/to/repo --output reports
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
Optional: add an AI-narrated review using Claude. Either set an
|
|
91
|
+
`ANTHROPIC_API_KEY`, or log in once with the [Claude Code CLI](https://docs.claude.com/claude-code)
|
|
92
|
+
to use your existing Pro/Max subscription:
|
|
93
|
+
|
|
94
|
+
```bash
|
|
95
|
+
attackmap analyze /path/to/repo --output reports --llm
|
|
96
|
+
```
|
|
97
|
+
|
|
98
|
+
Read `reports/defensive-review.md` (heuristic) and `reports/defensive-review-llm.md`
|
|
99
|
+
(LLM-narrated) side by side.
|
|
100
|
+
|
|
101
|
+
---
|
|
102
|
+
|
|
103
|
+
## Install
|
|
104
|
+
|
|
105
|
+
### From PyPI
|
|
106
|
+
|
|
107
|
+
```bash
|
|
108
|
+
pip install attackmap # core only
|
|
109
|
+
pip install "attackmap[llm]" # add LLM narrative support
|
|
110
|
+
pip install "attackmap[all]" # core + LLM + all 11 analyzer plugins
|
|
111
|
+
```
|
|
112
|
+
|
|
113
|
+
You can also install individual analyzer plugins on demand:
|
|
114
|
+
|
|
115
|
+
```bash
|
|
116
|
+
pip install attackmap-analyzer-python attackmap-analyzer-go
|
|
117
|
+
```
|
|
118
|
+
|
|
119
|
+
### With Docker
|
|
120
|
+
|
|
121
|
+
```bash
|
|
122
|
+
docker run --rm -v "$PWD:/src" ghcr.io/mlaify/attackmap:latest analyze /src --output /src/reports
|
|
123
|
+
```
|
|
124
|
+
|
|
125
|
+
### With Homebrew (macOS)
|
|
126
|
+
|
|
127
|
+
```bash
|
|
128
|
+
brew install mlaify/tap/attackmap
|
|
129
|
+
```
|
|
130
|
+
|
|
131
|
+
### From source
|
|
132
|
+
|
|
133
|
+
```bash
|
|
134
|
+
git clone https://github.com/mlaify/AttackMap.git
|
|
135
|
+
cd AttackMap
|
|
136
|
+
pip install -e ".[llm]"
|
|
137
|
+
```
|
|
138
|
+
|
|
139
|
+
---
|
|
140
|
+
|
|
141
|
+
## What you get
|
|
142
|
+
|
|
143
|
+
Every `attackmap analyze` run writes:
|
|
144
|
+
|
|
145
|
+
| File | What it is |
|
|
146
|
+
|---|---|
|
|
147
|
+
| `architecture.md` | High-level summary of the repository |
|
|
148
|
+
| `attack-surface.md` | Surfaces classified by category, exposure, and risk |
|
|
149
|
+
| `defensive-review.md` | Notable Observations, Asset Inventory, Defensive Controls, Strengths, Weaknesses, Detection Opportunities, Recommendations |
|
|
150
|
+
| `defensive-review.json` | Structured equivalent (schema v1.2.0) |
|
|
151
|
+
| `review-context-pack.json` | Structured evidence pack consumed by the LLM stage |
|
|
152
|
+
| `attackmap-report.json` | Everything bundled |
|
|
153
|
+
| `defensive-review-llm.md` *(with `--llm`)* | Claude-narrated review |
|
|
154
|
+
| `defensive-review-llm.meta.json` *(with `--llm`)* | Backend, model, token usage |
|
|
155
|
+
|
|
156
|
+
---
|
|
157
|
+
|
|
158
|
+
## How it works
|
|
159
|
+
|
|
160
|
+
AttackMap is built as four layers, each grounded in the layer below.
|
|
161
|
+
|
|
162
|
+
**1. Heuristic scanner + analyzer plugins.** Language-aware extraction of routes,
|
|
163
|
+
databases, external calls, auth signals, secrets, frameworks, and entrypoints.
|
|
164
|
+
Every signal carries a `file:line` citation, an evidence-text snippet, and a
|
|
165
|
+
confidence score. Plugins are auto-discovered through the `attackmap.analyzers`
|
|
166
|
+
entry-point group.
|
|
167
|
+
|
|
168
|
+
**2. Asset and control overlay.** Identifies *what's at risk* (credentials,
|
|
169
|
+
sessions, PII, payment records, internal secrets — with criticality tiers) and
|
|
170
|
+
*what protects it* (authentication, authorization, input validation, rate
|
|
171
|
+
limiting, CSRF, encryption, audit logging, RBAC, MFA), including detection of
|
|
172
|
+
*absent* expected controls.
|
|
173
|
+
|
|
174
|
+
**3. Cross-cutting insight engine.** Connects findings into narratives —
|
|
175
|
+
sensitive-asset reachability, shared-secret blast radius, defense gaps in attack
|
|
176
|
+
chains, control-strength mismatches, asymmetric protection, audit gaps,
|
|
177
|
+
trust-boundary violations, and more.
|
|
178
|
+
|
|
179
|
+
**4. LLM narrative review.** With `--llm`, Claude Opus generates a final review
|
|
180
|
+
from the structured evidence pack. The model is forced to cite real
|
|
181
|
+
surface/asset/control IDs, so it can't invent findings.
|
|
182
|
+
|
|
183
|
+
Layered on top: **MITRE ATT&CK technique mappings** on every insight and
|
|
184
|
+
**detection opportunities** (Sigma/KQL/Splunk-style hints) for each weakness.
|
|
185
|
+
|
|
186
|
+
---
|
|
187
|
+
|
|
188
|
+
## Supported ecosystems
|
|
189
|
+
|
|
190
|
+
Eleven official analyzer plugins, each distributable as a separate package:
|
|
191
|
+
|
|
192
|
+
| Plugin | Coverage |
|
|
193
|
+
|---|---|
|
|
194
|
+
| `attackmap-analyzer-python` | Django, Starlette, AIOHTTP, Sanic, Litestar, DRF; SQLAlchemy/asyncpg/motor; passlib/PyJWT/authlib; httpx/aiohttp |
|
|
195
|
+
| `attackmap-analyzer-rust` | axum, actix-web, rocket; sqlx, diesel, sea-orm; jsonwebtoken, argon2; reqwest |
|
|
196
|
+
| `attackmap-analyzer-go` | net/http, chi, gin, echo, fiber, gorilla/mux; database/sql, gorm, pgx; golang-jwt; resty |
|
|
197
|
+
| `attackmap-analyzer-java-spring` | Java/Kotlin Spring Boot, JAX-RS, Ktor; Spring Data; Spring Security; jjwt |
|
|
198
|
+
| `attackmap-analyzer-dotnet` | ASP.NET Core minimal APIs and attribute routing, EF Core, Identity, JwtBearer |
|
|
199
|
+
| `attackmap-analyzer-terraform` | AWS, Azure, GCP resources; IAM wildcards; open SGs; secrets |
|
|
200
|
+
| `attackmap-analyzer-c` | libmicrohttpd, civetweb, mongoose; libcurl; OpenSSL/libsodium; sqlite3/libpq/mysql |
|
|
201
|
+
| `attackmap-analyzer-cpp` | Crow, Pistache, Drogon, cpprestsdk; libcurl/cpr; OpenSSL/Botan/libsodium; libpqxx/mongocxx |
|
|
202
|
+
| `attackmap-analyzer-node-service` | Node.js / TypeScript service ecosystems |
|
|
203
|
+
| `attackmap-analyzer-atproto` | AT Protocol (Bluesky) services |
|
|
204
|
+
| `attackmap-analyzer-php-web` / `-php-laminas` / `-omeka-s` | Generic PHP web, Laminas/Zend MVC, Omeka-S |
|
|
205
|
+
|
|
206
|
+
`pip install "attackmap[all]"` installs every official plugin.
|
|
207
|
+
|
|
208
|
+
---
|
|
209
|
+
|
|
210
|
+
## CLI reference
|
|
211
|
+
|
|
212
|
+
```bash
|
|
213
|
+
attackmap analyze <path> # run a review on a repository
|
|
214
|
+
attackmap analyze <path> --output dir # write outputs to `dir/`
|
|
215
|
+
attackmap analyze <path> --module python --module rust # only these analyzers
|
|
216
|
+
attackmap analyze <path> --llm # add LLM narrative (auto-resolve auth)
|
|
217
|
+
attackmap analyze <path> --llm --llm-backend cli # force Claude CLI
|
|
218
|
+
attackmap modules # list installed analyzers
|
|
219
|
+
```
|
|
220
|
+
|
|
221
|
+
`--module` is repeatable. Missing requested external analyzers can be
|
|
222
|
+
auto-installed (when possible) from the `mlaify` GitHub organization.
|
|
223
|
+
|
|
224
|
+
---
|
|
225
|
+
|
|
226
|
+
## What AttackMap is *not*
|
|
227
|
+
|
|
228
|
+
- **A runtime detector.** AttackMap is static. The detection opportunities it
|
|
229
|
+
emits are *hints* for your SIEM team — they are not deployable rules.
|
|
230
|
+
- **A vulnerability scanner.** AttackMap models architecture, assets, and
|
|
231
|
+
controls. It does not match known-CVE patterns.
|
|
232
|
+
- **Exhaustive.** AttackMap is heuristic by design. Findings are confidence-tiered
|
|
233
|
+
with explicit guardrails for stale signals.
|
|
234
|
+
|
|
235
|
+
---
|
|
236
|
+
|
|
237
|
+
## Documentation
|
|
238
|
+
|
|
239
|
+
- [`CHANGELOG.md`](CHANGELOG.md) — release notes
|
|
240
|
+
- [`CONTRIBUTING.md`](CONTRIBUTING.md) — development setup and PR process
|
|
241
|
+
- [`SECURITY.md`](SECURITY.md) — vulnerability disclosure
|
|
242
|
+
- [`AGENTS.md`](AGENTS.md) — agent-facing repo guide
|
|
243
|
+
- [`VISION.md`](VISION.md) — project direction
|
|
244
|
+
- [GitHub wiki](https://github.com/mlaify/AttackMap/wiki) — deeper architecture
|
|
245
|
+
and analyzer-contract references
|
|
246
|
+
|
|
247
|
+
---
|
|
248
|
+
|
|
249
|
+
## Contributing
|
|
250
|
+
|
|
251
|
+
Issues and pull requests are welcome. See [CONTRIBUTING.md](CONTRIBUTING.md)
|
|
252
|
+
for setup, testing, and submission guidelines. By contributing you agree that
|
|
253
|
+
your contributions will be MIT-licensed.
|
|
254
|
+
|
|
255
|
+
## License
|
|
256
|
+
|
|
257
|
+
[MIT](LICENSE). Copyright (c) 2026 Matthew Davis and AttackMap Contributors.
|
|
@@ -0,0 +1,199 @@
|
|
|
1
|
+
# AttackMap
|
|
2
|
+
|
|
3
|
+
**AI-assisted defensive security analysis for codebases.** AttackMap reads your
|
|
4
|
+
repository, models its assets and defensive controls, finds cross-cutting
|
|
5
|
+
weaknesses that single-file scanners miss, and produces an evidence-grounded
|
|
6
|
+
security review with MITRE ATT&CK mappings and detection-engineering hints.
|
|
7
|
+
|
|
8
|
+
Built for AppSec engineers, SOC and detection-engineering teams, and engineering
|
|
9
|
+
managers who need to triage an unfamiliar codebase.
|
|
10
|
+
|
|
11
|
+
> Story over checklist. Asset-aware. Control-absence-aware. Evidence-grounded.
|
|
12
|
+
|
|
13
|
+
[](LICENSE)
|
|
14
|
+
[](https://www.python.org/)
|
|
15
|
+
|
|
16
|
+
---
|
|
17
|
+
|
|
18
|
+
## Quickstart
|
|
19
|
+
|
|
20
|
+
Install with all bundled analyzers:
|
|
21
|
+
|
|
22
|
+
```bash
|
|
23
|
+
pip install "attackmap[all]"
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
Run a review on a repository:
|
|
27
|
+
|
|
28
|
+
```bash
|
|
29
|
+
attackmap analyze /path/to/repo --output reports
|
|
30
|
+
```
|
|
31
|
+
|
|
32
|
+
Optional: add an AI-narrated review using Claude. Either set an
|
|
33
|
+
`ANTHROPIC_API_KEY`, or log in once with the [Claude Code CLI](https://docs.claude.com/claude-code)
|
|
34
|
+
to use your existing Pro/Max subscription:
|
|
35
|
+
|
|
36
|
+
```bash
|
|
37
|
+
attackmap analyze /path/to/repo --output reports --llm
|
|
38
|
+
```
|
|
39
|
+
|
|
40
|
+
Read `reports/defensive-review.md` (heuristic) and `reports/defensive-review-llm.md`
|
|
41
|
+
(LLM-narrated) side by side.
|
|
42
|
+
|
|
43
|
+
---
|
|
44
|
+
|
|
45
|
+
## Install
|
|
46
|
+
|
|
47
|
+
### From PyPI
|
|
48
|
+
|
|
49
|
+
```bash
|
|
50
|
+
pip install attackmap # core only
|
|
51
|
+
pip install "attackmap[llm]" # add LLM narrative support
|
|
52
|
+
pip install "attackmap[all]" # core + LLM + all 11 analyzer plugins
|
|
53
|
+
```
|
|
54
|
+
|
|
55
|
+
You can also install individual analyzer plugins on demand:
|
|
56
|
+
|
|
57
|
+
```bash
|
|
58
|
+
pip install attackmap-analyzer-python attackmap-analyzer-go
|
|
59
|
+
```
|
|
60
|
+
|
|
61
|
+
### With Docker
|
|
62
|
+
|
|
63
|
+
```bash
|
|
64
|
+
docker run --rm -v "$PWD:/src" ghcr.io/mlaify/attackmap:latest analyze /src --output /src/reports
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
### With Homebrew (macOS)
|
|
68
|
+
|
|
69
|
+
```bash
|
|
70
|
+
brew install mlaify/tap/attackmap
|
|
71
|
+
```
|
|
72
|
+
|
|
73
|
+
### From source
|
|
74
|
+
|
|
75
|
+
```bash
|
|
76
|
+
git clone https://github.com/mlaify/AttackMap.git
|
|
77
|
+
cd AttackMap
|
|
78
|
+
pip install -e ".[llm]"
|
|
79
|
+
```
|
|
80
|
+
|
|
81
|
+
---
|
|
82
|
+
|
|
83
|
+
## What you get
|
|
84
|
+
|
|
85
|
+
Every `attackmap analyze` run writes:
|
|
86
|
+
|
|
87
|
+
| File | What it is |
|
|
88
|
+
|---|---|
|
|
89
|
+
| `architecture.md` | High-level summary of the repository |
|
|
90
|
+
| `attack-surface.md` | Surfaces classified by category, exposure, and risk |
|
|
91
|
+
| `defensive-review.md` | Notable Observations, Asset Inventory, Defensive Controls, Strengths, Weaknesses, Detection Opportunities, Recommendations |
|
|
92
|
+
| `defensive-review.json` | Structured equivalent (schema v1.2.0) |
|
|
93
|
+
| `review-context-pack.json` | Structured evidence pack consumed by the LLM stage |
|
|
94
|
+
| `attackmap-report.json` | Everything bundled |
|
|
95
|
+
| `defensive-review-llm.md` *(with `--llm`)* | Claude-narrated review |
|
|
96
|
+
| `defensive-review-llm.meta.json` *(with `--llm`)* | Backend, model, token usage |
|
|
97
|
+
|
|
98
|
+
---
|
|
99
|
+
|
|
100
|
+
## How it works
|
|
101
|
+
|
|
102
|
+
AttackMap is built as four layers, each grounded in the layer below.
|
|
103
|
+
|
|
104
|
+
**1. Heuristic scanner + analyzer plugins.** Language-aware extraction of routes,
|
|
105
|
+
databases, external calls, auth signals, secrets, frameworks, and entrypoints.
|
|
106
|
+
Every signal carries a `file:line` citation, an evidence-text snippet, and a
|
|
107
|
+
confidence score. Plugins are auto-discovered through the `attackmap.analyzers`
|
|
108
|
+
entry-point group.
|
|
109
|
+
|
|
110
|
+
**2. Asset and control overlay.** Identifies *what's at risk* (credentials,
|
|
111
|
+
sessions, PII, payment records, internal secrets — with criticality tiers) and
|
|
112
|
+
*what protects it* (authentication, authorization, input validation, rate
|
|
113
|
+
limiting, CSRF, encryption, audit logging, RBAC, MFA), including detection of
|
|
114
|
+
*absent* expected controls.
|
|
115
|
+
|
|
116
|
+
**3. Cross-cutting insight engine.** Connects findings into narratives —
|
|
117
|
+
sensitive-asset reachability, shared-secret blast radius, defense gaps in attack
|
|
118
|
+
chains, control-strength mismatches, asymmetric protection, audit gaps,
|
|
119
|
+
trust-boundary violations, and more.
|
|
120
|
+
|
|
121
|
+
**4. LLM narrative review.** With `--llm`, Claude Opus generates a final review
|
|
122
|
+
from the structured evidence pack. The model is forced to cite real
|
|
123
|
+
surface/asset/control IDs, so it can't invent findings.
|
|
124
|
+
|
|
125
|
+
Layered on top: **MITRE ATT&CK technique mappings** on every insight and
|
|
126
|
+
**detection opportunities** (Sigma/KQL/Splunk-style hints) for each weakness.
|
|
127
|
+
|
|
128
|
+
---
|
|
129
|
+
|
|
130
|
+
## Supported ecosystems
|
|
131
|
+
|
|
132
|
+
Eleven official analyzer plugins, each distributable as a separate package:
|
|
133
|
+
|
|
134
|
+
| Plugin | Coverage |
|
|
135
|
+
|---|---|
|
|
136
|
+
| `attackmap-analyzer-python` | Django, Starlette, AIOHTTP, Sanic, Litestar, DRF; SQLAlchemy/asyncpg/motor; passlib/PyJWT/authlib; httpx/aiohttp |
|
|
137
|
+
| `attackmap-analyzer-rust` | axum, actix-web, rocket; sqlx, diesel, sea-orm; jsonwebtoken, argon2; reqwest |
|
|
138
|
+
| `attackmap-analyzer-go` | net/http, chi, gin, echo, fiber, gorilla/mux; database/sql, gorm, pgx; golang-jwt; resty |
|
|
139
|
+
| `attackmap-analyzer-java-spring` | Java/Kotlin Spring Boot, JAX-RS, Ktor; Spring Data; Spring Security; jjwt |
|
|
140
|
+
| `attackmap-analyzer-dotnet` | ASP.NET Core minimal APIs and attribute routing, EF Core, Identity, JwtBearer |
|
|
141
|
+
| `attackmap-analyzer-terraform` | AWS, Azure, GCP resources; IAM wildcards; open SGs; secrets |
|
|
142
|
+
| `attackmap-analyzer-c` | libmicrohttpd, civetweb, mongoose; libcurl; OpenSSL/libsodium; sqlite3/libpq/mysql |
|
|
143
|
+
| `attackmap-analyzer-cpp` | Crow, Pistache, Drogon, cpprestsdk; libcurl/cpr; OpenSSL/Botan/libsodium; libpqxx/mongocxx |
|
|
144
|
+
| `attackmap-analyzer-node-service` | Node.js / TypeScript service ecosystems |
|
|
145
|
+
| `attackmap-analyzer-atproto` | AT Protocol (Bluesky) services |
|
|
146
|
+
| `attackmap-analyzer-php-web` / `-php-laminas` / `-omeka-s` | Generic PHP web, Laminas/Zend MVC, Omeka-S |
|
|
147
|
+
|
|
148
|
+
`pip install "attackmap[all]"` installs every official plugin.
|
|
149
|
+
|
|
150
|
+
---
|
|
151
|
+
|
|
152
|
+
## CLI reference
|
|
153
|
+
|
|
154
|
+
```bash
|
|
155
|
+
attackmap analyze <path> # run a review on a repository
|
|
156
|
+
attackmap analyze <path> --output dir # write outputs to `dir/`
|
|
157
|
+
attackmap analyze <path> --module python --module rust # only these analyzers
|
|
158
|
+
attackmap analyze <path> --llm # add LLM narrative (auto-resolve auth)
|
|
159
|
+
attackmap analyze <path> --llm --llm-backend cli # force Claude CLI
|
|
160
|
+
attackmap modules # list installed analyzers
|
|
161
|
+
```
|
|
162
|
+
|
|
163
|
+
`--module` is repeatable. Missing requested external analyzers can be
|
|
164
|
+
auto-installed (when possible) from the `mlaify` GitHub organization.
|
|
165
|
+
|
|
166
|
+
---
|
|
167
|
+
|
|
168
|
+
## What AttackMap is *not*
|
|
169
|
+
|
|
170
|
+
- **A runtime detector.** AttackMap is static. The detection opportunities it
|
|
171
|
+
emits are *hints* for your SIEM team — they are not deployable rules.
|
|
172
|
+
- **A vulnerability scanner.** AttackMap models architecture, assets, and
|
|
173
|
+
controls. It does not match known-CVE patterns.
|
|
174
|
+
- **Exhaustive.** AttackMap is heuristic by design. Findings are confidence-tiered
|
|
175
|
+
with explicit guardrails for stale signals.
|
|
176
|
+
|
|
177
|
+
---
|
|
178
|
+
|
|
179
|
+
## Documentation
|
|
180
|
+
|
|
181
|
+
- [`CHANGELOG.md`](CHANGELOG.md) — release notes
|
|
182
|
+
- [`CONTRIBUTING.md`](CONTRIBUTING.md) — development setup and PR process
|
|
183
|
+
- [`SECURITY.md`](SECURITY.md) — vulnerability disclosure
|
|
184
|
+
- [`AGENTS.md`](AGENTS.md) — agent-facing repo guide
|
|
185
|
+
- [`VISION.md`](VISION.md) — project direction
|
|
186
|
+
- [GitHub wiki](https://github.com/mlaify/AttackMap/wiki) — deeper architecture
|
|
187
|
+
and analyzer-contract references
|
|
188
|
+
|
|
189
|
+
---
|
|
190
|
+
|
|
191
|
+
## Contributing
|
|
192
|
+
|
|
193
|
+
Issues and pull requests are welcome. See [CONTRIBUTING.md](CONTRIBUTING.md)
|
|
194
|
+
for setup, testing, and submission guidelines. By contributing you agree that
|
|
195
|
+
your contributions will be MIT-licensed.
|
|
196
|
+
|
|
197
|
+
## License
|
|
198
|
+
|
|
199
|
+
[MIT](LICENSE). Copyright (c) 2026 Matthew Davis and AttackMap Contributors.
|
|
@@ -0,0 +1,99 @@
|
|
|
1
|
+
[build-system]
|
|
2
|
+
requires = ["setuptools>=68", "wheel"]
|
|
3
|
+
build-backend = "setuptools.build_meta"
|
|
4
|
+
|
|
5
|
+
[project]
|
|
6
|
+
name = "attackmap"
|
|
7
|
+
version = "0.1.0"
|
|
8
|
+
description = "AI-assisted defensive security analyzer for codebases — scans a repository, models assets and controls, finds cross-cutting weaknesses, and generates an evidence-grounded review with MITRE ATT&CK mappings and detection-engineering hints."
|
|
9
|
+
readme = "README.md"
|
|
10
|
+
requires-python = ">=3.11"
|
|
11
|
+
license = {text = "MIT"}
|
|
12
|
+
authors = [
|
|
13
|
+
{name = "Matthew Davis", email = "matthewd@matthewd.xyz"},
|
|
14
|
+
{name = "AttackMap Contributors"},
|
|
15
|
+
]
|
|
16
|
+
maintainers = [
|
|
17
|
+
{name = "Matthew Davis", email = "matthewd@matthewd.xyz"},
|
|
18
|
+
]
|
|
19
|
+
keywords = [
|
|
20
|
+
"security",
|
|
21
|
+
"static-analysis",
|
|
22
|
+
"appsec",
|
|
23
|
+
"defensive-security",
|
|
24
|
+
"threat-modeling",
|
|
25
|
+
"attack-surface",
|
|
26
|
+
"mitre-attack",
|
|
27
|
+
"detection-engineering",
|
|
28
|
+
"code-review",
|
|
29
|
+
"llm",
|
|
30
|
+
"claude",
|
|
31
|
+
]
|
|
32
|
+
classifiers = [
|
|
33
|
+
"Development Status :: 4 - Beta",
|
|
34
|
+
"Environment :: Console",
|
|
35
|
+
"Intended Audience :: Developers",
|
|
36
|
+
"Intended Audience :: Information Technology",
|
|
37
|
+
"Intended Audience :: System Administrators",
|
|
38
|
+
"License :: OSI Approved :: MIT License",
|
|
39
|
+
"Operating System :: OS Independent",
|
|
40
|
+
"Programming Language :: Python :: 3",
|
|
41
|
+
"Programming Language :: Python :: 3.11",
|
|
42
|
+
"Programming Language :: Python :: 3.12",
|
|
43
|
+
"Programming Language :: Python :: 3.13",
|
|
44
|
+
"Programming Language :: Python :: 3 :: Only",
|
|
45
|
+
"Topic :: Security",
|
|
46
|
+
"Topic :: Software Development :: Quality Assurance",
|
|
47
|
+
"Topic :: Software Development :: Testing",
|
|
48
|
+
"Typing :: Typed",
|
|
49
|
+
]
|
|
50
|
+
dependencies = [
|
|
51
|
+
"typer>=0.12.3",
|
|
52
|
+
"pydantic>=2.7.0",
|
|
53
|
+
"networkx>=3.3",
|
|
54
|
+
]
|
|
55
|
+
|
|
56
|
+
[project.optional-dependencies]
|
|
57
|
+
llm = [
|
|
58
|
+
"anthropic>=0.40.0",
|
|
59
|
+
]
|
|
60
|
+
all = [
|
|
61
|
+
"attackmap[llm]",
|
|
62
|
+
"attackmap-analyzer-python",
|
|
63
|
+
"attackmap-analyzer-rust",
|
|
64
|
+
"attackmap-analyzer-go",
|
|
65
|
+
"attackmap-analyzer-java-spring",
|
|
66
|
+
"attackmap-analyzer-dotnet",
|
|
67
|
+
"attackmap-analyzer-terraform",
|
|
68
|
+
"attackmap-analyzer-c",
|
|
69
|
+
"attackmap-analyzer-cpp",
|
|
70
|
+
"attackmap-analyzer-node-service",
|
|
71
|
+
"attackmap-analyzer-atproto",
|
|
72
|
+
"attackmap-analyzer-php-web",
|
|
73
|
+
"attackmap-analyzer-php-laminas",
|
|
74
|
+
"attackmap-analyzer-omeka-s",
|
|
75
|
+
]
|
|
76
|
+
dev = [
|
|
77
|
+
"pytest>=8.0.0",
|
|
78
|
+
"build>=1.2.0",
|
|
79
|
+
]
|
|
80
|
+
|
|
81
|
+
[project.urls]
|
|
82
|
+
Homepage = "https://github.com/mlaify/AttackMap"
|
|
83
|
+
Documentation = "https://github.com/mlaify/AttackMap/wiki"
|
|
84
|
+
Repository = "https://github.com/mlaify/AttackMap"
|
|
85
|
+
Issues = "https://github.com/mlaify/AttackMap/issues"
|
|
86
|
+
Changelog = "https://github.com/mlaify/AttackMap/blob/main/CHANGELOG.md"
|
|
87
|
+
|
|
88
|
+
[project.scripts]
|
|
89
|
+
attackmap = "attackmap.cli:app"
|
|
90
|
+
|
|
91
|
+
[tool.setuptools]
|
|
92
|
+
package-dir = {"" = "src"}
|
|
93
|
+
|
|
94
|
+
[tool.setuptools.packages.find]
|
|
95
|
+
where = ["src"]
|
|
96
|
+
|
|
97
|
+
[tool.pytest.ini_options]
|
|
98
|
+
pythonpath = ["src"]
|
|
99
|
+
testpaths = ["tests"]
|