Repository files navigation

Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by aNeo4j database.

Cartography aims to enable a broad set of exploration and automation scenarios. It is particularly good at exposing otherwise hidden dependency relationships between your service's assets so that you may validate assumptions about security risks.

Service owners can generate asset reports, Red Teamers can discover attack paths, and Blue Teamers can identify areas for security improvement. All can benefit from using the graph for manual exploration through a web frontend interface, or in an automated fashion by calling the APIs.

Cartography is not the onlysecuritygraphtooloutthere, but it differentiates itself by being fully-featured yet generic andextensible enough to help make anyone better understand their risk exposure, regardless of what platforms they use. Rather than being focused on one core scenario or attack vector like the other linked tools, Cartography focuses on flexibility and exploration.

You can learn more about the story behind Cartography in ourpresentation at BSidesSF 2019.

Starthere.

• Amazon Web Services - API Gateway, Config, EC2, ECS, ECR, Elasticsearch, Elastic Kubernetes Service (EKS), DynamoDB, IAM, Inspector, KMS, Lambda, RDS, Redshift, Route53, S3, Secrets Manager, Security Hub, SQS, SSM, STS, Tags
• Google Cloud Platform - Cloud Resource Manager, Compute, DNS, Storage, Google Kubernetes Engine
• Google GSuite - users, groups
• Duo CRXcavator - Chrome extensions, GSuite users
• Oracle Cloud Infrastructure - IAM
• Okta - users, groups, organizations, roles, applications, factors, trusted origins, reply URIs
• Github - repos, branches, users
• DigitalOcean
• Microsoft Azure - CosmosDB, SQL, Storage, Virtual Machine
• Kubernetes - Cluster, Namespace, Service, Pod, Container
• PagerDuty - Users, teams, services, schedules, escalation policies, integrations, vendors
• Crowdstrike Falcon - Hosts, Spotlight vulnerabilites, CVEs
• NIST CVE - Common Vulnerabilities and Exposures (CVE) data from NIST database

Start with ourtutorial. Ourdata schema is a helpful reference when you get stuck.

• Join us on#cartography on theLyft OSS Slack.

Talk to us and see what we're working on at ourmonthly community meeting.

• Meeting minutes arehere.
• Recorded videos are postedhere.
• Our current project road map ishere.

Thank you for considering contributing to Cartography!

Legal stuff: This project is governed byLyft's code of conduct.All contributors and participants agree to abide by its terms.

Get started with ourdeveloper documentation.

We require a CLA for code contributions, so before we can accept a pull requestwe need to have a signed CLA. Pleasevisit our CLA serviceand follow the instructions to sign the CLA.

1. Lyft
2. Thought Machine
3. MessageBird
4. Cloudanix
5. {Your company here} :-)

If your organization uses Cartography, please file a PR and update this list. Say hi on Slack too!