diff_attack_paths
ActiveTool of io.github.Baneado98/cloud-pathfinder
DIFFERENTIAL attack-path analysis for a change to Infrastructure-as-Code — the CI/CD gate. Give it the IaC BEFORE and AFTER a change (e.g. a pull request's base and head trees, each a map of filename→content) and it builds the full resource graph and runs the internet→crown-jewel reachability search on BOTH states, then reports exactly what the change did to your attack surface: which breach chains it INTRODUCES (e.g. 'this PR opens a NEW Internet→admin route via a newly-public security group + an over-broad IAM grant'), which it ELIMINATES, and which it AGGRAVATES (makes more exploitable). Returns an INTRODUCES_BREACH / REDUCES_RISK / NEUTRAL / MIXED verdict — the single check to wire into PR review so a change that opens a path to your data/secrets/admin is caught before merge. This is something a per-file linter or a single-state scan cannot answer: it needs both graphs and a semantic cross-state path match. The analysis is a heuristic static analysis of the declared IaC.
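To make the cross-state comparison concrete, here is an added, self-contained illustration of the idea (a constructed example, not cloud-pathfinder's own code): a tiny resource-graph builder over a hypothetical IaC model, a breadth-first search for Internet→crown-jewel chains in the BEFORE and AFTER states, and the verdict logic that classifies the diff. The resource format, the "public ingress exposes the instance / instance assumes its role / role grant reaches the resource" edge rules, and the heuristic that a shorter chain counts as more exploitable are all assumptions made for this example.

```python
"""Toy differential attack-path analysis (constructed example)."""
import copy
from collections import deque

INTERNET = "internet"


def build_graph(resources):
    """Turn the hypothetical IaC model into a reachability graph.
    An edge u -> v means: an attacker controlling u can reach v."""
    graph = {}

    def edge(u, v):
        graph.setdefault(u, set()).add(v)
        graph.setdefault(v, set())

    for name, r in resources.items():
        graph.setdefault(name, set())
        if r["type"] == "instance":
            sg = resources.get(r.get("sg"), {})
            if "0.0.0.0/0" in sg.get("ingress_cidrs", []):
                edge(INTERNET, name)        # security group is world-open
            if r.get("role"):
                edge(name, r["role"])       # instance can use its IAM role
        elif r["type"] == "iam_role":
            for target in r.get("allows", []):
                edge(name, target)          # the grant reaches the target
    return graph


def crown_jewels(resources):
    return {n for n, r in resources.items() if r.get("crown_jewel")}


def shortest_paths(graph, jewels, source=INTERNET):
    """BFS from the Internet; returns {jewel: shortest path as a tuple}.
    Expansion stops at a jewel, so chains passing through one jewel to
    another are not enumerated (enough for this illustration)."""
    paths, seen = {}, {source}
    queue = deque([(source, (source,))])
    while queue:
        node, path = queue.popleft()
        if node in jewels:
            paths[node] = path
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + (nxt,)))
    return paths


def diff_attack_paths(before, after):
    """Compare Internet->crown-jewel chains across the two IaC states."""
    jewels = crown_jewels(before) | crown_jewels(after)
    b = shortest_paths(build_graph(before), jewels)
    a = shortest_paths(build_graph(after), jewels)
    introduced = {j: a[j] for j in a if j not in b}
    eliminated = {j: b[j] for j in b if j not in a}
    # Heuristic: a shorter chain to the same jewel is "more exploitable".
    aggravated = {j: (b[j], a[j]) for j in a if j in b and len(a[j]) < len(b[j])}
    risk_up, risk_down = bool(introduced or aggravated), bool(eliminated)
    if risk_up and risk_down:
        verdict = "MIXED"
    elif risk_up:
        verdict = "INTRODUCES_BREACH"
    elif risk_down:
        verdict = "REDUCES_RISK"
    else:
        verdict = "NEUTRAL"
    return {"verdict": verdict, "introduced": introduced,
            "eliminated": eliminated, "aggravated": aggravated}


# Constructed sample: the PR base (BEFORE) keeps the web tier internal and
# the role scoped to logs; the PR head (AFTER) opens the security group to
# the world AND widens the role to the secrets bucket.
BEFORE = {
    "sg-web": {"type": "security_group", "ingress_cidrs": ["10.0.0.0/8"]},
    "web": {"type": "instance", "sg": "sg-web", "role": "role-web"},
    "role-web": {"type": "iam_role", "allows": ["bucket-logs"]},
    "bucket-logs": {"type": "bucket"},
    "bucket-secrets": {"type": "bucket", "crown_jewel": True},
}
AFTER = copy.deepcopy(BEFORE)
AFTER["sg-web"]["ingress_cidrs"] = ["0.0.0.0/0"]
AFTER["role-web"]["allows"] = ["bucket-logs", "bucket-secrets"]

if __name__ == "__main__":
    report = diff_attack_paths(BEFORE, AFTER)
    print(report["verdict"])
    for jewel, path in report["introduced"].items():
        print("NEW chain to", jewel, ":", " -> ".join(path))
```

Neither change on its own would have produced a chain: the public security group without the wider grant reaches only the logs bucket, and the wider grant without the public group is unreachable from the Internet. Only the two-state graph comparison attributes the new Internet→web→role-web→bucket-secrets chain to this change, which is the point the description makes about per-file linters and single-state scans.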
Parameters schema
{
  "type": "object",
  "required": [
    "before",
    "after"
  ],
  "properties": {
    "deep": {
      "type": "boolean",
      "description": "When true, runs the PREMIUM deep diff: the full changed chains with per-hop file:line evidence, before→after exploitability scores, and which choke points newly matter. Requires CLOUD_PATHFINDER_KEY; without one you get unlock instructions. The free diff verdict + counts need no key."
    },
    "after": {
      "type": "object",
      "properties": {
        "files": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          }
        },
        "source": {
          "type": "string"
        },
        "filename": {
          "type": "string"
        }
      },
      "description": "The IaC state AFTER the change (the PR head). Same shape as `before`."
    },
    "before": {
      "type": "object",
      "properties": {
        "files": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          }
        },
        "source": {
          "type": "string"
        },
        "filename": {
          "type": "string"
        }
      },
      "description": "The IaC state BEFORE the change (the PR base). Provide { files: {filename: content} } or { source, filename }."
    }
  }
}
Parent server
io.github.Baneado98/cloud-pathfinder
https://github.com/Baneado98/cloud-pathfinder
2/7 registries