From b803a1b2a9d4be904147e71a6df60b97f159304d Mon Sep 17 00:00:00 2001 From: DevOpsMadDog Date: Sat, 20 Dec 2025 22:23:38 +1100 Subject: [PATCH] Expand API/CLI coverage analysis mapping --- docs/ALDECI_PODCAST_SCRIPT.md | 318 ++++++++++++++++++++++++++++++ docs/API_CLI_COVERAGE_ANALYSIS.md | 230 +++++++++++++++++++++ scripts/demo_sidecar.py | 70 ++++++- 3 files changed, 611 insertions(+), 7 deletions(-) create mode 100644 docs/ALDECI_PODCAST_SCRIPT.md create mode 100644 docs/API_CLI_COVERAGE_ANALYSIS.md diff --git a/docs/ALDECI_PODCAST_SCRIPT.md b/docs/ALDECI_PODCAST_SCRIPT.md new file mode 100644 index 000000000..7cb10d5f8 --- /dev/null +++ b/docs/ALDECI_PODCAST_SCRIPT.md @@ -0,0 +1,318 @@ +# AlDeci Podcast Script (20 Minutes) + +**Total Runtime: 20 minutes** +- Part 1 (10 min): Casual walkthrough of what AlDeci actually does +- Part 2 (10 min): Why this is different from everything else on the market + +--- + +## PART 1: THE CASUAL WALKTHROUGH (10 minutes) + +### Opening Hook (1 minute) + +*[Start conversationally, like you're catching up with a colleague]* + +"Let me paint you a picture. It's Tuesday, 4:47 PM. Your release train leaves in 90 minutes. Scanner A says you have a critical vulnerability. Scanner B says it's medium. Someone pasted an EPSS link in Slack saying 'this one's being exploited in the wild.' Your architect is asking one question: 'Are we shipping or not?' + +Here's the thing - the problem isn't that you have vulnerabilities. Every company has vulnerabilities. The problem is you can't defend the decision. You're about to make a call that affects the business, and you're doing it based on... vibes? Screenshots? A spreadsheet someone updated last week? + +That's the gap AlDeci fills. Not more findings. Not prettier dashboards. A decision you can defend, with proof you can hand to anyone who asks." + +--- + +### The Three Questions Framework (2 minutes) + +*[This becomes the recurring motif throughout]* + +"Everything we do maps to three questions your team asks every single day: + +**Question 1: Is it real?** +Not 'did a scanner flag it' - is this actually a threat to us? Because right now, your team is drowning in noise. You're getting findings from SAST, DAST, SCA, container scanners, cloud security tools... and 60-80% of it is either duplicates, false positives, or things that don't matter in your context. + +**Question 2: Does it matter to us?** +A critical CVE in a library you don't actually call is not the same as a critical CVE in your authentication service that's internet-facing and handles PII. Context changes everything. + +**Question 3: Can we prove it?** +When the auditor shows up, when procurement asks for attestation, when the board wants to know how you're managing risk - can you produce evidence? Not 'we have a process' - actual, verifiable, timestamped proof of what you decided and why. + +AlDeci answers all three. Let me show you how." + +--- + +### Walking Through a Real Scenario (4 minutes) + +*[Get specific - this is where people lean in]* + +"Let's say you're releasing version 2.4 of your payment service. Here's what happens: + +**Step 1: Everything flows in.** +Your CI/CD pipeline sends us the SBOM - that's your software bill of materials, every component and dependency. It sends the SARIF output from your SAST tools. We pull in CVE data, VEX statements if you have them, CNAPP findings from your cloud security tools. Design context from your architecture docs. + +This isn't a one-scanner-at-a-time thing. We're correlating across 8-14 different sources simultaneously. Same vulnerability flagged by three different tools? We deduplicate it. Scanner says 'critical' but it's in a test dependency that never runs in production? We know that. + +**Step 2: We add threat intelligence.** +We check CISA's Known Exploited Vulnerabilities catalog - that's 1,400+ CVEs that are actively being exploited right now. We pull EPSS scores - that's the probability this CVE will be exploited in the next 30 days based on real-world data. Not theoretical risk. Actual exploitation likelihood. + +**Step 3: Context gets applied.** +Is this service internet-facing? What's its business criticality? Does it handle sensitive data? What's your risk tolerance for this environment? A vulnerability in your internal dev tooling is not the same as a vulnerability in your customer-facing API. + +**Step 4: Reachability analysis.** +This is the missing step most tools skip. We map the vulnerable function to the code paths you actually execute in production. If the vulnerable method is never invoked, the risk drops materially. If it’s hit by a public-facing endpoint, the risk rises. That’s the difference between “critical on paper” and “critical in reality.” + +**Step 5: Micro pen tests (fast validation).** +When the result is still ambiguous, we can run a micro pen test to validate exploitability quickly. This is a targeted, low-friction probe—think of it as a surgical test that answers “can this actually be exploited in *this* environment?” + +**Step 6: The decision engine runs.** +Here's where it gets interesting. We don't give you a magic number from 1-100 and say 'good luck.' We give you a verdict: GO, NO-GO, or CONDITIONAL. + +GO means ship it - the risk is acceptable given your context and policies. +NO-GO means stop - there's something here that violates your risk threshold. +CONDITIONAL means you can ship, but here's what needs to happen within a defined timeframe. + +And here's the key: we show our work. You see exactly why we made that call. The reasoning is transparent - not a black box score." + +--- + +### The Evidence Bundle (2 minutes) + +*[This is the "wow" moment for compliance-focused buyers]* + +"Now here's where most tools stop. They gave you a score, maybe a dashboard, and you're on your own to explain it to anyone who asks. + +We generate what we call an evidence bundle. This is a cryptographically-signed package containing: +- Every input artifact (SBOM, scan results, CVE data) +- The decision and complete reasoning +- Timestamps proving when this analysis happened +- A digital signature you can verify independently + +This isn't a PDF someone could edit. It's tamper-evident. If anyone changes a single byte, the signature breaks. + +Why does this matter? Three words: attestation is coming. + +If you sell to the federal government, you now need to self-attest that you follow secure development practices under Executive Order 14028. The attestation form explicitly warns that false statements may violate federal law. + +If you sell into the EU, the Cyber Resilience Act requires you to demonstrate secure-by-design engineering, vulnerability handling, and maintain audit-ready documentation. + +If you're ISO 27001 certified, Annex A.8.25 now requires documented proof of your secure development lifecycle - not just policies, but evidence. + +That evidence bundle? That's what you hand over. Not screenshots. Not 'trust us.' Verifiable proof." + +--- + +### The Validation Layer - Pentagi (1 minute) + +*[Introduce this as the "when the stakes are high" option]* + +"Sometimes the decision is expensive. You've got a finding that could delay a major release, or a vulnerability that someone insists is exploitable while someone else says it's theoretical. + +That's when you escalate to validation. We have an automated pen testing capability called Pentagi. It doesn't just say 'this CVE exists' - it attempts to validate whether it's actually exploitable in your environment. + +The result comes back as: confirmed exploitable, likely exploitable, unexploitable, or blocked by existing controls. That validation result gets stored alongside your release evidence. + +You go from 'scanner says vulnerable' to 'we verified whether it's actually a threat.' That's a different conversation entirely." + +--- + +### Part 1 Wrap-Up (30 seconds) + +"So that's what AlDeci does: +- Correlates findings across all your tools +- Adds real threat intelligence +- Applies your business context +- Runs reachability + micro pentest validation when needed +- Gives you a defensible decision +- Produces signed evidence you can hand to auditors +- And when the stakes are high, validates exploitability with Pentagi + +Now let me tell you why this is different from everything else you've probably looked at." + +--- + +## PART 2: THE COMPETITIVE LANDSCAPE (10 minutes) + +### Setting the Stage (1 minute) + +*[Acknowledge the market respectfully, then differentiate]* + +"You've probably heard of the ASPM category - Application Security Posture Management. Gartner's been talking about it, there are a dozen vendors claiming leadership, and honestly? A lot of them are good at what they do. + +But here's what I want you to understand: there's a fundamental difference between tools that help you see your security posture and tools that help you make and defend decisions about it. + +Let me walk you through the landscape and show you exactly where AlDeci fits." + +--- + +### The Visibility Players (2 minutes) + +*[Apiiro and similar - acknowledge strength, show the gap]* + +"**Apiiro** just got ranked #1 in ASPM by Gartner. They're excellent at what they call 'Deep Code Analysis' - understanding your application architecture from code to runtime. They can tell you which APIs are exposed, how data flows through your system, where your attack surface is expanding. + +That's valuable. Visibility is the foundation. + +But here's the question Apiiro doesn't answer: 'Can we ship?' + +They'll show you risk. They'll prioritize findings. They'll give you context about your codebase. But at the end of the day, someone still has to make the call. Someone still has to defend that call to the auditor. Someone still has to produce evidence for the attestation form. + +Apiiro gives you the map. AlDeci gives you the map, the decision, and the receipt." + +--- + +### The Aggregation Players (2 minutes) + +*[ArmorCode, Cycode - acknowledge the workflow value]* + +"**ArmorCode** was just named a Leader in IDC's MarketScape for ASPM. They're strong at aggregation - pulling findings from 70+ security tools into one place, deduplicating, normalizing, creating workflows. + +**Cycode** calls themselves 'Complete ASPM' - they have native scanners plus ConnectorX for third-party tools. They're focused on bringing developers and security together, reducing friction in the workflow. + +Both of these are solving a real problem: tool sprawl. When you have findings scattered across 15 different dashboards, you need aggregation. + +But aggregation is step one. After you've aggregated, then what? + +ArmorCode will help you prioritize and create tickets. Cycode will help you remediate and track progress. But neither of them will sign an evidence bundle. Neither of them will give you a GO/NO-GO verdict aligned with SSVC. Neither of them will validate exploitability when the decision is contested. + +They're workflow tools. AlDeci is a decision engine." + +--- + +### The Remediation Players (2 minutes) + +*[Vulcan Cyber - acknowledge the 'fix' focus]* + +"**Vulcan Cyber** - now part of Tenable - built their entire platform around one insight: the industry has a 'fix' problem. We're great at finding vulnerabilities, terrible at actually remediating them. + +They're right. And their remediation orchestration is genuinely good. They'll turn complex remediation into step-by-step workflows, automate patching, track progress across teams. + +But here's the thing: remediation assumes you've already decided what to fix. Vulcan helps you fix faster. They don't help you decide what's worth fixing in the first place. + +And they definitely don't help you prove to an auditor that your decision-making process was sound. They don't produce attestation artifacts. They don't sign evidence bundles. + +Vulcan is the 'how do we fix it' tool. AlDeci is the 'should we fix it, and can we prove we made that decision correctly' tool." + +--- + +### The GRC Players (1.5 minutes) + +*[Nucleus - acknowledge the federal strength]* + +"**Nucleus Security** has carved out a strong position in federal and SLED markets. They just launched POAM Process Automation - that's Plan of Action and Milestones, the compliance tracking federal agencies need. + +If you're a federal contractor dealing with NIST RMF requirements, Nucleus is purpose-built for that workflow. 160+ integrations, vulnerability intelligence, compliance framework alignment. + +But Nucleus is fundamentally a GRC tool that happens to handle vulnerabilities. It's about tracking and reporting for compliance purposes. + +AlDeci is a decision engine that happens to produce compliance artifacts. We're not tracking vulnerabilities for a report - we're making real-time decisions about whether code should ship, and producing evidence as a byproduct. + +If your primary need is federal compliance reporting, Nucleus is solid. If your primary need is making defensible security decisions in your CI/CD pipeline and having the evidence to prove it, that's us." + +--- + +### The Fundamental Difference (1.5 minutes) + +*[This is the "wow" synthesis]* + +"Here's what I want you to take away: + +**The market is full of tools that help you see.** Visibility, aggregation, dashboards, prioritization. That's table stakes now. + +**Some tools help you act.** Remediation workflows, ticket creation, developer notifications. Also valuable. + +**Almost nobody helps you decide and prove.** + +When your CISO asks 'are we secure enough to ship?' - who answers that question today? A human, probably. Making a judgment call. With no audit trail. + +When the auditor asks 'show me evidence of your secure development lifecycle' - what do you produce? Screenshots? A wiki page? A spreadsheet? + +When federal procurement asks for your SSDF attestation - can you actually attest with confidence? Or are you crossing your fingers? + +AlDeci is built for that last mile: +- **Decide**: GO/NO-GO/CONDITIONAL with transparent reasoning +- **Validate**: Reachability + micro pentest + Pentagi when stakes are high +- **Prove**: Cryptographically-signed evidence bundles + +That's not a feature. That's a different category." + +--- + +### The Deployment Difference (1 minute) + +*[Technical differentiator that matters to security teams]* + +"One more thing that matters: we run where you need us to run. + +Most ASPM tools are SaaS-only. Your code, your SBOMs, your vulnerability data - it all goes to their cloud. + +AlDeci runs on-premises. Air-gapped if you need it. Your data never leaves your environment. + +For regulated industries - defense, healthcare, financial services, critical infrastructure - that's not a nice-to-have. That's a requirement. + +And our decision engine doesn't depend on a single AI vendor. We use multi-LLM consensus - OpenAI, Anthropic, Gemini, plus deterministic fallbacks. If one provider goes down, if one model hallucinates, we still give you a reliable answer. + +No vendor lock-in on deployment. No vendor lock-in on AI. No vendor lock-in on your security tools - we integrate with whatever scanners you already have." + +--- + +### Proof of Scale (45 seconds) + +*[Short credibility burst]* + +"If you want proof of depth, look at the integration surface: a documented 243 endpoints across core, backend, and enterprise routes, with more than 60 CLI commands mapped to the core workflow. That’s not bloat—that’s deliberate coverage of ingestion, analysis, decisioning, evidence, and validation. + +We expose APIs for reachability analysis, Pentagi, and micro pentests, plus analytics, compliance, workflows, and inventory. That surface is how you automate decisions at enterprise scale." + +--- + +### The Close (1 minute) + +*[Make it concrete and actionable]* + +"So here's what I'd propose: + +You're probably already doing vulnerability management. You've got scanners, you've got dashboards, you've got people making decisions. + +The question is: can you defend those decisions? Can you produce evidence on demand? Can you attest with confidence? + +If the answer is 'not really' or 'it's painful' - that's the gap we fill. + +We can do a 30-day pilot. You point us at one pipeline, one service, one release cycle. We'll show you: +- How much noise reduction you actually get +- What a GO/NO-GO decision looks like in practice +- What an evidence bundle contains +- How long it takes to produce audit-ready proof + +No commitment beyond that. You'll know within 30 days whether this changes how your team operates. + +What questions do you have?" + +--- + +## QUICK REFERENCE: Key Talking Points + +### The Three Questions +1. Is it real? (Noise reduction, deduplication, false positive filtering) +2. Does it matter to us? (Context, business criticality, exposure) +3. Can we prove it? (Evidence bundles, attestation, audit trails) + +### Competitor Positioning (One-Liners) +- **Apiiro**: Great at visibility, doesn't make decisions +- **ArmorCode/Cycode**: Great at aggregation and workflow, doesn't sign evidence +- **Vulcan**: Great at remediation, doesn't help you decide what to remediate +- **Nucleus**: Great at federal GRC, doesn't make real-time pipeline decisions + +### AlDeci Differentiators +- GO/NO-GO/CONDITIONAL verdicts (not scores) +- Cryptographically-signed evidence bundles +- Reachability analysis + micro pentest validation +- Multi-LLM consensus (no single vendor dependency) +- On-premises/air-gapped deployment +- Automated exploitability validation (Pentagi) +- 243 documented API endpoints across core + backend + enterprise + +### Compliance Drivers +- **EO 14028 / NIST SSDF**: Federal procurement self-attestation +- **EU Cyber Resilience Act**: CE marking tied to security assurance +- **ISO 27001:2022 A.8.25**: Documented secure SDLC evidence + +### The Pitch in One Sentence +"AlDeci doesn't give you more findings or prettier dashboards - it gives you a decision you can defend and proof you can hand to anyone who asks." diff --git a/docs/API_CLI_COVERAGE_ANALYSIS.md b/docs/API_CLI_COVERAGE_ANALYSIS.md new file mode 100644 index 000000000..d7109aad2 --- /dev/null +++ b/docs/API_CLI_COVERAGE_ANALYSIS.md @@ -0,0 +1,230 @@ +# FixOps API-to-CLI Coverage Analysis + +## Coverage Summary + +| Metric | Count | +| --- | --- | +| Total API Endpoints | 243 | +| CLI Commands/Subcommands | 67 | +| API Endpoints with CLI Coverage | 156 (~64%) | +| API-Only Endpoints | 87 (~36%) | + +This inventory mirrors the documented mapping across core, backend, and enterprise routers. The core OSS inventory still reports 137 endpoints; the 243 figure reflects the broader surface area including backend and enterprise routes. Align on the public-facing number based on the target audience and SKU. + +--- + +## Core Ingestion (15 endpoints) + +| # | Method | Endpoint | CLI Command | Stage | +| --- | --- | --- | --- | --- | +| 1 | GET | `/api/v1/status` | `health` | Any | +| 2 | POST | `/inputs/design` | `run --design`, `stage-run --stage design` | Design | +| 3 | POST | `/inputs/sbom` | `run --sbom`, `stage-run --stage build` | Build | +| 4 | POST | `/inputs/cve` | `run --cve` | Test | +| 5 | POST | `/inputs/vex` | `run --vex` | Test | +| 6 | POST | `/inputs/cnapp` | `run --cnapp` | Deploy | +| 7 | POST | `/inputs/sarif` | `run --sarif`, `stage-run --stage test` | Test | +| 8 | POST | `/inputs/context` | `run --context` | Design | +| 9-12 | Various | `/inputs/{stage}/chunks/*` | API-only (streaming) | Any | +| 13-15 | GET | `/api/v1/triage/*`, `/api/v1/graph` | API-only (UI) | Decision | + +--- + +## Pipeline Execution (4 endpoints) + +| # | Method | Endpoint | CLI Command | Stage | +| --- | --- | --- | --- | --- | +| 16 | GET | `/pipeline/run` | `run`, `make-decision`, `ingest`, `analyze` | Release Gate | +| 17 | GET | `/analytics/dashboard` | `analytics dashboard` | Monitor | +| 18-19 | Various | `/analytics/runs/*`, `/feedback` | API-only | Monitor | + +--- + +## Analytics (16 endpoints) + +| # | Method | Endpoint | CLI Command | Stage | +| --- | --- | --- | --- | --- | +| 24-27 | GET | `/api/v1/analytics/dashboard/*` | `analytics dashboard` | Monitor | +| 34 | GET | `/api/v1/analytics/mttr` | `analytics mttr` | Monitor | +| 35 | GET | `/api/v1/analytics/coverage` | `analytics coverage` | Monitor | +| 36 | GET | `/api/v1/analytics/roi` | `analytics roi` | Monitor | +| 39 | GET | `/api/v1/analytics/export` | `analytics export` | Monitor | + +--- + +## Audit (10 endpoints) + +| # | Method | Endpoint | CLI Command | Stage | +| --- | --- | --- | --- | --- | +| 40-41 | GET | `/api/v1/audit/logs`, `/api/v1/audit/logs/{id}` | `audit logs` | Audit | +| 42-43 | GET | `/api/v1/audit/user-activity`, `/api/v1/audit/policy-changes` | `audit logs --type` | Audit | +| 44 | GET | `/api/v1/audit/decision-trail` | `audit decisions` | Audit | +| 45 | GET | `/api/v1/audit/compliance/frameworks` | `compliance frameworks` | Audit | +| 46 | GET | `/api/v1/audit/compliance/frameworks/{id}/status` | `compliance status {framework}` | Audit | +| 47 | GET | `/api/v1/audit/compliance/frameworks/{id}/gaps` | `compliance gaps {framework}` | Audit | +| 48 | POST | `/api/v1/audit/compliance/frameworks/{id}/report` | `compliance report {framework}` | Audit | + +--- + +## Reports (9 endpoints) + +| # | Method | Endpoint | CLI Command | Stage | +| --- | --- | --- | --- | --- | +| 50 | GET | `/api/v1/reports` | `reports list` | Audit | +| 51 | POST | `/api/v1/reports` | `reports generate` | Audit | +| 53 | GET | `/api/v1/reports/{id}/download` | `reports export` | Audit | +| 55 | GET | `/api/v1/reports/schedules/list` | `reports schedules` | Audit | + +--- + +## Teams (8 endpoints) + +| # | Method | Endpoint | CLI Command | Stage | +| --- | --- | --- | --- | --- | +| 59 | GET | `/api/v1/teams` | `teams list` | Admin | +| 60 | POST | `/api/v1/teams` | `teams create` | Admin | +| 61 | GET | `/api/v1/teams/{id}` | `teams get {id}` | Admin | + +--- + +## Users (6 endpoints) + +| # | Method | Endpoint | CLI Command | Stage | +| --- | --- | --- | --- | --- | +| 68 | GET | `/api/v1/users` | `users list` | Admin | +| 69 | POST | `/api/v1/users` | `users create` | Admin | +| 70 | GET | `/api/v1/users/{id}` | `users get {id}` | Admin | + +--- + +## Policies (8 endpoints) + +| # | Method | Endpoint | CLI Command | Stage | +| --- | --- | --- | --- | --- | +| 73 | GET | `/api/v1/policies` | `policies list` | Design | +| 74 | POST | `/api/v1/policies` | `policies create` | Design | +| 75 | GET | `/api/v1/policies/{id}` | `policies get {id}` | Design | +| 78 | POST | `/api/v1/policies/{id}/validate` | `policies validate {id}` | Design | +| 79 | POST | `/api/v1/policies/{id}/test` | `policies test {id}` | Design | + +--- + +## Integrations (8 endpoints) + +| # | Method | Endpoint | CLI Command | Stage | +| --- | --- | --- | --- | --- | +| 81 | GET | `/api/v1/integrations` | `integrations list` | Admin | +| 82-84 | POST/PUT | `/api/v1/integrations`, `/api/v1/integrations/{id}` | `integrations configure` | Admin | +| 86 | POST | `/api/v1/integrations/{id}/test` | `integrations test {name}` | Admin | +| 88 | POST | `/api/v1/integrations/{id}/sync` | `integrations sync {name}` | Admin | + +--- + +## Workflows (7 endpoints) + +| # | Method | Endpoint | CLI Command | Stage | +| --- | --- | --- | --- | --- | +| 89 | GET | `/api/v1/workflows` | `workflows list` | Admin | +| 90 | POST | `/api/v1/workflows` | `workflows create` | Admin | +| 91 | GET | `/api/v1/workflows/{id}` | `workflows get {id}` | Admin | +| 94 | POST | `/api/v1/workflows/{id}/execute` | `workflows execute {id}` | Admin | +| 95 | GET | `/api/v1/workflows/{id}/history` | `workflows history {id}` | Admin | + +--- + +## Inventory (15 endpoints) + +| # | Method | Endpoint | CLI Command | Stage | +| --- | --- | --- | --- | --- | +| 96 | GET | `/api/v1/inventory/applications` | `inventory apps` | Design | +| 97 | POST | `/api/v1/inventory/applications` | `inventory add` | Design | +| 98 | GET | `/api/v1/inventory/applications/{id}` | `inventory get {id}` | Design | +| 104 | GET | `/api/v1/inventory/services` | `inventory services` | Design | +| 110 | GET | `/api/v1/inventory/search` | `inventory search` | Design | + +--- + +## PentAGI (14 endpoints) + +| # | Method | Endpoint | CLI Command | Stage | +| --- | --- | --- | --- | --- | +| 111 | GET | `/api/v1/pentagi/requests` | `pentagi list-requests` | Test | +| 112 | POST | `/api/v1/pentagi/requests` | `pentagi create-request` | Test | +| 113 | GET | `/api/v1/pentagi/requests/{id}` | `pentagi get-request {id}` | Test | +| 117 | GET | `/api/v1/pentagi/results` | `pentagi list-results` | Test | + +--- + +## Advanced Pen Testing (19 endpoints) + +| # | Method | Endpoint | CLI Command | Stage | +| --- | --- | --- | --- | --- | +| 139 | POST | `/api/v1/pentagi/verify` | `advanced-pentest run` | Test | +| 142 | GET | `/api/v1/pentagi/findings/{id}/exploitability` | `advanced-pentest threat-intel` | Test | +| - | Various | Enterprise APIs | `advanced-pentest business-impact` | Test | +| - | Various | Enterprise APIs | `advanced-pentest simulate` | Test | +| - | Various | Enterprise APIs | `advanced-pentest remediation` | Test | +| 22 | GET | `/api/v1/enhanced/capabilities` | `advanced-pentest capabilities` | Decision | + +--- + +## Reachability (7 endpoints) + +| # | Method | Endpoint | CLI Command | Stage | +| --- | --- | --- | --- | --- | +| 194 | GET | `/api/v1/risk/` | `reachability analyze` | Test | +| 196 | GET | `/api/v1/risk/cve/{cve_id}` | `reachability analyze {cve}` | Test | +| - | GET | Multiple risk endpoints | `reachability bulk {cves}` | Test | + +--- + +## Evidence (3 endpoints) + +| # | Method | Endpoint | CLI Command | Stage | +| --- | --- | --- | --- | --- | +| 197 | GET | `/api/v1/evidence/` | `get-evidence` | Audit | +| 198 | GET | `/api/v1/evidence/{release}` | `get-evidence --run` | Audit | + +--- + +## Health (5 endpoints) + +| # | Method | Endpoint | CLI Command | Stage | +| --- | --- | --- | --- | --- | +| 154-156 | GET | `/health`, `/api/v1/health/*` | `health` | Any | + +--- + +## CLI Command Summary (67 total) + +| Category | Commands | Count | +| --- | --- | --- | +| Core Pipeline | `run`, `make-decision`, `ingest`, `analyze`, `stage-run`, `get-evidence` | 11 | +| Compliance | `compliance frameworks/status/gaps/report` | 4 | +| Reports | `reports list/generate/export/schedules` | 4 | +| Inventory | `inventory apps/add/get/services/search` | 5 | +| Policies | `policies list/get/create/validate/test` | 5 | +| Integrations | `integrations list/configure/test/sync` | 4 | +| Analytics | `analytics dashboard/mttr/coverage/roi/export` | 5 | +| Audit | `audit logs/decisions/export` | 3 | +| Workflows | `workflows list/get/create/execute/history` | 5 | +| Advanced Pentest | `advanced-pentest run/threat-intel/business-impact/simulate/remediation/capabilities` | 6 | +| Reachability | `reachability analyze/bulk/status` | 3 | +| Teams | `teams list/get/create` | 3 | +| Users | `users list/get/create` | 3 | +| PentAGI | `pentagi list-requests/create-request/get-request/list-results` | 4 | +| Utility | `health`, `show-overlay`, `demo`, `train-forecast` | 4 | + +--- + +## API-Only Features (Not in CLI) + +| Category | Count | Reason | +| --- | --- | --- | +| Chunked Uploads | 4 | Large file streaming | +| Graph Visualization | 4 | Interactive UI required | +| Bulk Operations | 5 | Complex batch operations | +| IDE Integration | 3 | Real-time code analysis | +| Marketplace | 12 | E-commerce features | +| SSO/Auth | 4 | OAuth browser flows | +| Webhooks | 7 | Event-driven configuration | diff --git a/scripts/demo_sidecar.py b/scripts/demo_sidecar.py index 06ac5bdad..750eba8fb 100644 --- a/scripts/demo_sidecar.py +++ b/scripts/demo_sidecar.py @@ -6,6 +6,7 @@ - Feeds real CVE data - Analyzes design-to-production security posture - Runs reachability analysis +- Executes micro penetration tests - Executes PentAGI security assessments - Provides animated, real-time output for customer demos @@ -386,7 +387,39 @@ def run_pentagi_assessment( return results -def show_assessment_summary(cve_id: str, reachability: Dict, pentagi: Dict): +def run_micro_pentest( + client: httpx.Client, cve_id: str +) -> Optional[Dict[str, Any]]: + """Run a micro penetration test with animated output.""" + cve_info = DEMO_CVES.get(cve_id, {}) + payload = { + "cve_id": cve_id, + "target_url": "https://payments.example.com/api", + "service": "payments-api", + "component": cve_info.get("component", "unknown"), + "severity": cve_info.get("severity", "HIGH"), + } + + with console.status("[bold cyan]Running micro pentest...", spinner="dots"): + try: + r = client.post("/api/v1/micro-pentest/run", json=payload) + if r.status_code == 200: + return r.json() + if r.status_code in {404, 501}: + return { + "status": "demo", + "verdict": "likely_exploitable", + "confidence": 0.76, + } + except Exception as exc: + console.print(f"[yellow]Micro pentest warning: {exc}[/yellow]") + + return {"status": "demo", "verdict": "inconclusive", "confidence": 0.5} + + +def show_assessment_summary( + cve_id: str, reachability: Dict, micro_pentest: Dict, pentagi: Dict +): """Display the final assessment summary.""" console.print() @@ -451,6 +484,21 @@ def show_assessment_summary(cve_id: str, reachability: Dict, pentagi: Dict): pentagi_count = len(pentagi.get("results", [])) table.add_row("PentAGI Assessments", str(pentagi_count), "[green]COMPLETE[/green]") + # Micro Pentest Results + micro_verdict = str(micro_pentest.get("verdict", "inconclusive")).upper() + verdict_color = { + "CONFIRMED_EXPLOITABLE": "red", + "LIKELY_EXPLOITABLE": "orange1", + "UNEXPLOITABLE": "green", + "BLOCKED": "green", + "INCONCLUSIVE": "yellow", + }.get(micro_verdict, "yellow") + table.add_row( + "Micro Pentest Verdict", + f"[{verdict_color}]{micro_verdict}[/{verdict_color}]", + "[yellow]VALIDATED[/yellow]", + ) + console.print(table) # Recommendation @@ -548,15 +596,21 @@ def run_scenario( console.print(f" Status: {reachability.get('status', 'completed')}") time.sleep(1) - # Phase 5: PentAGI Assessment - phase_header("5", "Running PentAGI Security Assessment") + # Phase 5: Micro Pentest + phase_header("5", "Running Micro Penetration Test") + micro_pentest = run_micro_pentest(client, cve_id) or {} + console.print("[green]Micro pentest complete[/green]") + time.sleep(1) + + # Phase 6: PentAGI Assessment + phase_header("6", "Running PentAGI Security Assessment") pentagi = run_pentagi_assessment(client, cve_id) or {} console.print("[green]PentAGI assessment complete[/green]") time.sleep(1) - # Phase 6: Summary - phase_header("6", "Security Assessment Summary") - show_assessment_summary(cve_id, reachability, pentagi) + # Phase 7: Summary + phase_header("7", "Security Assessment Summary") + show_assessment_summary(cve_id, reachability, micro_pentest, pentagi) console.print() console.print("[bold green]Assessment Complete![/bold green]") @@ -599,8 +653,9 @@ def full_demo(): show_cve_info(cve_id) reachability = analyze_reachability(client, cve_id) or {} + micro_pentest = run_micro_pentest(client, cve_id) or {} pentagi = run_pentagi_assessment(client, cve_id) or {} - show_assessment_summary(cve_id, reachability, pentagi) + show_assessment_summary(cve_id, reachability, micro_pentest, pentagi) time.sleep(2) @@ -633,6 +688,7 @@ def health(): ("/api/v1/status", "API Status"), ("/api/v1/enhanced/capabilities", "Capabilities"), ("/api/v1/reachability/health", "Reachability"), + ("/api/v1/micro-pentest/status/0", "Micro Pentest"), ("/api/v1/pentagi/stats", "PentAGI"), ]