Thanks for contributing.
This document covers the practical workflow for local development, testing, and pull requests.
- Privilege escalation route submissions (OpenGraph edges/pathing).
- Lateral movement route submissions (OpenGraph edges/pathing).
- Bug reports and regressions.
- Feature requests.
- New/updated enum module behavior.
- New/updated config audit checks.
- Test and fixture maintenance.
- Documentation and wiki improvements.
- Keep changes focused and easy to review.
- Prefer small PRs over large multi-area refactors.
- Update docs (
README.mdandwiki/) when behavior or flags change. - Add or update tests for behavioral changes.
python3 -m venv .venv
source .venv/bin/activate
python -m pip install -U pip
python -m pip install .[dev]Run unit tests (same scope as CI):
python -m pytest -q -ra tests/unitIf you are working on integration behavior, run only the relevant integration tests for your change.
CI runs unit tests on:
- 3.10
- 3.11
- 3.12
Please avoid introducing version-specific behavior unless guarded and tested.
- Keep CLI output stable and readable.
- Avoid adding deprecated aliases unless explicitly requested.
- Preserve existing user-facing command behavior unless the change is intentional and documented.
- Unit tests pass locally.
- New behavior is covered by tests.
- Docs updated where needed (
README.md,wiki/). - No unrelated formatting or broad refactors mixed into the PR.
- Changelog/roadmap notes added when relevant.
Use this process when proposing or implementing new OpenGraph route logic.
- If this warrants a vulnerable disclosure to OCI themselves, follow these guidelines.
- Open an issue first with a clear route proposal.
- Include the route category:
privilege-escalationorlateral-movement. - Include source and destination node types (what can reach what).
- Include minimum required permissions/actions and OCI scope requirements.
- Include a minimal reproducible policy example using obfuscated values.
- Include why the route is valid and what guardrails prevent false positives.
- Implement the route in code, favoring existing helpers/rule tables where possible.
- Add or update tests that prove positive and negative cases.
- Update OpenGraph golden scenarios/outputs when behavior changes.
- In the PR, link the issue and summarize the exact edge(s) added/changed.
For OpenGraph route changes, include these artifacts in the PR:
- Updated scenario fixtures/statements under
tests/integration/opengraph_golden_iam/scenarios/when applicable. - Updated goldens under
tests/integration/opengraph_golden_iam/golden/when applicable. - Unit tests for rule/exclusion behavior under
tests/unit/.
Recommended validation commands:
pytest -q tests/unit
pytest -q tests/integration/opengraph_golden_iam
pytest -q tests/integration/opengraph_basic_group_membership
pytest -q tests/integration/opengraph_dynamic_group_membershipWhen filing issues, include:
- Command used
- Expected behavior
- Actual behavior
- Full error output
- Python version
- OS details
Use issues for all non-trivial submissions before opening a large PR.
- Bug report: include repro steps, expected vs actual, and logs/errors.
- Route correctness report: identify false-positive or false-negative edge behavior and include policy examples.
- Feature request: describe user outcome, not just implementation details.
- Refactor proposal: include risk, expected benefit, and impacted modules.
If you can, include:
- Scope of impact (
enum_all, specific enum module, OpenGraph, config audit, exports). - Whether behavior is breaking, additive, or a bug fix.
- Suggested acceptance criteria.
For non-route contributions, use the same quality bar:
- Docs: update
README.mdandwiki/pages tied to the behavior. - Tests only: explain what behavior is now protected and why it matters.
- Enum/config-audit changes: include sample command usage and expected output deltas.
- Performance work: include before/after measurements and test coverage.
By contributing, you agree your contributions are licensed under the project BSD-3-Clause license.