Module Reference

Detailed breakdown of every source module, its responsibility, and key classes.

Source Tree

src/main/java/io/github/SaptarshiSarkar12/k8sattackmap/

├── K8sAttackMapApplication.java   # Entry point, top-level wiring
├── cli/                           # Argument parsing
├── ingestion/                     # Cluster data parsing
├── model/                         # Core domain types
├── security/                      # CVE scanning and risk scoring
├── analysis/                      # Core analysis algorithms
│   ├── graph/                     # Path discovery
│   ├── chokepoint/                # Choke point ranking + remediation
│   ├── blast/                     # Blast radius BFS
│   └── remediation/               # Remediation plan generation
├── export/                        # Output generation
└── util/                          # Shared utilities

Module Responsibilities

cli — Command-Line Interface

CommandParser parses and validates all CLI arguments using Apache Commons CLI. Supports short flags (-k, -s, -t, -m, -a, -o) and long forms. Returns true on success, false on error or when --help / --version is requested.


ingestion — Cluster Data Parsing

K8sJsonParser is the largest module. It parses the Kubernetes API JSON into a ClusterGraphData containing all node and edge lists. Handles: Pods, Deployments, ReplicaSets, StatefulSets, DaemonSets, Services, Ingresses, ServiceAccounts, Roles, ClusterRoles, RoleBindings, ClusterRoleBindings, Secrets, ConfigMaps, Nodes, PersistentVolumes, and PersistentVolumeClaims.

KubectlExtractor runs kubectl get ... -A -o json to capture a live cluster snapshot.


model — Core Domain Types

| Class | Description |
| --- | --- |
| GraphNode | Vertex: resource type, namespace, name, intrinsic friction, SecurityFacts |
| GraphEdge | Edge: EdgeType + label string |
| EdgeType | Enum of all 19 semantic edge types |
| SecurityFacts | RBAC flags, container security context, credential material |
| ClusterGraphFactory | Builds the DirectedWeightedMultigraph from ClusterGraphData |
| ClusterGraphData | DTO: parsed nodes, edges, security facts, node lookup map |

security — CVE Scanning & Risk Scoring

AttackSurfaceClassifier — Heuristic auto-discovery of entry points and crown jewels.

EdgeRiskScorer — Computes friction weights from node intrinsic friction, CVE scores, and security context deductions. The resulting weight is clamped to [0.1, 25.0].

TrivyScanner — Invokes Trivy CLI per unique container image; results cached in TrivyCache.

TrivyJsonParser — Parses Trivy JSON output, normalising CVSS scores from NVD, GHSA, Red Hat, Bitnami.


analysis — Core Algorithms

| Class | Algorithm |
| --- | --- |
| AttackPathDiscovery | Dijkstra + AllDirectedPaths |
| ChokePointIdentifier | Ranking by path coverage |
| ChokePointRemediationAdvisor | kubectl command generation per choke point type |
| BlastRadiusAnalyzer | BFS with hop counting and ImpactSeverity classification |
| PrivilegeLoopDetector | Johnson's simple cycles on RBAC-filtered subgraph |
| ImpactRemediationAdvisor | Per-path remediation plan records |
| AnalysisOrchestrator | Coordinates all phases; produces AnalysisResult |
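
To make "ranking by path coverage" concrete, the following added example (not the project's own code) enumerates every simple path from entry points to a crown jewel and counts how many paths each intermediate node sits on, which is the figure a defender uses to decide where one fix cuts the most paths. It uses plain JDK collections rather than the project's graph classes; the class name, node IDs and graph are constructed for illustration.

```java
import java.util.*;

/** Added illustration: rank choke points by attack-path coverage on a constructed graph. */
public class ChokePointCoverageExample {

    // Constructed sample graph as an adjacency list; all node IDs are hypothetical.
    static final Map<String, List<String>> EDGES = Map.of(
        "ingress/web",        List.of("svc/web"),
        "svc/web",            List.of("pod/web"),
        "pod/web",            List.of("sa/web-sa"),
        "pod/batch",          List.of("sa/web-sa", "sa/batch-sa"),
        "sa/web-sa",          List.of("role/secret-reader"),
        "sa/batch-sa",        List.of("role/secret-reader"),
        "role/secret-reader", List.of("secret/db-creds"));

    /** Depth-first enumeration of all simple directed paths from node to target. */
    static void collectPaths(String node, String target, Deque<String> stack, List<List<String>> out) {
        stack.addLast(node);
        if (node.equals(target)) {
            out.add(new ArrayList<>(stack));
        } else {
            for (String next : EDGES.getOrDefault(node, List.of())) {
                if (!stack.contains(next)) collectPaths(next, target, stack, out); // skip cycles
            }
        }
        stack.removeLast();
    }

    /** Counts, for each intermediate node, how many attack paths pass through it. */
    static Map<String, Integer> coverage(List<List<String>> paths) {
        Map<String, Integer> counts = new TreeMap<>();
        for (List<String> p : paths) {
            if (p.size() < 3) continue; // no intermediate nodes on a direct hop
            for (String n : p.subList(1, p.size() - 1)) counts.merge(n, 1, Integer::sum);
        }
        return counts;
    }

    public static void main(String[] args) {
        List<List<String>> paths = new ArrayList<>();
        for (String entry : List.of("ingress/web", "pod/batch")) // assumed entry points
            collectPaths(entry, "secret/db-creds", new ArrayDeque<>(), paths);
        // Highest coverage first: the node whose hardening breaks the most paths.
        coverage(paths).entrySet().stream()
            .sorted(Map.Entry.<String, Integer>comparingByValue().reversed())
            .forEach(e -> System.out.printf("%-20s on %d of %d paths%n",
                e.getKey(), e.getValue(), paths.size()));
    }
}
```

In this constructed graph the Role sits on all three paths to the Secret, so tightening it removes every route at once, while restricting a single ServiceAccount leaves at least one path open.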

export — Output Generation

| Class | Output |
| --- | --- |
| AnalysisSummaryPrinter | ANSI-coloured console |
| CytoscapeExporter | k8s-threat-map.html |
| PdfReportEngine | k8s-threat-report.pdf (via iText html2pdf) |
| ExportService | Orchestrates all requested formats |

util — Shared Utilities

| Class | Purpose |
| --- | --- |
| AppConstants | Version string, file names, resource paths, ASCII banner |
| ConsoleColors | ANSI colour constants and disable switch |
| TerminalCapabilities | Detect colour/Unicode support |
| RiskConfig | Centralised risk thresholds (CVE cutoffs, friction clamp values) |
| TemplateStore | Loads HTML/PDF templates from classpath at runtime |
| JacksonConfig | Shared ObjectMapper configuration |
| NodeFinder | Looks up GraphNode by string ID |
| WorkspaceManager | Manages working directory for output files |

Test Structure

Tests mirror the source structure under src/test/ and use the *Test.java naming convention. TestGraphHelper provides reusable mock nodes, edges, and cluster graphs shared across test classes.

src/test/java/.../k8sattackmap/
├── cli/CommandParserTest.java
├── ingestion/{K8sJsonParserTest,KubectlExtractorTest}.java
├── model/{GraphNodeTest,ClusterGraphFactoryTest}.java
├── security/{EdgeRiskScorerTest,AttackSurfaceClassifierTest,trivy/TrivyJsonParserTest}.java
├── analysis/
│   ├── graph/{AttackPathDiscoveryTest,DijkstraTest,PrivilegeLoopDetectorTest}.java
│   ├── chokepoint/{ChokePointIdentifierTest,ChokePointRemediationAdvisorTest}.java
│   ├── blast/BlastRadiusAnalyzerTest.java
│   └── remediation/ImpactRemediationAdvisorTest.java
├── util/{RiskConfigTest,NodeFinderTest,StringUtilsTest}.java
└── helper/TestGraphHelper.java
