# Infrastructure Graph
The infrastructure graph turns Terraform analysis into a topology view. Instead of showing only "resource X has finding Y", SecureObs connects findings to the relationships between virtual networks, subnets, network security groups, private endpoints, databases, storage accounts, role assignments, and related Azure resources.
## What It Helps Answer
- Which public entry points connect to sensitive resources?
- Which resources are exposed by broad network rules?
- Which private endpoints reach storage or database services?
- Which findings are on infrastructure chokepoints?
- What attack path does a misconfiguration make plausible?
## Analysis Modes
| Mode | Where it runs | Fidelity | Current use |
|---|---|---|---|
| Managed static analysis | SecureObs-managed short-lived runner | Medium | Fast GitHub setup without cloud credentials |
| Customer CI plan mode | Customer CI runner | High | Best Terraform topology and resolved references |
| Existing plan JSON | Customer CI runner | High | Teams that already produce Terraform plans |
In all modes, raw Terraform plans and credentials must stay outside the SecureObs SaaS backend. The scanner uploads sanitized topology and findings only.
```mermaid
flowchart LR
    Source["Terraform plan or static HCL"] --> Sanitizer["Local sanitizer"]
    Sanitizer --> Topology["Allowlisted topology"]
    Sanitizer --> Findings["IaC findings"]
    Topology --> GraphApi["Graph API"]
    Findings --> GraphApi
    GraphApi --> Canvas["Infrastructure graph"]
    GraphApi --> Narrative["Evidence-qualified narrative"]
```
## Data Boundary
SecureObs graph ingestion keeps allowlisted topology fields such as resource names, resource types, regions, network relationships, selected security flags, and finding references. It drops raw variables, provider configuration, backend configuration, outputs, and obvious secret-like values.
## Interpreting The Graph
Graph edges describe observed or inferred relationships:
| Edge family | Meaning |
|---|---|
| Containment | Resource group, VNet, subnet, and parent-child placement |
| Network association | NSG associations, NIC/subnet links, public IP attachment |
| Private access | Private endpoint to target service |
| Identity | Role assignments and managed identity relationships |
| Finding | Security finding attached to one or more resources |
Graph narratives are evidence-qualified. Treat them as triage guidance, not as a proof of exploitability.
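To make the data boundary and the edge families above concrete, here is an added example (not SecureObs code) of a small Python sanitizer that reads the `terraform show -json` plan shape, keeps only allowlisted resource attributes, never forwards variables, outputs, provider configuration or secret-looking keys, and derives containment, network-association and private-access edges from the `references` lists in the plan's configuration block. `KEEP_ATTRS`, `EDGE_FAMILY` and the `SAMPLE_PLAN` input are assumptions constructed for this example.

```python
import re

# Resource attributes allowed to leave the runner; everything else is dropped (assumed allowlist).
KEEP_ATTRS = {"name", "location", "address_prefixes", "public_network_access_enabled"}
SECRET_RE = re.compile(r"(?i)secret|password|access_key|connection_string|sas_token")
# Terraform argument -> edge family; private_service_connection is the azurerm_private_endpoint block.
EDGE_FAMILY = {"resource_group_name": "containment", "virtual_network_name": "containment",
               "subnet_id": "network_association", "network_security_group_id": "network_association",
               "public_ip_address_id": "network_association", "private_service_connection": "private_access"}

def collect_refs(expr):
    """Yield every 'references' entry below a plan-JSON expression (dict or nested block list)."""
    if isinstance(expr, dict):
        yield from expr.get("references", [])
        expr = list(expr.values())
    for item in expr if isinstance(expr, list) else []:
        yield from collect_refs(item)

def sanitize_plan(plan):
    """Return allowlisted nodes and edges; variables, outputs and provider config are never read."""
    nodes, edges = {}, set()
    for res in plan.get("planned_values", {}).get("root_module", {}).get("resources", []):
        attrs = {k: v for k, v in res.get("values", {}).items() if k in KEEP_ATTRS and not SECRET_RE.search(k)}
        nodes[res["address"]] = {"type": res["type"], "attrs": attrs}
    for res in plan.get("configuration", {}).get("root_module", {}).get("resources", []):
        for arg, expr in res.get("expressions", {}).items():
            family = EDGE_FAMILY.get(arg)  # unknown arguments (tags, sku, ...) produce no edge
            for ref in collect_refs(expr):
                parts = ref.split(".")  # "azurerm_subnet.app.id" -> resource address azurerm_subnet.app
                if family and len(parts) >= 2 and parts[0].startswith("azurerm_"):
                    edges.add((res["address"], family, ".".join(parts[:2])))
    return {"nodes": nodes, "edges": sorted(edges)}

SAMPLE_PLAN = {  # constructed, cut-down `terraform show -json` shape, not a real plan
    "variables": {"db_admin_password": {"value": "hunter2"}},
    "planned_values": {"root_module": {"resources": [
        {"address": "azurerm_resource_group.rg", "type": "azurerm_resource_group", "values": {"name": "rg-app"}},
        {"address": "azurerm_subnet.app", "type": "azurerm_subnet", "values": {"name": "snet-app"}},
        {"address": "azurerm_storage_account.data", "type": "azurerm_storage_account",
         "values": {"name": "stappdata", "public_network_access_enabled": False, "primary_access_key": "AAAA"}},
        {"address": "azurerm_private_endpoint.pe", "type": "azurerm_private_endpoint", "values": {"name": "pe"}}]}},
    "configuration": {
        "provider_config": {"azurerm": {"expressions": {"subscription_id": {"constant_value": "sub-id"}}}},
        "root_module": {"resources": [
            {"address": "azurerm_subnet.app", "type": "azurerm_subnet", "expressions": {
                "resource_group_name": {"references": ["azurerm_resource_group.rg.name", "azurerm_resource_group.rg"]}}},
            {"address": "azurerm_private_endpoint.pe", "type": "azurerm_private_endpoint", "expressions": {
                "subnet_id": {"references": ["azurerm_subnet.app.id", "azurerm_subnet.app"]},
                "private_service_connection": [{"private_connection_resource_id": {
                    "references": ["azurerm_storage_account.data.id", "azurerm_storage_account.data"]}}]}}]}}}
```

Running `sanitize_plan(SAMPLE_PLAN)` yields four nodes with the access key and the variable stripped, and three edges: a containment edge from the subnet to its resource group, a network-association edge from the private endpoint to the subnet, and a private-access edge from the private endpoint to the storage account.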