The /attacker-mind page surfaces toxic combinations — sets of findings that together enable a higher-impact compromise — across every connected repository’s latest scan.

Page structure

  1. Stat row — three cards: Toxic combinations (total), Critical, and High.
  2. Filter & sort controls — a repo-name search box, a criticality filter (All / Critical / High), and a sort toggle (Criticality or Name, ascending or descending). The criticality filter narrows the view to just combinations at the chosen level — repositories with none drop out, and the ones that remain show only their matching combinations; the stat row above stays at your account-wide totals.
  3. Per-repository sections — each repository with at least one combination gets a section listing its combination cards. Repositories with no combinations are omitted.
Each combination card shows:
  • a severity badge (CRITICAL / HIGH), the combination’s name, and its scope (a workflow file, or repository-wide);
  • a one-paragraph impact narrative;
  • an interactive attack-chain graph — left-to-right nodes for each stage of the attack, ending in the compromise. Hover/pan to explore; each non-terminal node is numbered and the final node is the impact;
  • a green Break the chain callout naming the single fix that defeats the whole scenario; and
  • an expandable contributing findings list with each finding’s rule ID, severity, and file:line.

On a single repository

The same combinations also appear on each repository’s detail page (/repositories/:id), in an Attacker Mind card scoped to just that repo’s latest scan. It uses the identical combination cards — severity badge, impact, attack-chain graph, break-the-chain fix, and contributing findings — and links back to the cross-repo dashboard. When a repo’s findings don’t chain into a higher-impact compromise, the card shows a reassuring empty state instead.

How the data is computed

The page calls GET /api/attack-paths, which loads each repository’s latest-scan findings server-side and runs the shared detection engine (pkg/scanner). Detection is identical to the CLI; the dashboard only groups results by repository and rolls up the counts. Because combinations derive from already-persisted findings, the page reflects your most recent scans. Run a scan from the Dashboard or Repositories view to refresh them. A combination never includes a finding from a rule you’ve turned off in Rule settings.
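As an added illustration (not the project's own pkg/scanner or API code), the following Go model captures the three rules this section states: findings from rules turned off in Rule settings are excluded before detection, a combination fires only when all of its constituent findings are present in the same repository, and the criticality filter drops repositories with no matching combination while the stat row is computed from the unfiltered result. The combination-definition format, the rule IDs and the repository names are assumptions.

```go
package main

type Finding struct{ Repo, RuleID, Severity, Location string } // one persisted scan result
// ComboRule is a hypothetical combination definition (not the product's format).
type ComboRule struct {
	Name, Criticality string
	Requires          []string // rule IDs that must all be present in one repository
}

// Combination is one detected toxic combination plus its contributing findings.
type Combination struct {
	Repo, Name, Criticality string
	Contributing            []Finding
}

// Detect drops findings from rules turned off in Rule settings, then fires every
// combination whose required rules are all still present in the same repository.
func Detect(byRepo map[string][]Finding, rules []ComboRule, disabled map[string]bool) (out []Combination) {
	for repo, fs := range byRepo {
		have := map[string]Finding{} // rule ID -> one representative finding
		for _, f := range fs {
			if !disabled[f.RuleID] {
				have[f.RuleID] = f
			}
		}
		for _, r := range rules {
			c := Combination{Repo: repo, Name: r.Name, Criticality: r.Criticality}
			for _, id := range r.Requires {
				if f, ok := have[id]; ok {
					c.Contributing = append(c.Contributing, f)
				}
			}
			if len(c.Contributing) == len(r.Requires) { // every required rule present
				out = append(out, c)
			}
		}
	}
	return out
}

// FilterByCriticality builds per-repository sections ("" is All); repos with no match drop out.
func FilterByCriticality(cs []Combination, level string) map[string][]Combination {
	sections := map[string][]Combination{}
	for _, c := range cs {
		if level == "" || c.Criticality == level {
			sections[c.Repo] = append(sections[c.Repo], c)
		}
	}
	return sections
}
```

Computing the stat row from the unfiltered slice returned by Detect, and the sections from FilterByCriticality, reproduces the behaviour described above: the totals stay account-wide while the filtered view narrows.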

Empty state

If none of your repositories’ findings chain into a higher-impact compromise, the page shows a reassuring empty state. Fixing individual findings — especially the break-the-chain one on any combination — keeps it that way.