Page structure
- Stat row — three cards: Toxic combinations (total), Critical, and High.
- Filter & sort controls — a repo-name search box, a criticality filter (All / Critical / High), and a sort toggle (Criticality or Name, ascending or descending). The criticality filter narrows the view to just combinations at the chosen level — repositories with none drop out, and the ones that remain show only their matching combinations; the stat row above stays at your account-wide totals.
- Per-repository sections — each repository with at least one combination gets a section listing its combination cards. Repositories with no combinations are omitted. Each combination card shows:
  - a severity badge (CRITICAL/HIGH), the combination’s name, and its scope (a workflow file, or repository-wide);
  - a one-paragraph impact narrative;
  - an interactive attack-chain graph — left-to-right nodes for each stage of the attack, ending in the compromise. Hover/pan to explore; each non-terminal node is numbered and the final node is the impact;
  - a green Break the chain callout naming the single fix that defeats the whole scenario; and
  - an expandable contributing findings list with each finding’s rule ID, severity, and file:line.
On a single repository
The same combinations also appear on each repository’s detail page (/repositories/:id), in an Attacker Mind card scoped to just that repo’s latest scan. It uses the identical combination cards — severity badge, impact, attack-chain graph, break-the-chain fix, and contributing findings — and links back to the cross-repo dashboard. When a repo’s findings don’t chain into a higher-impact compromise, the card shows a reassuring empty state instead.
How the data is computed
The page calls GET /api/attack-paths, which loads each repository’s latest-scan findings server-side and runs the shared detection engine (pkg/scanner). Detection is identical to the CLI; the dashboard only groups results by repository and rolls up the counts.
Because combinations derive from already-persisted findings, the page reflects your most recent scans. Run a scan from the Dashboard or Repositories view to refresh them. A combination never includes a finding from a rule you’ve turned off in Rule settings.
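Client-side model of the filter, sort and stat-row behaviour described under Page structure, and of the per-repository grouping returned by the endpoint above (an added example, not the project's own code). Assumptions: GET /api/attack-paths returns [{ repo, combinations: [{ name, severity }] }] with severity CRITICAL or HIGH, and the sort toggle orders repository sections by their highest criticality or by name.

```javascript
// Added example; response shape and section-level sorting are assumptions.
const SEVERITY_RANK = { CRITICAL: 2, HIGH: 1 };

// Constructed sample standing in for the API response; names are illustrative.
const SAMPLE_RESPONSE = [
  { repo: "payments-api", combinations: [
    { name: "Untrusted code runs with a write token", severity: "CRITICAL" },
    { name: "Unpinned action in a privileged workflow", severity: "HIGH" } ] },
  { repo: "docs-site", combinations: [
    { name: "Unpinned action in a privileged workflow", severity: "HIGH" } ] },
  { repo: "infra-tools", combinations: [] }, // no combinations: never rendered
];

// Stat row: always rolled up from the unfiltered response (account-wide totals),
// so changing the criticality filter below never changes these numbers.
function rollUpCounts(response) {
  const counts = { total: 0, critical: 0, high: 0 };
  for (const { combinations } of response) {
    for (const c of combinations) {
      counts.total += 1;
      if (c.severity === "CRITICAL") counts.critical += 1;
      else if (c.severity === "HIGH") counts.high += 1;
    }
  }
  return counts;
}

// Per-repository sections after the repo-name search, criticality filter and sort.
// criticality: "ALL" | "CRITICAL" | "HIGH"; sortBy: "criticality" | "name".
function buildSections(response, { search = "", criticality = "ALL",
                                   sortBy = "criticality", descending = true } = {}) {
  const needle = search.trim().toLowerCase();
  const sections = response
    .filter(r => r.repo.toLowerCase().includes(needle))
    .map(r => ({
      repo: r.repo,
      combinations: r.combinations
        .filter(c => criticality === "ALL" || c.severity === criticality)
        .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]),
    }))
    .filter(s => s.combinations.length > 0); // repos with nothing left drop out
  // Section key: highest criticality (combinations are sorted, so index 0) or name.
  const key = s => sortBy === "name" ? s.repo : SEVERITY_RANK[s.combinations[0].severity];
  sections.sort((a, b) => {
    const ka = key(a), kb = key(b);
    const cmp = ka < kb ? -1 : ka > kb ? 1 : a.repo.localeCompare(b.repo);
    return descending ? -cmp : cmp;
  });
  return sections;
}
```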