Connectivity Scanner

Beyond Infrastructure as Code

Infrastructure as Code tools like Terraform define your cloud resources—but they don’t show the full attack surface. Your application code makes dozens of connections to databases, APIs, and external services that aren’t in your IaC files. ThreatMitigator’s Connectivity Scanner bridges this gap.

The Problem: Hidden Connections

What IaC misses:

• REST API calls to third-party services
• Database connections from application code
• Message queue publishers and consumers
• Cloud SDK usage (S3 uploads, Lambda invocations)
• Authentication endpoints (OAuth, SAML, LDAP)
• WebSocket and real-time communication
• Email services, SMS gateways, and notification APIs
• Caching layers and session stores

The gap:

1
2
3
4
5

# Your Terraform shows this:
resource "aws_instance" "app" {
  ami           = "ami-12345678"
  instance_type = "t3.medium"
}

But your Python code does this:

1
2
3
4
5
6
7
8

# Hidden connections not in IaC:
import stripe
import sendgrid
import psycopg2

stripe.api_key = os.getenv('STRIPE_KEY')  # Payment API
db = psycopg2.connect(os.getenv('DATABASE_URL'))  # External DB
sg = sendgrid.SendGridAPIClient(api_key=os.getenv('SENDGRID_KEY'))  # Email API

Result: Incomplete threat models that miss critical attack vectors.

How Connectivity Scanner Works

1. Automatic Discovery

The scanner analyzes your source code to find:

Database Connections

• Relational: PostgreSQL, MySQL, SQL Server, Oracle, SQLite
• NoSQL: MongoDB, Redis, Cassandra, DynamoDB
• Graph: Neo4j, ArangoDB
• Time-series: InfluxDB, TimescaleDB
• ORMs and database client libraries

HTTP/HTTPS APIs

• REST API calls
• GraphQL endpoints
• SOAP services
• Webhook configurations
• All major HTTP client libraries

Message Queues & Event Streams

• RabbitMQ, Apache Kafka, Amazon SQS/SNS
• Azure Service Bus, Google Pub/Sub
• Redis Pub/Sub, NATS, Apache Pulsar

Cloud Service SDKs

• AWS SDK (S3, Lambda, EC2, DynamoDB, etc.)
• Azure SDK (Blob Storage, Functions, Cosmos DB)
• Google Cloud SDK (GCS, Cloud Functions, BigQuery)

Authentication & Identity

• OAuth endpoints and providers
• SAML identity providers
• LDAP/Active Directory
• API key usage and JWT tokens

Real-Time Communication

• WebSocket connections
• Server-Sent Events (SSE)
• Socket.io, MQTT

Email, SMS & Notifications

• SMTP connections
• Email APIs (SendGrid, Mailgun, AWS SES)
• SMS gateways (Twilio, AWS SNS)
• Push notification services

Caching & Storage

• Redis, Memcached
• Network file systems (NFS, SMB)
• Object storage (S3, Azure Blob, GCS)
• FTP/SFTP connections

2. Protocol Classification

For every discovered connection, the scanner identifies:

Encryption Status:

• ✅ Encrypted: TLS/SSL, HTTPS, WSS, SFTP, encrypted database connections
• ⚠️ Unencrypted: HTTP, plain TCP, FTP, unencrypted database connections
• ❓ Configurable: Runtime-determined encryption settings

Connection Direction:

• Outbound: Your app connects to external services
• Inbound: Your app accepts connections (listeners/servers)
• Bidirectional: Both client and server capabilities

Port Classification:

• Standard ports: Well-known service ports (80, 443, 3306, 5432)
• Non-standard ports: Custom or unusual port assignments
• Dynamic ports: Environment variable or runtime-configured

3. Context for Threat Modeling

Each connection includes rich context:

• Source location: File path, line number, function/method
• Variable names: Endpoint URLs, connection strings
• Authentication indicators: Credential usage patterns
• Comments: Developer documentation near connection code

This context feeds directly into STRIDE threat analysis:

• Spoofing: Which endpoints authenticate? How?
• Tampering: Are connections encrypted? Can data be modified?
• Repudiation: Are API calls logged? Which message queues track events?
• Information Disclosure: What data flows to third parties?
• Denial of Service: Which dependencies could fail?
• Elevation of Privilege: Which services have elevated access?

Language Coverage

ThreatMitigator scans 25+ programming languages with framework-aware detection:

Tier 1 Support (Comprehensive)

• JavaScript/TypeScript: Node.js, React, Vue, Angular, Express, Next.js
• Python: Django, Flask, FastAPI, SQLAlchemy, requests
• Java: Spring Boot, Jakarta EE, JDBC, Hibernate
• C#: .NET, ASP.NET Core, Entity Framework
• Go: Standard library, Gin, Echo, GORM
• Rust: Tokio, async-std, Actix, Diesel
• PHP: Laravel, Symfony, WordPress, Doctrine
• Ruby: Rails, Sinatra, ActiveRecord

Tier 2 Support (Common Patterns)

• Kotlin: Spring Boot, Ktor, Android
• Swift: iOS/macOS URLSession, Alamofire
• C++: Boost, Qt, libcurl, POCO
• C: POSIX sockets, libcurl, database drivers
• Scala: Akka, Play Framework, Slick
• Elixir: Phoenix, Ecto

Tier 3 Support (Core Libraries)

• Perl, R, Objective-C, Dart, Haskell
• Clojure, Lua, Shell/Bash, PowerShell
• Groovy, MATLAB

Framework-Aware: Recognizes patterns specific to popular frameworks like Spring Boot, Django, Rails, Express, Laravel, and ASP.NET Core.

Example Output

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72

# Connectivity Scan Results
scan_summary:
  languages_detected: [Python, JavaScript, Go]
  total_connections: 47
  scan_duration: 8.3s
  codebase_size: 42,381 lines

database_connections:
  - type: PostgreSQL
    encryption: encrypted
    location: src/db/repository.py:15
    connection_string: postgresql://user@db.example.com:5432/prod
    confidence: 95%

  - type: Redis
    encryption: unencrypted
    location: src/cache/client.go:23
    host: localhost:6379
    confidence: 100%
    threats:
      - category: InformationDisclosure
        severity: medium
        description: Unencrypted Redis connection exposes cached data

api_connections:
  - type: HTTPS
    protocol: REST
    location: src/api/client.py:45
    endpoint: https://api.stripe.com/v1/charges
    direction: outbound
    authentication: bearer_token
    confidence: 98%

  - type: HTTP
    protocol: REST
    location: src/integrations/webhook.js:12
    endpoint: http://internal-service:8080/events
    direction: outbound
    encryption: unencrypted
    confidence: 92%
    threats:
      - category: Tampering
        severity: high
        description: Unencrypted HTTP allows man-in-the-middle attacks

message_queues:
  - type: RabbitMQ
    encryption: amqps
    location: src/events/publisher.py:34
    host: rabbitmq.example.com:5671
    confidence: 97%

  - type: Kafka
    encryption: ssl
    location: src/streams/consumer.go:89
    brokers: [kafka-1:9093, kafka-2:9093]
    confidence: 100%

cloud_services:
  - provider: AWS
    service: S3
    location: src/storage/uploader.js:67
    bucket: user-uploads-prod
    encryption: aws:kms
    confidence: 100%

  - provider: Azure
    service: BlobStorage
    location: src/backup/sync.py:23
    container: backups
    encryption: microsoft_managed
    confidence: 95%

Integration with IaC Scanning

ThreatMitigator combines Infrastructure as Code scanning with Connectivity Scanner for complete coverage:

IaC Scanning Finds:

• Cloud resource configurations (EC2, S3, RDS, etc.)
• Network security groups and firewall rules
• IAM policies and permissions
• Encryption settings for infrastructure

Connectivity Scanner Adds:

• Application-level API connections
• Third-party service dependencies
• Database connections from code
• Message queue usage patterns
• Authentication flow details

Combined Result:

Complete attack surface map showing both infrastructure and application-level threats.

1
2
3
4

# Scan both IaC and application code
threatmitigator scan ./infrastructure --iac-only
threatmitigator scan ./src --code-only
threatmitigator scan ./ --full  # Scan everything

Performance & Accuracy

Speed

• 10,000 lines/second on standard hardware
• Microservices (5K-50K lines): < 10 seconds
• Large codebases (100K+ lines): < 5 minutes
• Parallel processing: Multi-core support for faster scanning

Accuracy

• <5% false positive rate: High precision connection detection
• <10% false negative rate: Catches well-formed connection code
• Confidence scoring: Every detection includes certainty percentage
• Pattern library: Continuously updated with new frameworks

Resource Usage

• <2GB RAM for codebases up to 500K lines
• Incremental scanning: Only re-scan changed files
• No compilation required: Static analysis of source code

Use Cases

Security Engineering

Challenge: “I need to know every external system our application talks to.”

Solution: Run connectivity scanner on your codebase to generate a complete inventory of all external connections, including those not documented or in IaC.

1
2

threatmitigator scan ./src --output connections.yaml
# Review all database connections, APIs, and third-party services

DevSecOps

Challenge: “Which services are making unencrypted external calls?”

Solution: Filter scan results to find unencrypted connections and prioritize remediation.

1
2

threatmitigator scan ./src --filter "encryption:unencrypted"
# Identify all HTTP, plain TCP, and unencrypted database connections

Compliance & Auditing

Challenge: “I need to document all third-party data sharing for GDPR compliance.”

Solution: Generate reports showing where your application sends data externally.

1
2

threatmitigator scan ./src --report-format sarif --output audit-report.json
# Export complete connection inventory for compliance documentation

Architecture Documentation

Challenge: “Our service dependency map is out of date.”

Solution: Automatically discover all service dependencies from source code.

1
2

threatmitigator scan ./microservices --graph-output
# Generate up-to-date dependency graph from actual code

Configuration & Customization

Exclusions

Skip directories that shouldn’t be scanned:

1
2
3
4
5
6
7

# .threatmitigator.yml
connectivity_scanner:
  exclude:
    - "**/test/**"
    - "**/vendor/**"
    - "**/node_modules/**"
    - "**/__mocks__/**"

Custom Patterns

Add patterns for proprietary frameworks:

1
2
3
4
5
6

connectivity_scanner:
  custom_patterns:
    - language: python
      pattern: 'our_custom_db.connect\((.*?)\)'
      type: database
      library: custom_orm

Filtering

Ignore localhost and internal connections:

1
2
3
4
5

connectivity_scanner:
  ignore_patterns:
    - "localhost"
    - "127.0.0.1"
    - "*.internal.company.com"

Integration Examples

CI/CD Pipeline (GitHub Actions)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

name: Security Scan
on: [push]

jobs:
  threat-model:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Install ThreatMitigator
        run: curl -sSL https://get.threatmitigator.com | sh

      - name: Scan Infrastructure
        run: threatmitigator scan ./terraform --format json -o iac-threats.json

      - name: Scan Application Code
        run: threatmitigator scan ./src --format json -o code-threats.json

      - name: Fail on Critical Threats
        run: threatmitigator check --severity critical --fail-on-issues

Pre-Commit Hook

1
2
3

#!/bin/bash
# .git/hooks/pre-commit
threatmitigator scan --changed-files --quick --fail-on critical

Docker Integration

1
2
3

FROM threatmitigator/scanner:latest
COPY . /workspace
RUN threatmitigator scan /workspace --output /results/threats.json

Roadmap

Current (v1.0)

✅ 25+ language support ✅ Database, API, message queue detection ✅ Encryption status classification ✅ JSON/YAML output formats

Coming Soon (v1.1)

🔄 Data flow tracking: Follow data through the application 🔄 Credential analysis: Identify hardcoded secrets 🔄 IDE extensions: Real-time detection in VS Code, IntelliJ

Future (v2.0)

📋 Runtime validation: Compare static analysis to actual behavior 📋 Auto-documentation: Generate architecture diagrams 📋 Dependency graphs: Complete service dependency maps

Getting Started

Installation

1
2
3
4
5

# Install ThreatMitigator CLI
curl -sSL https://get.threatmitigator.com | sh

# Verify installation
threatmitigator --version

First Scan

1
2
3
4
5
6

# Scan your application code
cd /path/to/your/project
threatmitigator scan ./src --connections-only

# Scan both IaC and code
threatmitigator scan ./ --full

View Results

1
2
3
4
5
6
7
8

# Generate human-readable report
threatmitigator scan ./src --format table

# Export to JSON for automation
threatmitigator scan ./src --format json --output connections.json

# Generate SARIF for GitHub Security
threatmitigator scan ./src --format sarif --output results.sarif

Why Connectivity Scanner Matters

Traditional threat modeling requires manual architecture documentation that quickly becomes outdated.

Infrastructure as Code scanning shows your cloud resources but misses application-level connections.

ThreatMitigator’s Connectivity Scanner bridges the gap by automatically discovering connections from source code—giving you a complete, accurate, and always up-to-date view of your attack surface.

With connectivity scanning, you can:

• ✅ Find hidden attack surfaces in application code
• ✅ Identify unencrypted connections that need remediation
• ✅ Document third-party dependencies for compliance
• ✅ Generate accurate threat models without manual work
• ✅ Keep security current as code changes

Complete visibility. Automated threat modeling. From infrastructure to application.