Metadata-Version: 2.4
Name: safecadence-netrisk
Version: 6.3.0
Summary: Free, open-source infrastructure + identity platform — 45 adapters (40 infra + 5 identity), 22 controls, 16 multi-vendor translators, AI policy intelligence, attack-path graph, KEV+EPSS-prioritized CVEs, cross-system drift detection, local-first, BYO-AI, never executes.
Project-URL: Homepage, https://safecadence.com/
Project-URL: Repository, https://github.com/safecadence/network-risk
Project-URL: Documentation, https://github.com/safecadence/network-risk#readme
Project-URL: Issues, https://github.com/safecadence/network-risk/issues
Project-URL: Changelog, https://github.com/safecadence/network-risk/blob/main/CHANGELOG.md
Author-email: SafeCadence <hello@safecadence.com>
License: MIT
License-File: LICENSE
Keywords: arista,aruba,audit,cisco,compliance,cve,firewall,infrastructure,network,security
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: System :: Networking
Classifier: Topic :: System :: Networking :: Monitoring
Classifier: Topic :: System :: Systems Administration
Requires-Python: >=3.9
Requires-Dist: click>=8.1
Requires-Dist: pyyaml>=6.0
Requires-Dist: rich>=13.0
Provides-Extra: ai
Requires-Dist: httpx>=0.25; extra == 'ai'
Provides-Extra: all
Requires-Dist: safecadence-network-risk[ai,dev,server,ssh,vault]; extra == 'all'
Provides-Extra: dev
Requires-Dist: mypy>=1.0; extra == 'dev'
Requires-Dist: pytest-cov>=4.0; extra == 'dev'
Requires-Dist: pytest>=7.0; extra == 'dev'
Requires-Dist: ruff>=0.1; extra == 'dev'
Provides-Extra: server
Requires-Dist: bcrypt>=4.0; extra == 'server'
Requires-Dist: cryptography>=42.0; extra == 'server'
Requires-Dist: fastapi>=0.110; extra == 'server'
Requires-Dist: httpx>=0.25; extra == 'server'
Requires-Dist: psycopg2-binary>=2.9; extra == 'server'
Requires-Dist: python-jose[cryptography]>=3.3; extra == 'server'
Requires-Dist: python-multipart>=0.0.9; extra == 'server'
Requires-Dist: sqlalchemy>=2.0; extra == 'server'
Requires-Dist: uvicorn[standard]>=0.27; extra == 'server'
Provides-Extra: ssh
Requires-Dist: paramiko>=3.0; extra == 'ssh'
Provides-Extra: vault
Requires-Dist: cryptography>=42.0; extra == 'vault'
Description-Content-Type: text/markdown

<div align="center">

# SafeCadence Device Intelligence Platform

**Free, open-source multi-vendor infrastructure platform — 40 vendor adapters across 6 domains, AI policy intelligence, multi-vendor remediation. Local-first. BYO-AI. Never executes.**

The features of AlgoSec, Tufin, FireMon, Tenable, Qualys, Wiz, NetBrain, and Itential — packaged into a single open-source CLI + local web UI you `pip install` in 30 seconds.

[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
[![PyPI version](https://img.shields.io/pypi/v/safecadence-netrisk.svg)](https://pypi.org/project/safecadence-netrisk/)
[![PyPI downloads](https://img.shields.io/pypi/dm/safecadence-netrisk.svg)](https://pypi.org/project/safecadence-netrisk/)
[![Python 3.9+](https://img.shields.io/badge/python-3.9+-blue.svg)](https://www.python.org/downloads/)

</div>

```bash
pip install 'safecadence-netrisk[server]'
safecadence ui     # opens http://127.0.0.1:8765
```

That's it. Discovery, identification, CVE matching, AI policy interpretation, drift detection, multi-vendor remediation generation, compliance reports — all running on your machine, no cloud, no signup, no telemetry.

---

## What it does

Three layers, one tool:

### v2 — Audit (the original)
- **Discovers every device on your LAN** — TCP probing + ARP cache + mDNS Bonjour + SNMP v2c (v2c sends the community string in cleartext, so probe with a read-only community and expect the probe itself to show up in the target's logs)
- **Identifies vendor + OS + model + version** — bundled OUI database, banner-grab, SNMP sysDescr, TLS cert subject, HTTP page-title
- **Matches against the live CISA KEV catalog** — flags known-exploited vulnerabilities
- **Toxic-combination detection** — *"Telnet AND HTTP admin AND SNMP exposed = compound critical"*
- **Compliance audit packs** — SOC 2, PCI-DSS, HIPAA, NIST 800-53, CIS Controls v8
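
How a compound finding can be scored from state the scan already holds, as an added example that is not the project's own engine: the predicates, patterns and sample fleet below are constructed to mirror the "Telnet AND HTTP admin AND SNMP exposed" rule above, and the two CVE IDs are real KEV entries used only as stand-ins for whatever the KEV lookup returned.

```python
"""Toxic-combination detection over discovered hosts (added example)."""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Host:
    ip: str
    open_ports: frozenset                 # TCP ports that answered during discovery
    snmp_v2c_default: bool = False        # answered SNMP v2c to a default community string
    kev_cves: frozenset = frozenset()     # CVEs on this host already matched to the KEV catalog


# Atomic exposures: one cheap check each over state the scan already holds.
PREDICATES = {
    "telnet":     lambda h: 23 in h.open_ports,
    "http_admin": lambda h: 80 in h.open_ports,
    "snmp_v2c":   lambda h: h.snmp_v2c_default,
    "rdp":        lambda h: 3389 in h.open_ports,
    "kev":        lambda h: bool(h.kev_cves),
}

# Toxic combinations (assumed patterns): exposures that are worse together than apart.
PATTERNS = [
    ("cleartext-mgmt-plane",  frozenset({"telnet", "http_admin", "snmp_v2c"}), "critical"),
    ("kev-on-cleartext-mgmt", frozenset({"kev", "telnet"}),                    "critical"),
    ("kev-exposed-rdp",       frozenset({"kev", "rdp"}),                       "high"),
    ("snmp-plus-telnet",      frozenset({"telnet", "snmp_v2c"}),               "high"),
]


def exposures(host):
    """Names of every predicate that holds for this host."""
    return {name for name, check in PREDICATES.items() if check(host)}


def evaluate(host):
    """Match each pattern whose exposures are all present, then keep only the
    maximal ones: a matched pattern that is a strict subset of another matched
    pattern is the same combination counted twice, so it is suppressed."""
    present = exposures(host)
    matched = [p for p in PATTERNS if p[1] <= present]
    maximal = [p for p in matched if not any(p[1] < other[1] for other in matched)]
    findings = [{"pattern": name, "severity": sev, "exposures": sorted(preds)}
                for name, preds, sev in maximal]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["pattern"]))


def scan(hosts):
    """Fleet view: only hosts with at least one toxic combination are listed."""
    return {h.ip: found for h in hosts if (found := evaluate(h))}


# Constructed sample fleet (not real scan output).
SAMPLE_HOSTS = [
    Host("192.168.1.1", frozenset({22, 23, 80}), snmp_v2c_default=True,
         kev_cves=frozenset({"CVE-2023-20198"})),
    Host("192.168.1.20", frozenset({22, 443})),
    Host("192.168.1.30", frozenset({3389}), kev_cves=frozenset({"CVE-2019-0708"})),
    Host("192.168.1.40", frozenset({23}), snmp_v2c_default=True),
]

if __name__ == "__main__":
    for ip, found in scan(SAMPLE_HOSTS).items():
        for f in found:
            print(f"{ip:15} {f['severity']:8} {f['pattern']:24} {'+'.join(f['exposures'])}")
```

The maximal-match step is the part worth copying: without it a host that trips the three-way pattern also trips every two-way subset and the report triples. The `kev` predicate is where the KEV data joins in; a KEV hit on its own is a CVE finding, the same hit next to a cleartext management protocol is a different, compound finding.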

### v4 — Device Intelligence Platform
- **40 vendor adapters across 6 infrastructure domains:**
  - **Network (8):** Cisco IOS/NX-OS/ASA, Arista EOS, Juniper Junos, Fortinet FortiGate, Palo Alto PAN-OS, Aruba CX, Brocade FabricOS, HPE ProCurve
  - **Servers (6):** Dell iDRAC, HPE iLO, Lenovo XClarity, Supermicro IPMI, Cisco UCS, IBM Power HMC
  - **Storage (9):** NetApp ONTAP, Pure Storage, Synology DSM, Dell EMC Unity + PowerStore, HPE Primera/3PAR + Nimble, IBM FlashSystem, Hitachi VSP
  - **Virtualization (5):** VMware vCenter, Nutanix Prism, Hyper-V, Proxmox VE, Citrix Hypervisor
  - **Cloud (6):** AWS, Azure, GCP, Kubernetes, OCI, Cloudflare
  - **Backup (6):** Veeam, Rubrik, Cohesity, Commvault, Veritas NetBackup, Acronis Cyber Protect
- **Universal asset schema** — every vendor's wildly different data normalized to one shape
- **Cross-domain correlation engine** — VM → host → datastore → array → backup chains
- **10 platform-wide reports** — lifecycle, security posture, capacity, backup compliance, vendor inventory, EOL/EOS, health summary, risk register, cloud exposure, executive overview
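
A dependency walk over a normalized inventory, as an added example rather than the project's correlation engine: the record fields (`host`, `datastore`, `array`, `protects`, `eol`, `immutable`) are an assumed stand-in for the universal asset schema, the inventory is constructed, and the three findings at the end are the kind of cross-domain result no single adapter can produce on its own.

```python
"""Cross-domain dependency walking over a normalized asset inventory (added example)."""
from collections import defaultdict

# Constructed inventory; ids and field names are made up for illustration.
ASSETS = [
    {"id": "vm-web01", "kind": "vm", "host": "esx-01", "datastore": "ds-prod-01"},
    {"id": "vm-db01",  "kind": "vm", "host": "esx-02", "datastore": "ds-prod-01"},
    {"id": "vm-lab01", "kind": "vm", "host": "esx-02", "datastore": "ds-lab"},
    {"id": "vm-tmp01", "kind": "vm", "host": "esx-02", "datastore": "ds-lab"},
    {"id": "esx-01", "kind": "host"},
    {"id": "esx-02", "kind": "host"},
    {"id": "ds-prod-01", "kind": "datastore", "array": "flash-a"},
    {"id": "ds-lab",     "kind": "datastore", "array": "flash-b"},
    {"id": "flash-a", "kind": "array", "eol": True},
    {"id": "flash-b", "kind": "array", "eol": False},
    {"id": "job-prod", "kind": "backup_job", "protects": ["vm-web01", "vm-db01"], "immutable": True},
    {"id": "job-lab",  "kind": "backup_job", "protects": ["vm-lab01"], "immutable": False},
]

# Record field -> outbound relation. A backup job lists what it protects, so
# that edge is inverted to hang off the VM (see Inventory.__init__).
RELATIONS = [("host", "runs_on"), ("datastore", "stored_on"), ("array", "lives_on")]


class Inventory:
    def __init__(self, assets):
        self.by_id = {a["id"]: a for a in assets}
        self.edges = defaultdict(list)    # id -> [(relation, target_id)]
        self.reverse = defaultdict(list)  # target_id -> [source_id]
        for a in assets:
            for field, relation in RELATIONS:
                if field in a:
                    self._link(a["id"], relation, a[field])
            for vm in a.get("protects", []):
                self._link(vm, "protected_by", a["id"])

    def _link(self, src, relation, dst):
        self.edges[src].append((relation, dst))
        self.reverse[dst].append(src)

    def chain(self, start, _seen=None):
        """Forward walk: everything `start` depends on, in discovery order.
        A target missing from the inventory is still reported, so a gap in
        collection shows up instead of silently truncating the chain."""
        seen = _seen if _seen is not None else {start}
        out = []
        for relation, target in self.edges[start]:
            if target not in seen:
                seen.add(target)
                out.append((relation, target))
                out.extend(self.chain(target, seen))
        return out

    def dependents(self, asset_id, _seen=None):
        """Reverse walk: every asset affected if `asset_id` fails."""
        seen = _seen if _seen is not None else set()
        for src in self.reverse[asset_id]:
            if src not in seen:
                seen.add(src)
                self.dependents(src, seen)
        return seen

    def blast_radius(self, asset_id):
        """Workloads (VMs) among the dependents."""
        return {i for i in self.dependents(asset_id)
                if self.by_id.get(i, {}).get("kind") == "vm"}

    def vm_findings(self):
        """Findings that need storage, virtualization and backup state together."""
        findings = {}
        for asset in self.by_id.values():
            if asset["kind"] != "vm":
                continue
            path = self.chain(asset["id"])
            arrays = [self.by_id.get(t, {}) for r, t in path if r == "lives_on"]
            jobs = [self.by_id[t] for r, t in path if r == "protected_by"]
            out = []
            if any(a.get("eol") for a in arrays):
                out.append("eol-array-in-path")
            if not jobs:
                out.append("no-backup")
            elif not any(j.get("immutable") for j in jobs):
                out.append("mutable-backup-only")
            if out:
                findings[asset["id"]] = out
        return findings


if __name__ == "__main__":
    inv = Inventory(ASSETS)
    print("vm-web01 ->", " -> ".join(f"{r}:{t}" for r, t in inv.chain("vm-web01")))
    print("blast radius of flash-a:", sorted(inv.blast_radius("flash-a")))
    print(inv.vm_findings())
```

The reverse index is what turns an inventory into a risk register: `blast_radius("flash-a")` answers "which workloads go down with this EOL array", and `vm_findings` flags the VM whose only backup is mutable, which neither the storage adapter nor the backup adapter could say alone.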

### v5 — Policy Intelligence Engine
- **22 atomic security controls** + **10 starter templates** (network hardening, firewall baseline, server hardening, cloud security, zero trust, etc.)
- **Plain-English → policy** via the AI interpreter (BYO-AI: OpenAI, Anthropic, or local Ollama). Offline keyword matcher always runs as a safety net so the AI can ADD controls but never drop one.
- **12 multi-vendor config translators** generate fix / rollback / verify commands per asset
- **7 export formats:** Ansible, Terraform, PowerShell, Bash, Markdown, PDF, raw configs
- **Continuous compliance + drift detection** + risk-acceptance exception workflow
- **GitOps for policies** — `safecadence policy git-sync git@github.com:org/policies.git`
- **Compliance attestation reports** — auditor-ready: NIST 800-53, CIS, PCI-DSS, HIPAA, ISO 27001
- **What-if simulator**, **CVE-driven auto-policies**, **shadow-IT detection**, **policy testing harness**, **multi-environment variants**, **violation webhooks**
- **NEVER executes commands.** Generated configs are exported for your existing change-management process (Ansible, Terraform, your runbook).
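
The safety-net merge in code, as an added example and not the project's interpreter: the control catalogue, the keyword table and the `fake_ai` stand-in for the BYO-AI call are assumptions, and the request string is the one from the 60-second tour. The point it adds is that the model's answer is handled as untrusted input: IDs outside the catalogue are rejected, nothing the offline matcher found can be dropped, and parameters such as addresses are taken from the request text, never from the model.

```python
"""Plain-English request -> policy controls, offline matcher as safety net (added example)."""
import re

# Assumed catalogue of control IDs the engine knows. Anything outside it is
# not a control, whatever the model says.
CATALOG = {"no-telnet", "ssh-v2-only", "aaa-tacacs", "ntp-enabled",
           "snmp-v3-only", "remote-syslog", "mgmt-acl", "login-banner"}

# Offline matcher (assumed table): a phrase in the request implies a control.
KEYWORDS = [
    (r"\btelnet\b",                  "no-telnet"),
    (r"\bssh\s*v?2\b",               "ssh-v2-only"),
    (r"\b(aaa|tacacs|radius)\b",     "aaa-tacacs"),
    (r"\bntp\b",                     "ntp-enabled"),
    (r"\bsnmp\s*v?3\b",              "snmp-v3-only"),
    (r"\b(syslog|logs?|logging)\b",  "remote-syslog"),
    (r"\b(mgmt|management)\b",       "mgmt-acl"),
]
IPV4 = r"\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b"

# The request from the 60-second tour.
REQUEST = ("Disable Telnet, enforce SSHv2, require AAA/TACACS to 10.10.10.5, "
           "enable NTP, enforce SNMPv3, send logs to 10.10.10.50, "
           "restrict mgmt to 10.10.10.0/24")


def keyword_controls(text):
    lowered = text.lower()
    return {ctrl for pattern, ctrl in KEYWORDS if re.search(pattern, lowered)}


def extract_params(text):
    """Addresses the controls get parameterised with. Pulled from the request,
    not from the model, so a hallucinated syslog target cannot land in a config."""
    return re.findall(IPV4, text)


def merge(baseline, suggested):
    """Unknown IDs are rejected; every control the offline matcher found
    survives whether or not the model repeated it."""
    accepted = set(baseline) | {c for c in suggested if c in CATALOG}
    rejected = {c for c in suggested if c not in CATALOG}
    kept_despite_ai = set(baseline) - set(suggested)
    return accepted, rejected, kept_despite_ai


def interpret(text, ai=None):
    baseline = keyword_controls(text)
    suggested = set(ai(text)) if ai else set()
    accepted, rejected, kept = merge(baseline, suggested)
    return {"controls": sorted(accepted), "params": extract_params(text),
            "rejected_ai_controls": sorted(rejected), "kept_despite_ai": sorted(kept)}


def fake_ai(text):
    """Stand-in for the BYO-AI call: adds a control the keyword table has no
    phrase for, invents one ID, and omits five the request plainly asks for."""
    return ["no-telnet", "ssh-v2-only", "login-banner", "disable-http-admin"]


if __name__ == "__main__":
    for key, value in interpret(REQUEST, ai=fake_ai).items():
        print(f"{key}: {value}")
```

With no AI configured, `interpret(REQUEST)` returns exactly the offline matcher's seven controls; with the model in the loop it returns eight, reports `disable-http-admin` as rejected, and lists the five controls the model omitted under `kept_despite_ai` so the reviewer can see what the model would have dropped.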

---

## Three install paths

| Method | Best for | One-liner |
|---|---|---|
| **Anyone** | Don't want to think about it | `curl -fsSL https://safecadence.com/install.sh \| bash` |
| **Python users** | Devs, sysadmins with Python on PATH | `pipx install safecadence-netrisk` |
| **Container/k8s** | Non-Python, ops, CI/CD | `docker run -p 8765:8765 -v sc-data:/data fkarim1/netrisk:latest ui --host 0.0.0.0` |

Then open `http://127.0.0.1:8765` and the sidebar will show three sections:
**Audit (v2)** · **Platform (v4)** · **Policy (v5)**.

Cross-platform: macOS (Intel + Apple Silicon), Linux (any glibc/musl distro), Windows via WSL or Git-Bash; physical or virtual.

Two things to check before running the one-liners. `curl ... | bash` executes whatever the server returns, so fetch `install.sh` first and read it (or take the `pipx` path, which installs the PyPI release) if that matters in your environment. The Docker line's `-p 8765:8765` publishes the UI on every host interface, and `safecadence ui` is the local single-user UI (the multi-user, JWT-authenticated API is the separate server mode); bind it to loopback with `-p 127.0.0.1:8765:8765` unless something that authenticates sits in front of it.

---

## 60-second tour

```bash
# v2: discover every device on your LAN
safecadence discover 192.168.1.0/24

# v2: audit a config file
safecadence scan ~/configs/router.txt --html report.html

# v5: list the 10 built-in policy templates
safecadence policy templates

# v5: turn plain English into a policy (with BYO-AI if a key is set)
safecadence policy interpret --ai \
  "Disable Telnet, enforce SSHv2, require AAA/TACACS to 10.10.10.5,
   enable NTP, enforce SNMPv3, send logs to 10.10.10.50,
   restrict mgmt to 10.10.10.0/24"

# v5: evaluate a saved policy against your collected fleet
safecadence policy evaluate <policy_id>

# v5: generate the fix as an Ansible playbook
safecadence policy export <policy_id> --format ansible --out fix.yml

# Open the unified web UI (Audit + Platform + Policy in one sidebar)
safecadence ui
```
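
What rule evaluation over a config file (the `safecadence scan` step above) looks like in principle, as an added example that is not the project's engine: the Architecture section lists three rule kinds for `engines/` (regex, absent, custom), and this shows one of each. The rule IDs, the rule table and both configs are constructed; the commands in them are standard Cisco IOS syntax, and the second config is the hardened form that should come back clean.

```python
"""Config-file audit with regex / absent / custom rules (added example)."""
import re

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def vty_blocks(lines):
    """Yield (line_no, [indented lines]) for every `line vty` stanza."""
    start, block = None, []
    for n, line in enumerate(lines, 1):
        if line.startswith("line vty"):
            if start:
                yield start, block
            start, block = n, []
        elif start and line.startswith(" "):
            block.append(line)
        elif start:
            yield start, block
            start, block = None, []
    if start:
        yield start, block


def vty_without_access_class(lines):
    """Custom rule: a VTY stanza with no inbound access-class is reachable from anywhere."""
    return [(n, lines[n - 1].strip()) for n, block in vty_blocks(lines)
            if not any(l.strip().startswith("access-class") for l in block)]


RULES = [  # assumed rule table; IDs are made up
    # regex: a matching line is the finding
    {"id": "IOS-001", "type": "regex", "severity": "high", "title": "Telnet accepted on a VTY line",
     "pattern": r"^\s*transport input .*\btelnet\b"},
    {"id": "IOS-002", "type": "regex", "severity": "critical", "title": "Default SNMP community",
     "pattern": r"^snmp-server community (public|private)\b"},
    # absent: a required line that never appears is the finding
    {"id": "IOS-003", "type": "absent", "severity": "medium", "title": "No remote syslog destination",
     "pattern": r"^logging host \S+"},
    {"id": "IOS-004", "type": "absent", "severity": "medium", "title": "SSHv2 not enforced",
     "pattern": r"^ip ssh version 2\b"},
    {"id": "IOS-005", "type": "absent", "severity": "low", "title": "No NTP server",
     "pattern": r"^ntp server \S+"},
    # custom: anything that needs context across lines
    {"id": "IOS-006", "type": "custom", "severity": "high", "title": "VTY line without access-class",
     "check": vty_without_access_class},
]


def run_rules(config_text, rules=RULES):
    lines = config_text.splitlines()
    findings = []
    for rule in rules:
        hits = []
        if rule["type"] == "regex":
            hits = [(n, l.strip()) for n, l in enumerate(lines, 1) if re.search(rule["pattern"], l)]
        elif rule["type"] == "absent":
            if not any(re.search(rule["pattern"], l) for l in lines):
                hits = [(None, "no line matches " + rule["pattern"])]
        elif rule["type"] == "custom":
            hits = rule["check"](lines)
        for n, evidence in hits:
            findings.append({"rule": rule["id"], "severity": rule["severity"],
                             "title": rule["title"], "line": n, "evidence": evidence})
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["rule"]))


# Constructed configs: the weak one and its hardened counterpart.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
service password-encryption
snmp-server community public RO
logging buffered 16384
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class 10 in
 transport input ssh
 login local
!
end
"""

HARDENED_CONFIG = """\
hostname edge-rtr-01
!
service password-encryption
ip ssh version 2
snmp-server group OPS v3 priv
logging host 10.10.10.50
ntp server 10.10.10.5
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
!
end
"""

if __name__ == "__main__":
    for f in run_rules(SAMPLE_CONFIG):
        where = f"line {f['line']}" if f["line"] else "absent"
        print(f"{f['rule']} {f['severity']:8} {where:8} {f['title']}: {f['evidence']}")
```

Two details matter in practice. `logging buffered` does not satisfy the remote-syslog rule, which is exactly the case an `absent` rule catches and a grep for "logging" misses. And the custom rule reports only the first VTY stanza, because the second one has an `access-class`, so per-stanza context is needed where a line-level regex would either miss it or flag both.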

---

## Why this exists

Network configuration auditors — AlgoSec, Tufin, FireMon, Tenable Nessus, Qualys VMDR, Rapid7 InsightVM, Wiz, NetBrain, Itential — share three properties: they cost upwards of $50,000/year per license, they take 1-2 weeks of professional services to deploy, and they want your configuration data flowing through their cloud.

For 90% of the value those tools deliver, the architecture is overkill. Most audits flag the same handful of things every time: any/any firewall rules, missing logging, default SNMP communities, telnet still enabled, OSes years past end-of-life, no backup immutability, public S3 buckets, wildcard IAM. These are pattern-matchable from already-collected device state. They do not need a SaaS backend or a $50,000 license.

`safecadence-netrisk` is the open-source version. It's MIT-licensed. It runs 100% on the operator's machine. It supports 40 vendors out of the box, across 6 infrastructure domains. It's installable with one command. There is no telemetry, no cloud sync, no signup. And it does things the commercial tools don't — toxic combinations, AI policy interpretation, multi-vendor remediation generation, GitOps for security policy.

---

## How it compares

| Capability | safecadence-netrisk v5.x | Tenable Nessus | Qualys VMDR | Wiz | NetBrain | AlgoSec |
|---|---|---|---|---|---|---|
| Multi-domain inventory (network/server/storage/virt/cloud/backup) | ✅ 40 adapters / 6 domains | partial | partial | cloud-only | network-only | network-only |
| Cross-domain correlation (VM→host→array→backup) | ✅ | ❌ | ❌ | partial | partial | ❌ |
| Plain-English → policy (AI) | ✅ BYO-AI | ❌ | ❌ | ❌ | partial | ❌ |
| Multi-vendor config remediation generation | ✅ 12 translators | ❌ | ❌ | ❌ | ✅ | partial |
| Export: Ansible / Terraform / PowerShell / Bash / MD / PDF | ✅ all 7 | ❌ | ❌ | ❌ | ❌ | ❌ |
| GitOps for security policies | ✅ `policy git-sync` | ❌ | ❌ | ❌ | ❌ | ❌ |
| What-if policy simulator | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ |
| CVE matching per device (KEV-prioritized) | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Toxic-combination detection | ✅ 10+ patterns | ❌ | ❌ | partial | ❌ | ❌ |
| Compliance packs (SOC 2/PCI/HIPAA/NIST/CIS/ISO) | ✅ all six | ✅ | ✅ | ✅ | partial | ✅ |
| Continuous monitoring + alerts | ✅ Slack/Teams/Email/webhook | ✅ | ✅ | ✅ | ✅ | ✅ |
| 100% local, no SaaS | ✅ | ❌ | ❌ | ❌ | partial | partial |
| Docker container (multi-arch) | ✅ amd64 + arm64 | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Price** | **Free, MIT-licensed** | **$3,990/yr** | **$2,800+/yr** | **$25k+/yr** | **$50k+/yr** | **$50k+/yr** |

---

## Documentation

| Topic | Where |
|---|---|
| **CLI commands** | `safecadence --help` (v2 audit + v5 `safecadence policy ...` subcommands) |
| **API endpoints** | `http://127.0.0.1:8765/api/docs` (after `safecadence ui`) |
| **Local UI tabs** | Run `safecadence ui` — sidebar shows all three eras |
| **Policy templates** | `safecadence policy templates` — or read `src/safecadence/policy/templates/*.yaml` |
| **Policy controls** | `safecadence policy controls` — 22 controls + their framework mappings |
| **Custom controls** | Drop YAML in `~/.safecadence/custom_controls/` — auto-loaded |
| **Compliance attestation** | Create and evaluate a policy with `safecadence policy ...`, then, with `safecadence ui` running, fetch `/api/policy/<id>/attestation?format=markdown` |
| **Architecture (platform)** | `docs/PLATFORM_ARCHITECTURE.md` |

---

## Architecture

```
safecadence-netrisk/
├── core/             v2 vendor adapter framework, registry, schema
├── adapters/         v2 audit adapters (config-file based)
├── engines/          v2 audit rule engine (regex + absent + custom)
├── discovery/        v2 LAN scan (ARP/mDNS/TCP/SNMP/OUI/CVE/AI)
├── enrichment/       CVE + EOL data refreshers
├── reports/          HTML / Markdown / JSON / DOCX / PDF renderers
├── ai/               Provider-agnostic LLM client (OpenAI / Anthropic / Ollama)
├── platform/         v4 Device Intelligence Platform
│   ├── schema.py        UnifiedAsset (12 dataclasses)
│   ├── adapter_base.py  BaseAdapter + registry
│   ├── connection_manager.py
│   ├── credential_vault.py  Fernet-encrypted multi-vendor creds
│   ├── health_scoring.py    4-dim score + grade A-F
│   ├── correlation.py       Cross-domain dependency walker
│   └── adapters/            40 vendor adapters across 6 domains
├── policy/           v5 Policy Intelligence Engine
│   ├── schema.py            SecurityPolicy / Control / Violation / Plan
│   ├── controls/            22 atomic security controls
│   ├── templates/           10 starter policy templates (YAML)
│   ├── frameworks/          NIST/CIS/PCI/HIPAA/ISO mappings
│   ├── translators/         12 vendor → config translators
│   ├── exporters/           7 output formats
│   ├── interpreter.py       Plain-English → policy (BYO-AI)
│   ├── evaluator.py         Run policy vs fleet
│   ├── drift.py             Regression detection
│   ├── remediation.py       Per-asset fix plan
│   ├── simulator.py         What-if rollout preview
│   ├── attestation.py       Auditor-ready evidence packs
│   ├── git_sync.py          Pull policies from a git repo
│   ├── exceptions.py        Risk-acceptance with auto-expiry
│   ├── cve_policies.py      Auto-generate from active CVEs
│   ├── webhooks.py          Splunk/Sentinel/Slack on violation
│   ├── shadow_it.py         Assets covered by no policy
│   ├── testing.py           Unit-test policies against fixtures
│   ├── audit.py             Append-only JSONL audit log
│   └── store.py             Local JSON store
├── server/           FastAPI server-mode API (multi-user, JWT)
├── ui/               Local single-user UI (`safecadence ui`)
│   ├── app.py               40+ endpoints incl. /api/platform/* + /api/policy/*
│   ├── templates/index.html Sidebar with Audit · Platform · Policy
│   ├── platform_ui.py       9-tab platform dashboard
│   └── policy_ui.py         7-tab policy dashboard
├── storage/          SQLite + SQLAlchemy backends
├── security/         Encrypted vault for credentials
├── cli.py            v2 CLI commands
└── cli_policy.py     v5 `safecadence policy ...` subcommands
```
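
What the `policy/translators/` and `remediation.py` layers in the tree above produce, as an added example and not the project's code: the two translators, the asset facts and the policy are assumptions, while the commands are standard Cisco IOS and Junos syntax. The point it adds is that a rollback should be derived from collected state rather than guessed, and when that state was never collected the plan says so instead of inventing one; the plan is data only, nothing here opens a session.

```python
"""Per-asset fix / rollback / verify plans that are data, never sessions (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Plan:
    fix: tuple
    rollback: tuple
    verify: tuple


@dataclass
class Asset:
    name: str
    vendor: str
    facts: dict = field(default_factory=dict)  # collected state the rollback is derived from


def cisco_ios(control, params, facts):
    if control == "no-telnet":
        current = facts.get("vty_transport")   # e.g. "telnet ssh", as read from the running config
        rollback = (("line vty 0 4", f" transport input {current}") if current
                    else ("! rollback not generated: current 'transport input' was not collected",))
        return Plan(fix=("line vty 0 4", " transport input ssh"),
                    rollback=rollback,
                    verify=("show running-config | section line vty",))
    if control == "remote-syslog":
        host = params["syslog"]
        return Plan(fix=(f"logging host {host}",),
                    rollback=(f"no logging host {host}",),
                    verify=("show running-config | include logging host",))
    return None


def juniper_junos(control, params, facts):
    # `commit confirmed 5` reverts on its own after five minutes unless a
    # second commit confirms it: the cheapest rollback there is.
    if control == "no-telnet":
        rollback = (("set system services telnet", "commit") if facts.get("telnet_enabled")
                    else ("# rollback not generated: telnet state was not collected",))
        return Plan(fix=("delete system services telnet", "commit confirmed 5"),
                    rollback=rollback,
                    verify=("show configuration system services",))
    if control == "remote-syslog":
        host = params["syslog"]
        return Plan(fix=(f"set system syslog host {host} any notice", "commit confirmed 5"),
                    rollback=(f"delete system syslog host {host}", "commit"),
                    verify=("show configuration system syslog",))
    return None


TRANSLATORS = {"cisco_ios": cisco_ios, "juniper_junos": juniper_junos}


def build_plans(policy, assets):
    """policy: {control_id: params}. Returns per-asset plans plus the
    (asset, control) pairs no translator covers, reported rather than skipped."""
    plans, unsupported = {}, []
    for asset in assets:
        translate = TRANSLATORS.get(asset.vendor)
        for control, params in policy.items():
            plan = translate(control, params, asset.facts) if translate else None
            if plan is None:
                unsupported.append((asset.name, control))
            else:
                plans.setdefault(asset.name, {})[control] = plan
    return plans, unsupported


def render(plans, unsupported):
    """Runbook text for the change ticket: the only artefact this produces."""
    lines = []
    for name, by_control in plans.items():
        for control, plan in by_control.items():
            lines.append(f"## {name}: {control}")
            for section in ("fix", "rollback", "verify"):
                lines.append(f"{section}:")
                lines.extend("    " + cmd for cmd in getattr(plan, section))
    for name, control in unsupported:
        lines.append(f"## {name}: {control}  (no translator; handle manually)")
    return "\n".join(lines)


# Constructed policy and fleet.
POLICY = {"no-telnet": {}, "remote-syslog": {"syslog": "10.10.10.50"}}
ASSETS = [
    Asset("edge-rtr-01", "cisco_ios", {"vty_transport": "telnet ssh"}),
    Asset("core-sw-01", "juniper_junos"),                # telnet state never collected
    Asset("fw-01", "fortinet_fortigate"),                # no translator in this example
]

if __name__ == "__main__":
    print(render(*build_plans(POLICY, ASSETS)))
```

Run it and the IOS rollback restores `transport input telnet ssh` because that is what was collected, the Junos rollback is a placeholder because nothing was, and `fw-01` shows up under "no translator" rather than vanishing from the plan. That last behaviour is what keeps an export honest when a fleet has more vendors than the translator set covers.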

---

## Need help running it?

SafeCadence offers fixed-scope remediation engagements. We use the same open-source engine you ran. The tool is and will stay free + MIT — our only revenue is doing the remediation work.

[**Email hello@safecadence.com →**](mailto:hello@safecadence.com)

---

## Contributing

PRs welcome — especially:
- **New vendor adapters** for the v4 platform (clone the closest match in `src/safecadence/platform/adapters/` and submit). 13 adapters in v5.0 are flagged as beta and need real-hardware validation.
- **New vendor translators** for v5 policy remediation (Cisco SD-WAN / Meraki / Mist / MikroTik / Ubiquiti are next).
- **Additional policy controls** — drop a YAML in `~/.safecadence/custom_controls/`, contribute upstream once it's proven.
- **Audit rules** for the v2 layer (drop YAML in `src/safecadence/data/rules/`).
- **Compliance framework mappings** — add to `src/safecadence/policy/frameworks/mappings.yaml`.
- **Policy templates** — add a YAML in `src/safecadence/policy/templates/`.

---

## License

MIT — see [LICENSE](LICENSE).
