chasemp/cycoding

Cycode RIG (Risk Information Graph) Integration

This repository contains comprehensive tools for fetching vulnerability data from Cycode using their modern RIG GraphQL API and legacy report-based queries.

🚀 Quick Start

Prerequisites

pip install -r requirements.txt

Configuration

  1. Create secret.yaml with your Cycode credentials:
cycode:
  client_id: "your-client-id"
  client_secret: "your-client-secret"

Basic Usage

# Get all open violations (default)
python3 fetch_violations.py

# Get specific violation types (open violations by default)
python3 fetch_violations.py --type SAST
python3 fetch_violations.py --type SCA
python3 fetch_violations.py --type IAC
python3 fetch_violations.py --type LICENSE

# Get violations by status
python3 fetch_violations.py --type SAST --status OPEN
python3 fetch_violations.py --type SAST --status ALL
python3 fetch_violations.py --type SAST --status DISMISSED

# Using RIG reports for bulk exports
python3 fetch_violations_rig.py -q assets/rig_queries/sast_violations.json

πŸ“ Repository Structure

Core Tools

  • fetch_violations.py - Primary tool with comprehensive filtering
    • Types: ALL, SAST, IAC, SCA, LICENSE, SECRETS, CICD
    • Status: OPEN (default), DISMISSED, RESOLVED, CLOSED, ALL
    • Severity: Critical, High, Medium, Low, Info (comma-separated)
    • Tiers: Filter by repository tier (tier1, tier2, tier3, other, all)
  • fetch_violations_rig.py - Secondary tool using RIG report exports

Supporting Files

  • assets/ - Supporting libraries and assets
    • cycode_lib/ - Cycode API authentication and RIG functions
    • rig_queries/ - Pre-built RIG query templates for different violation types
  • cycode_policy_sync.py - SAST policy management tool
  • comprehensive_test/ - Sample output data
  • sast_policies.yaml - SAST policy configurations

🔧 Tools Comparison

Direct GraphQL (fetch_violations.py)

Best for: Real-time security monitoring and detailed analysis

✅ Advantages:

  • Rich vulnerability metadata (EPSS scores, CVE advisories)
  • Real-time data (38ms response time)
  • Exploitability information
  • Full dependency paths
  • Future-proof (Cycode's preferred approach)

📊 Data Quality:

{
  "vulnerability_id": "CVE-2024-12798",
  "package_name": "ch.qos.logback:logback-core",
  "severity": "Medium",
  "epss_info": {"epss": 0.00174},
  "advisory": {
    "summary": "Expression Language Injection vulnerability",
    "description": "Full CVE description..."
  }
}

RIG Reports (fetch_violations_rig.py)

Best for: Bulk exports and compliance reporting

✅ Advantages:

  • Large dataset exports (6,563 SAST violations)
  • CSV format support
  • Historical reporting capabilities
  • Simple flat data structure

📋 Use Cases:

  • Monthly compliance reports
  • Historical trend analysis
  • Executive dashboards
  • Audit documentation

🎯 Usage Examples

Comprehensive Filtering (Primary Approach)

# Get all open violations (default behavior)
python3 fetch_violations.py --type ALL

# Get SAST violations only (open by default)
python3 fetch_violations.py --type SAST --output-dir sast_results

# Get SCA vulnerabilities with rich CVE data
python3 fetch_violations.py --type SCA --max-pages 5

# Get all SAST violations regardless of status
python3 fetch_violations.py --type SAST --status ALL

# Get dismissed violations for analysis
python3 fetch_violations.py --type SAST --status DISMISSED

# Get Infrastructure as Code violations
python3 fetch_violations.py --type IAC

# Get license violations (subset of SCA)
python3 fetch_violations.py --type LICENSE

# Get secrets detection violations
python3 fetch_violations.py --type SECRETS

# Get CI/CD security violations
python3 fetch_violations.py --type CICD

# πŸ” Severity filtering - Focus on critical issues only
python3 fetch_violations.py --type SAST --severity critical

# πŸ” Multiple severity levels - Critical and High
python3 fetch_violations.py --type SCA --severity critical,high

# 🏷️ Tier filtering - Show only non-tiered repositories
python3 fetch_violations.py --type ALL --per-tier other

# 🏷️ Specific tier filtering - Show only tier1 and tier2
python3 fetch_violations.py --type SAST --per-tier tier1,tier2

# 🏷️ All tiers with detailed breakdown
python3 fetch_violations.py --type SCA --per-tier all

# 🚀 Advanced combinations
python3 fetch_violations.py --type ALL --severity critical --per-tier other
python3 fetch_violations.py --type SECRETS --severity high,medium --per-repo
python3 fetch_violations.py --type CICD --status ALL --per-tier tier1,tier2

RIG Reports (Secondary Approach)

# Export SAST violations to JSON
python3 fetch_violations_rig.py -q assets/rig_queries/sast_violations.json -o sast_report.json

# Export to CSV for spreadsheets
python3 fetch_violations_rig.py -q assets/rig_queries/all_violations.json -o compliance_report.csv -f CSV

# Get secrets detection data
python3 fetch_violations_rig.py -q assets/rig_queries/secrets_violations.json -o secrets_report.json

📋 Available RIG Query Templates

  • assets/rig_queries/sast_violations.json - SAST (Static Analysis) violations only
  • assets/rig_queries/secrets_violations.json - Secrets detection violations only
  • assets/rig_queries/all_violations.json - All violation types (SAST + SCA + Secrets)

🏷️ Tier Filtering Feature

The --per-tier flag allows you to filter repositories by their tier classification:

Tier Classification

  • TIER1, TIER2, TIER3: Repositories with explicit tier tags/labels
  • OTHER: Repositories without explicit tier classification

Usage Patterns

# Find all non-tiered repositories (identify unclassified repos)
python3 fetch_violations.py --per-tier other

# Focus on production tiers only
python3 fetch_violations.py --per-tier tier1,tier2

# Complete analysis of all tiers
python3 fetch_violations.py --per-tier all

# Critical issues in non-tiered repositories
python3 fetch_violations.py --severity critical --per-tier other

Benefits

  • 🎯 Targeted Analysis: Focus on specific repository groups
  • 📊 Repository Classification: Identify repos needing tier assignment
  • 🔍 Risk Assessment: Prioritize by tier importance
  • 📈 Governance: Track tier-specific security metrics
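The tier classification and --per-tier selection described above, as an added example that is not the repository's own code. It assumes each violation carries a repo_labels list (an assumed key, not Cycode's schema) in which tier tags such as "Tier1" appear case-insensitively, and that --per-tier accepts a comma-separated list, "other" or "all" as the usage patterns show:

```python
"""Tier classification and --per-tier filtering (added example, not from chasemp/cycoding)."""
import argparse

TIERS = ("tier1", "tier2", "tier3")


def classify_tier(labels):
    """Return tier1/tier2/tier3 from a repo's tags or labels, or "other" when none is present."""
    found = {label.strip().lower() for label in labels} & set(TIERS)
    if not found:
        return "other"
    # A repo tagged with several tiers is placed in the most critical one.
    return min(found, key=TIERS.index)


def parse_per_tier(value):
    """Turn 'tier1,tier2', 'other' or 'all' into the set of tier names to keep."""
    wanted = {v.strip().lower() for v in value.split(",") if v.strip()}
    if "all" in wanted:
        return set(TIERS) | {"other"}
    unknown = wanted - set(TIERS) - {"other"}
    if unknown:
        raise ValueError(f"unknown tier(s): {', '.join(sorted(unknown))}")
    return wanted


def filter_by_tier(violations, per_tier):
    """Keep violations whose repository falls in one of the selected tiers."""
    keep = parse_per_tier(per_tier)
    return [v for v in violations if classify_tier(v.get("repo_labels", [])) in keep]


# Constructed sample violations; the repo_labels key is assumed, not Cycode's real schema.
SAMPLE_VIOLATIONS = [
    {"repo": "payments-api", "repo_labels": ["Tier1", "java"], "severity": "Critical"},
    {"repo": "internal-tool", "repo_labels": ["tier3"], "severity": "High"},
    {"repo": "sandbox-scripts", "repo_labels": ["python"], "severity": "Critical"},
    {"repo": "web-frontend", "repo_labels": ["tier2", "tier1"], "severity": "Medium"},
]

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("--per-tier", default="all", help="tier1,tier2,tier3,other or all")
    args = parser.parse_args()
    for v in filter_by_tier(SAMPLE_VIOLATIONS, args.per_tier):
        print(v["repo"], classify_tier(v["repo_labels"]), v["severity"])
```

Running it with --per-tier other lists only repositories with no tier tag, which is how the "identify unclassified repos" pattern above works.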

πŸ† Recommendations

Primary Approach: Direct GraphQL

Use fetch_violations.py for:

  • Daily security monitoring
  • Detailed vulnerability analysis
  • Risk assessment with EPSS scoring
  • Real-time security dashboards

Secondary Approach: RIG Reports

Use fetch_violations_rig.py for:

  • Compliance reporting
  • Historical analysis
  • Bulk data exports
  • CSV format requirements

📊 Sample Results

Comprehensive Analysis Output

🔒 Total Unique Vulnerabilities: 201
🎯 Total Detection Instances: 201

⚠️ By Severity:
   Critical: 19
   High: 101
   Medium: 69
   Low: 12

📦 By Ecosystem:
   Maven: 113
   NPM: 35
   PyPI: 45
   Composer: 8

🎯 Exploitability Analysis:
   High Risk (>0.1 EPSS): 48
   Medium Risk (0.01-0.1): 25
   Low Risk (<0.01): 128
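How the summary above can be derived from records in the shape shown under Data Quality, as an added example that is not the repository's own code. It assumes the documented fields (vulnerability_id, package_name, severity, epss_info.epss) and the EPSS bands of the Exploitability Analysis; the sample records are constructed, and findings without an EPSS score are reported separately rather than dropped:

```python
"""Summarise SCA findings by severity and EPSS band (added example, not from chasemp/cycoding)."""
from collections import Counter

# Constructed sample records in the documented shape (not real Cycode output).
SAMPLE_FINDINGS = [
    {"vulnerability_id": "CVE-2024-12798", "package_name": "ch.qos.logback:logback-core",
     "severity": "Medium", "epss_info": {"epss": 0.00174}},
    {"vulnerability_id": "CVE-2024-12798", "package_name": "ch.qos.logback:logback-core",
     "severity": "Medium", "epss_info": {"epss": 0.00174}},  # same CVE seen in a second repo
    {"vulnerability_id": "CVE-EXAMPLE-0001", "package_name": "example-pkg",
     "severity": "Critical", "epss_info": {"epss": 0.42}},
    {"vulnerability_id": "CVE-EXAMPLE-0002", "package_name": "other-pkg",
     "severity": "High", "epss_info": {"epss": 0.05}},
    {"vulnerability_id": "CVE-EXAMPLE-0003", "package_name": "third-pkg",
     "severity": "High"},  # no epss_info attached at all
]


def epss_band(finding):
    """Map a finding to the README's exploitability bands; "Unscored" when EPSS is absent."""
    epss = (finding.get("epss_info") or {}).get("epss")
    if epss is None:
        return "Unscored"
    if epss > 0.1:
        return "High Risk (>0.1 EPSS)"
    if epss >= 0.01:
        return "Medium Risk (0.01-0.1)"
    return "Low Risk (<0.01)"


def summarise(findings):
    """Return the counts printed in the Sample Results section.

    Unique vulnerabilities are keyed on (vulnerability_id, package_name); detection
    instances count every record, so the same CVE in two repos adds two instances.
    """
    unique = {(f["vulnerability_id"], f["package_name"]) for f in findings}
    return {
        "unique": len(unique),
        "instances": len(findings),
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "by_exploitability": dict(Counter(epss_band(f) for f in findings)),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_FINDINGS).items():
        print(f"{key}: {value}")
```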

πŸ” Security Notes

  • Keep secret.yaml secure and never commit to version control
  • Credentials are loaded automatically from the environment or from the config file
  • All API calls use proper authentication headers

🤝 Support

Both approaches are fully functional and complementary. Choose based on your specific use case:

  • Real-time analysis → Direct GraphQL
  • Bulk reporting → RIG Reports

This implementation successfully integrates with Cycode's RIG (Risk Information Graph) system using both modern GraphQL endpoints and legacy report-based queries.
