{"id":50992089,"url":"https://github.com/ugiordan/architecture-analyzer","last_synced_at":"2026-06-20T04:32:20.914Z","repository":{"id":343987448,"uuid":"1179990695","full_name":"ugiordan/architecture-analyzer","owner":"ugiordan","description":"Static analysis tool that extracts architecture data from Kubernetes repos, builds multi-language code property graphs (Go, Python, TS, Rust), and runs security/architecture queries with taint analysis","archived":false,"fork":false,"pushed_at":"2026-06-13T04:31:34.000Z","size":87031,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-13T06:21:26.938Z","etag":null,"topics":["architecture","code-property-graph","golang","kubernetes","python","sarif","sbom","security","static-analysis"],"latest_commit_sha":null,"homepage":"https://ugiordan.github.io/architecture-analyzer/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ugiordan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-12T15:32:41.000Z","updated_at":"2026-06-12T20:36:11.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ugiordan/architecture-analyzer","commit_stats":null,"previous_names":["ugiordan/rhoai-architecture-analyzer","ugiordan/architecture-analyzer"],"tags_count":41,"template":false,"template_full_name":null,"purl":"pkg:github/ugiordan/architecture-analyzer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ugiordan%2Farchitecture-analyzer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ugiordan%2Farchitecture-analyzer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ugiordan%2Farchitecture-analyzer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ugiordan%2Farchitecture-analyzer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ugiordan","download_url":"https://codeload.github.com/ugiordan/architecture-analyzer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ugiordan%2Farchitecture-analyzer/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34557551,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-20T02:00:06.407Z","response_time":98,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["architecture","code-property-graph","golang","kubernetes","python","sarif","sbom","security","static-analysis"],"created_at":"2026-06-20T04:32:20.052Z","updated_at":"2026-06-20T04:32:20.906Z","avatar_url":"https://github.com/ugiordan.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Architecture Analyzer\n\nA static analysis tool that extracts architecture data from Kubernetes/OpenShift component repositories and generates diagrams, security reports, and code property graphs. Works with any Go-based K8s operator ecosystem.\n\n**[Documentation](https://ugiordan.github.io/architecture-analyzer)** | **[GitHub](https://github.com/ugiordan/architecture-analyzer)**\n\n## Demo\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"site/docs/images/demo.gif\" alt=\"Architecture Analyzer Demo\" width=\"800\"\u003e\n\u003c/p\u003e\n\n## Features\n\n- **26 architecture extractors** covering CRDs, RBAC, deployments, services, network policies, controller watches, dependencies, secrets, Helm charts, Dockerfiles, webhooks, configmaps, HTTP endpoints, ingress, external connections (Go + Python), feature gates, cache architecture, operator config constants, reconciliation sequences, Prometheus metrics, status conditions, platform detection, Go CRD extraction, webhook behavioral analysis, and programmatic resource operations\n- **Go AST extraction** via `go/packages` for operators that `.gitignore` generated manifests. Extracts CRDs from Go types with kubebuilder markers, analyzes webhook method bodies for field-level mutations and validations, and detects programmatic `client.Create/Update/Patch/Delete` calls in reconcile methods. Security-hardened for untrusted repo analysis (CGO_ENABLED=0, module isolation, boundedFileSystem).\n- **Code property graph** with multi-language parsing (Go, Python, TypeScript, Rust), typed node model, edge confidence classification, intraprocedural data flow, control flow graphs, Python class hierarchy extraction (NodeClass with BaseClasses and EdgeContains), and two-phase taint propagation\n- **26 security queries** across 5 domains (security, testing, upgrade, architecture, netpolicy) detecting webhook gaps, RBAC bugs, secret leaks, taint paths, complexity hotspots, class hierarchies, factory patterns, external API surfaces, and more\n- **SARIF ingestion** mapping external scanner findings (Semgrep, gosec, etc.) to CPG nodes for unified analysis\n- **Structural diff engine** comparing code graphs across versions to detect regressions\n- **7 renderers** producing Mermaid diagrams, Structurizr C4 DSL, ASCII security views, and structured markdown reports\n- **CycloneDX SBOM generation** from extracted data (Go modules, Python deps, Dockerfile base images, deployment container images, operator image constants) with full operational metadata (security contexts, resource limits, health probes)\n- **Image \u0026 container analysis report** covering GPU/CUDA dependencies, base image registries, multi-arch support, Dockerfile issues, container security contexts, resource limits, health probes, sidecar inventory, and deployment issues\n- **CRD contract validation** detecting breaking schema changes across repos\n- **Platform aggregation** merging multiple component analyses into a cross-repo view\n\n## Architecture\n\n```mermaid\ngraph LR\n    subgraph Inputs\n        REPO[Git Repository]\n        SARIF[SARIF Files]\n    end\n\n    subgraph \"Architecture Extractors (26)\"\n        E1[CRDs \u0026 RBAC]\n        E2[Services \u0026 Deployments]\n        E3[Network Policies \u0026 Ingress]\n        E4[Controller Watches \u0026 Dependencies]\n        E5[Cache Config \u0026 Operator Config]\n        E6[Reconcile Sequences \u0026 Status Conditions]\n        E7[Prometheus Metrics \u0026 Platform Detection]\n        E8[Secrets, Helm, Dockerfiles, Webhooks, ConfigMaps, HTTP Endpoints, External Connections, Feature Gates]\n    end\n\n    subgraph \"Code Property Graph\"\n        PARSE[Multi-Language Parsers\u003cbr/\u003eGo, Python, TS, Rust]\n        CPG[Typed Node Model\u003cbr/\u003eEdge Confidence]\n        DF[Data Flow Analysis]\n        CFG[Control Flow Graphs]\n        TAINT[Taint Propagation Engine]\n        DOMAINS[Domain Queries\u003cbr/\u003eSecurity, Testing, Upgrade,\u003cbr/\u003eArchitecture, NetPolicy]\n    end\n\n    subgraph Outputs\n        JSON[component-architecture.json]\n        GRAPH[code-graph.json]\n        FINDINGS[security-findings.json/sarif]\n        DIAGRAMS[Diagrams \u0026 Reports]\n    end\n\n    REPO --\u003e E1 \u0026 E2 \u0026 E3 \u0026 E4 \u0026 E5 \u0026 E6 \u0026 E7 \u0026 E8 --\u003e JSON --\u003e DIAGRAMS\n    REPO --\u003e PARSE --\u003e CPG --\u003e DF --\u003e CFG --\u003e TAINT --\u003e DOMAINS --\u003e FINDINGS\n    SARIF --\u003e CPG\n    CPG --\u003e GRAPH\n\n    classDef extractor fill:#3498db,stroke:#2980b9,color:#fff\n    classDef cpg fill:#9b59b6,stroke:#8e44ad,color:#fff\n    classDef output fill:#2ecc71,stroke:#27ae60,color:#fff\n\n    class E1,E2,E3,E4,E5,E6,E7,E8 extractor\n    class PARSE,CPG,DF,CFG,TAINT,DOMAINS cpg\n    class JSON,GRAPH,FINDINGS,DIAGRAMS output\n```\n\n## Installation\n\nDownload the latest binary from [GitHub Releases](https://github.com/ugiordan/architecture-analyzer/releases):\n\n```bash\n# Linux\ncurl -L https://github.com/ugiordan/architecture-analyzer/releases/latest/download/arch-analyzer-linux-amd64 -o arch-analyzer\nchmod +x arch-analyzer\n\n# macOS (Apple Silicon)\ncurl -L https://github.com/ugiordan/architecture-analyzer/releases/latest/download/arch-analyzer-darwin-arm64 -o arch-analyzer\nchmod +x arch-analyzer\n```\n\nOr build from source (requires Go 1.25+):\n\n```bash\ngit clone https://github.com/ugiordan/architecture-analyzer.git\ncd architecture-analyzer\ngo build -o arch-analyzer ./cmd/arch-analyzer/\n```\n\n## Usage\n\n### Analyze a repository (extract + render)\n\n```bash\n./arch-analyzer analyze /path/to/repo --output-dir output/\n```\n\nProduces:\n- `output/component-architecture.json` (extracted architecture data)\n- `output/diagrams/rbac.mmd` (Mermaid RBAC graph)\n- `output/diagrams/component.mmd` (Mermaid component diagram)\n- `output/diagrams/dependencies.mmd` (Mermaid dependency graph)\n- `output/diagrams/dataflow.mmd` (Mermaid sequence diagram)\n- `output/diagrams/security-network.txt` (ASCII security/network diagram)\n- `output/diagrams/c4-context.dsl` (Structurizr C4 DSL)\n- `output/diagrams/report.md` (structured markdown report)\n\n### Extract only (no diagrams)\n\n```bash\n./arch-analyzer extract /path/to/repo --output component-architecture.json\n\n# Run only specific extractor groups (faster for targeted analysis)\n./arch-analyzer extract /path/to/repo --extractors dockerfiles,kustomize --output component-architecture.json\n```\n\n### Generate SBOM (CycloneDX 1.5)\n\n```bash\n# From existing extraction\n./arch-analyzer sbom component-architecture.json --output sbom.json\n\n# Pipe to stdout\n./arch-analyzer sbom component-architecture.json | jq '.components | length'\n```\n\nIncludes Go modules, Python deps, Dockerfile base images, deployment container images, and operator image constants. Each component carries operational metadata: security context, resource limits, health probes, Dockerfile issues.\n\n### Image \u0026 Container Analysis Report\n\n```bash\n# Single component\n./arch-analyzer report component-architecture.json --output report.md\n\n# Cross-component analysis (multiple inputs)\n./arch-analyzer report results/*/component-architecture.json --output platform-report.md\n```\n\n10-section report: GPU/CUDA dependencies, base image registries, multi-arch support, Dockerfile issues, security contexts, resource limits, health probes, sidecars, deployment issues, operator image constants.\n\n### Code graph security scan\n\n```bash\n./arch-analyzer scan /path/to/repo --format json --output findings.json\n./arch-analyzer scan /path/to/repo --format sarif --output findings.sarif\n\n# With specific domains\n./arch-analyzer scan /path/to/repo --domains security,testing,upgrade\n\n# Import SARIF from external scanners alongside the scan\n./arch-analyzer scan /path/to/repo --import-sarif gosec.sarif,semgrep.sarif\n\n# With architecture context for richer queries\n./arch-analyzer scan /path/to/repo --with-arch\n```\n\n### Export code property graph\n\n```bash\n./arch-analyzer graph /path/to/repo --output code-graph.json\n./arch-analyzer graph /path/to/repo --format dot --output code-graph.dot\n```\n\n### Structural diff between code graphs\n\n```bash\n./arch-analyzer diff base.json head.json --format text\n./arch-analyzer diff base.json head.json --format json --output diff.json\n```\n\n### Ingest external SARIF findings\n\n```bash\n./arch-analyzer ingest gosec.sarif --graph code-graph.json --output enriched-graph.json\n```\n\n### Full analysis (architecture + code graph + schemas)\n\n```bash\n./arch-analyzer full-analysis /path/to/repo --output-dir output/\n./arch-analyzer full-analysis /path/to/repo --import-sarif gosec.sarif --domains security\n```\n\n### CRD contract validation\n\n```bash\n# Extract schemas as baseline\n./arch-analyzer extract-schema /path/to/repo --output-dir contracts/schemas\n\n# Validate changes against baseline\n./arch-analyzer validate /path/to/repo --contracts-dir contracts\n```\n\n### Aggregate multiple components\n\n```bash\n./arch-analyzer analyze /path/to/repo-a --output-dir results/repo-a\n./arch-analyzer analyze /path/to/repo-b --output-dir results/repo-b\n./arch-analyzer aggregate results/ --output-dir platform-output/\n```\n\n### Platform discovery\n\n```bash\n./arch-analyzer discover /path/to/operator-repo --format json\n./arch-analyzer build-config /path/to/operator-repo\n```\n\n## Extractors\n\n| Extractor | Source Patterns | Data Extracted |\n|-----------|----------------|----------------|\n| CRDs | `config/crd/**`, `deploy/crds/`, `charts/**/crds/`, `manifests/**/crd*` | Group, version, kind, scope, field count, CEL rules |\n| RBAC | `config/rbac/`, `deploy/rbac/`, Go kubebuilder markers | ClusterRoles, bindings, rules, kubebuilder RBAC markers |\n| Services | `**/service*.yaml` | Name, type, ports, selector |\n| Deployments | `**/deployment*.yaml`, `**/manager*.yaml`, `**/statefulset*.yaml` | Containers, security context, env vars, volumes, resources, probes |\n| Network Policies | `**/*networkpolicy*`, `**/*network-polic*`, `**/*netpol*`, `**/network-policies/**` | Pod selector, ingress/egress rules |\n| Controller Watches | `**/*_controller.go`, `**/setup.go`, `**/*reconciler*.go` | For/Owns/Watches with GVK resolution |\n| Dependencies | `go.mod` | Go version, toolchain, modules (direct only), internal ODH deps, replace directives |\n| Secrets | Deployments, services | Secret names, types, references (never values) |\n| Helm | `Chart.yaml`, `values.yaml` | Chart metadata, security-relevant defaults |\n| Dockerfiles | `Dockerfile*`, `Containerfile*`, `*.Dockerfile`, `*.Containerfile` | Base image, build stages, USER, EXPOSE, FIPS indicators, COPY/ADD instructions with multi-stage source tracing, build tool invocations (go build, npm/yarn/pnpm, pip, make) |\n| Webhooks | `**/webhook*.yaml`, `**/mutating*`, `**/validating*` | Webhook rules, failure policy, side effects |\n| ConfigMaps | `**/configmap*.yaml` | ConfigMap names, data keys |\n| HTTP Endpoints | Go source (`http.HandleFunc`, `mux.Route`, `gin.Engine`) | Method, path, handler, middleware |\n| Ingress | `**/ingress*`, `**/virtualservice*`, `**/httproute*` | Gateway API, Istio, K8s Ingress resources |\n| External Connections (Go) | Go source (`sql.Open`, `redis.NewClient`, `grpc.Dial`, `sarama.New*`) | Database, object storage, gRPC, messaging references with credential redaction |\n| External Connections (Python) | Python source (`psycopg2`, `sqlalchemy`, `boto3`, `requests`, `httpx`, `grpc`, `openai`, `chromadb`, etc.) | Database, object storage, gRPC, messaging, HTTP clients, LLM/ML SDK references |\n| Feature Gates | Go source (`DefaultMutableFeatureGate.Add`, `featuregate.Feature` consts) | Gate name, default state, pre-release stage, source location |\n| Cache Config | Go source (`ctrl.NewManager`, `cache.Options`) | Cache scope, filtered types, disabled types, implicit informers, GOMEMLIMIT |\n| Operator Config | Go source (const/var blocks in controllers, pkg/config) | Classified constants: images, ports, timeouts, env vars, resources, name patterns |\n| Reconcile Sequences | Go source (`Reconcile()` methods) | Ordered sub-resource reconciliation steps with conditional guards |\n| Prometheus Metrics | Go source (`prometheus.New*`, `promauto.New*`) | Metric name, type (gauge/counter/histogram/summary), help, labels, namespace |\n| Status Conditions | Go source (const blocks in controllers, API types) | Condition type constants, associated reason constants, source location |\n| Platform Detection | Go source (controllers, reconcilers, config packages) | Capability structs (IsOpenShift, HasRoute), API discovery checks, conditional resource creation |\n| Go CRD Extraction | Go types with `+kubebuilder:object:root=true` markers | Group, version, kind, scope, storage version, hub/spoke conversion, field count, CEL rules |\n| Webhook Behavioral Analysis | Webhook `Default()` and `Validate*()` method bodies | Field-level mutations, field-level validations, same-receiver method call following |\n| Programmatic Resource Ops | Go reconcile methods (`client.Create/Update/Patch/Delete`) | Operation type, target kind, API group, type-resolved via `go/packages` |\n\n### Cache Architecture Analysis\n\nThe cache analyzer cross-references controller-runtime cache configuration against controller watches and deployment memory limits. It detects:\n\n- **Cluster-wide informers** for types that should be namespace-scoped or filtered\n- **Missing cache filters** on watched types (potential OOM risk at scale)\n- **Implicit informers** created by `client.Get` calls for unwatched types\n- **Missing DefaultTransform** (managedFields wasting memory)\n- **Missing GOMEMLIMIT** in deployment (Go GC cannot pressure-tune)\n- **GOMEMLIMIT exceeding 90%** of container memory limit\n\nThis catches real bugs like [opendatahub-io/data-science-pipelines-operator#992](https://github.com/opendatahub-io/data-science-pipelines-operator/issues/992) and [opendatahub-io/model-registry-operator#457](https://github.com/opendatahub-io/model-registry-operator/issues/457).\n\n## Code Property Graph\n\nThe CPG pipeline builds a multi-language code graph from source using tree-sitter (no compilation required) and runs layered analysis on top of it.\n\n### Multi-Language Parsing\n\nFour language parsers extract AST-level nodes (functions, call sites, struct literals, HTTP endpoints, DB operations) and edges (calls, contains):\n\n| Language | Parser | CFG | Data Flow | Taint |\n|----------|--------|-----|-----------|-------|\n| Go | tree-sitter-go | Yes | Yes | Yes |\n| Python | tree-sitter-python | Yes | Yes | Yes |\n| TypeScript | tree-sitter-typescript | Yes | Yes | Yes |\n| Rust | tree-sitter-rust | Yes | Yes | Yes |\n\n### Typed Node Model\n\nNodes carry typed fields instead of string maps, covering function signatures (params, return types), call targets, HTTP routes, DB operations, struct types, class definitions (with base classes for inheritance tracking), cyclomatic complexity, and entrypoint trust level.\n\n### Edge Confidence\n\nCall edges are classified by resolution confidence:\n\n| Confidence | Meaning | Example |\n|------------|---------|---------|\n| `CERTAIN` | Exact match, same package | Direct function call `doWork()` |\n| `INFERRED` | Cross-package short-name match | `utils.Validate()` matched heuristically |\n| `UNCERTAIN` | Multiple candidates, interface dispatch | `handler.Process()` with multiple implementations |\n\nSecurity queries never filter out UNCERTAIN edges; they use confidence to prioritize review order.\n\n### Intraprocedural Data Flow\n\nPer-function analysis tracks variable assignments, reads, argument passing, field access, and return values. Produces `assigns`, `reads`, `passes_to`, `field_access`, and `returns` edges within function bodies.\n\n### Control Flow Graphs\n\nBasic block construction within each function with branching edges (`true_branch`, `false_branch`, `fallthrough`, `loop_back`, `loop_exit`, `exception`, `entry`, `exit`). Enables path-sensitive analysis: distinguishing \"validation guards the dangerous operation\" from \"validation on independent path.\"\n\n### Taint Propagation\n\nTwo-phase taint engine:\n\n1. **Intraprocedural** (Phase A): per-function taint propagation along data flow edges, filtered by CFG block reachability. Produces function summaries.\n2. **Interprocedural** (Phase B): walks the call graph using Phase A summaries to trace taint across function boundaries and storage links.\n\nSources: user input handlers, deserialization calls. Sinks: SQL execution, subprocess calls, command execution, template rendering, HTML output, file access, eval usage. Bounded by configurable depth (20), path (100), and visit (10K) limits with truncation diagnostics.\n\n### SARIF Ingestion\n\nIngest SARIF 2.1.0 output from external static analyzers (Semgrep, gosec, Trivy, etc.) and map findings to CPG nodes. Enriches external findings with architecture context: \"Semgrep found SQL injection at handler.go:42\" becomes \"that function is an untrusted webhook handler with RBAC for secrets.\"\n\nValidation: schema validation, path normalization, annotation sanitization, 50K result size limit.\n\n### Structural Diff\n\nCompare two code-graph.json files to detect regressions: new functions, removed functions, changed complexity, new call edges, trust level changes. Useful for PR review automation.\n\n## Security Queries\n\n### Security Domain (12 rules)\n\n| Rule | ID | Severity | Description |\n|------|----|----------|-------------|\n| Webhook Missing Update | CGA-003 | High | Webhooks intercepting CREATE but not UPDATE |\n| RBAC Precedence Bug | CGA-004 | High | Conflicting RBAC rules across bindings |\n| Cert as CA | CGA-005 | High | Certificate used as CA without proper validation |\n| Cross-Namespace Secret | CGA-006 | High | Secret access crossing namespace boundaries |\n| Unfiltered Cache | CGA-007 | Medium | Watched types without cache filters (OOM risk) |\n| Plaintext Secrets | CGA-008 | Medium | Hardcoded secrets or credentials in source |\n| Weak Serial Entropy | CGA-009 | Medium | Weak randomness in security-sensitive contexts |\n| Complexity Hotspot | CGA-010 | Medium | High-complexity functions with security annotations |\n| Untrusted Endpoint | CGA-011 | Info | HTTP endpoints without recognized auth middleware |\n| Unprotected Ingress | CGA-012 | High | Ingress routes without TLS or auth |\n| Overprivileged Secret Access | CGA-013 | Medium | Broad secret access beyond what's needed |\n| Uncontrolled Egress | CGA-014 | Medium | Outbound connections without network policy |\n\n### Testing Domain (4 rules)\n\n| Rule | ID | Severity | Description |\n|------|----|----------|-------------|\n| Untested Security Function | CGA-T01 | Medium | Security-annotated functions without test coverage |\n| Fake-Only Integration | CGA-T02 | Low | Integration tests using only fakes/mocks |\n| Missing Error Paths | CGA-T03 | Medium | Error return paths without test coverage |\n| Consolidation Opportunity | CGA-T04 | Low | Duplicate test patterns that could be consolidated |\n\n### Upgrade Domain (4 rules)\n\n| Rule | ID | Severity | Description |\n|------|----|----------|-------------|\n| Unconverted CRD | CGA-U01 | Medium | CRDs still using v1beta1 |\n| Pre-Release API Usage | CGA-U02 | Low | Usage of alpha/beta Kubernetes APIs |\n| Ungated Feature | CGA-U03 | Medium | Features without feature gate protection |\n| Unchecked Version Access | CGA-U04 | Low | Version-dependent code without version checks |\n\n### Architecture Domain (4 rules)\n\n| Rule | ID | Severity | Description |\n|------|----|----------|-------------|\n| Abstraction Layers | CGA-A01 | Info | Surfaces class hierarchies with abstract bases and implementations |\n| External API Surface | CGA-A02 | Info | Functions using external SDK clients (openai, boto3, chromadb, etc.) |\n| Factory Dispatch | CGA-A03 | Info | Factory functions dispatching to multiple implementation types |\n| Unimplemented Interface | CGA-A04 | Low | Abstract bases with no implementations found in analyzed sources |\n\n### Network Policy Domain (2 rules)\n\n| Rule | ID | Severity | Description |\n|------|----|----------|-------------|\n| Bare Namespace Selector | CGA-N01 | High | NetworkPolicy allows ingress via namespaceSelector without podSelector or port restrictions |\n| Tenant Namespace Reach | CGA-N02 | High | Tenant workload namespaces (notebooks, pipelines) can reach control plane services |\n\n## Renderers\n\n| Renderer | Output | Description |\n|----------|--------|-------------|\n| RBAC | `rbac.mmd` | Mermaid graph: ServiceAccounts -\u003e Bindings -\u003e Roles -\u003e Resources |\n| Component | `component.mmd` | Mermaid diagram: CRDs watched, owned, and dependency relationships |\n| Security/Network | `security-network.txt` | ASCII layered view: network, RBAC, secrets, security contexts |\n| Dependencies | `dependencies.mmd` | Mermaid graph: Go module dependencies (internal ODH highlighted) |\n| C4 | `c4-context.dsl` | Structurizr C4 context diagram |\n| Dataflow | `dataflow.mmd` | Mermaid sequence diagram: controller watches and service connections |\n| Report | `report.md` | Structured markdown with tables for all extracted data and cache issues |\n\n## Project Structure\n\n```\narchitecture-analyzer/\n  cmd/arch-analyzer/\n    main.go                # CLI entry point with subcommands\n  pkg/\n    extractor/             # 26 architecture extractors\n    renderer/              # 7 diagram/report renderers\n    aggregator/            # Platform-wide aggregation\n    validator/             # CRD contract validation\n    parser/                # Multi-language parsers (Go, Python, TypeScript, Rust)\n                           # with CFG construction per language\n    builder/               # Code property graph builder (call resolution, edge confidence)\n    graph/                 # CPG data structures (typed nodes, edges, basic blocks)\n    dataflow/              # Taint propagation engine (intraprocedural + interprocedural)\n    diff/                  # Structural diff engine for code graph comparison\n    sarif/                 # SARIF 2.1.0 ingestion and node mapping\n    linker/                # Storage linker (DB operations to schemas)\n    annotator/             # Security annotation engine\n    query/                 # Security query engine (base queries + taint-to-sink)\n    domains/               # Domain framework with registered query rules\n      security/            # 12 security queries\n      testing/             # 4 testing queries\n      upgrade/             # 4 upgrade queries\n      architecture/        # 4 architecture queries\n      netpolicy/           # 2 network policy queries\n    arch/                  # Architecture data structures\n    config/                # Configuration types\n  contracts/\n    schemas/               # CRD baseline schemas for validation\n  scripts/\n    analyze-repo.sh        # Clone + analyze + cleanup\n  site/\n    docs/                  # MkDocs Material documentation\n    mkdocs.yml             # Docs site configuration\n  .github/workflows/\n    analyze-all.yml        # Scheduled analysis workflow\n    extract-schemas.yml    # CRD schema extraction workflow\n    validate-contracts.yml # CRD contract validation on PRs\n    docs.yml               # Deploy docs to GitHub Pages\n```\n\n## Running Tests\n\n```bash\ngo test ./...\n```\n\n## Documentation\n\nFull documentation is published at **[ugiordan.github.io/architecture-analyzer](https://ugiordan.github.io/architecture-analyzer)** and covers installation, guides, CLI reference, architecture, and contributing.\n\n## GitHub Actions\n\n- `analyze-all.yml`: runs weekly (Monday 06:00 UTC) or on manual dispatch, analyzes all configured platform repos and uploads artifacts\n- `extract-schemas.yml`: extracts CRD schemas weekly and opens automated PRs for changes\n- `validate-contracts.yml`: validates CRD contract changes on PRs to the `contracts/` directory\n- `docs.yml`: deploys documentation to GitHub Pages on pushes to main\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fugiordan%2Farchitecture-analyzer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fugiordan%2Farchitecture-analyzer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fugiordan%2Farchitecture-analyzer/lists"}