Conversation

@jychp jychp (Collaborator) commented Feb 5, 2026

Type of change

  • New feature (non-breaking change that adds functionality)

Summary

This PR adds a new secrets category to the Cartography ontology, enabling unified cross-platform querying of secrets and credentials across multiple cloud providers.

Supported providers:

  • AWS Secrets Manager (SecretsManagerSecret)
  • GCP Secret Manager (GCPSecretManagerSecret)
  • Azure Key Vault (AzureKeyVaultSecret)
  • GitHub Actions Secrets (GitHubActionsSecret - org, repo, and env levels)
  • Kubernetes Secrets (KubernetesSecret)

Normalized ontology fields:

| Field | Description |
|---|---|
| `_ont_name` | Secret name (required) |
| `_ont_created_at` | Creation timestamp |
| `_ont_updated_at` | Last update timestamp |
| `_ont_rotation_enabled` | Whether rotation is enabled |

This enables queries like:

```cypher
MATCH (s:Secret) RETURN s._ont_name, s._ont_source
```

Related issues or links

  • Part of the ontology enrichment effort for security posture assessment

How was this tested?

  • All linting passes (make test_lint)
  • All existing integration tests pass for affected modules:
    • AWS Secrets Manager (3 tests)
    • GCP Secret Manager (1 test)
    • Azure Key Vault (1 test)
    • Kubernetes Secrets (3 tests)
  • Ontology mapping unit tests pass (29 tests)
  • Verified ExtraNodeLabels(["Secret"]) is correctly set on all 7 schema classes

Checklist

General

  • I have read the contributing guidelines.
  • The linter passes locally (make lint).
  • I have added/updated tests that prove my fix is effective or my feature works.

Proof of functionality

  • New or updated unit/integration tests.

If you are changing a node or relationship

Notes for reviewers

  • Secret versions (AWS SecretsManagerSecretVersion, GCP GCPSecretManagerSecretVersion) are intentionally excluded as they are child entities
  • Duo tokens/credentials are kept separate as they represent MFA tokens rather than stored secrets
  • The Secret label follows the same semantic label pattern as APIKey, Database, Function, etc.
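As an added example (not part of this PR or of Cartography itself), the kind of cross-provider posture check the unified `Secret` label makes possible: it assumes `_ont_rotation_enabled` is stored as a boolean, that `_ont_updated_at` and the `$cutoff` parameter use the same comparable representation, and that `_ont_source` identifies the provider as in the query in the description above.

```cypher
// Added example, not code from the PR: secrets across every provider where
// rotation is not enabled (or was never recorded), counted per provider.
MATCH (s:Secret)
WHERE coalesce(s._ont_rotation_enabled, false) = false
RETURN s._ont_source AS provider, count(s) AS unrotated_secrets
ORDER BY unrotated_secrets DESC;

// Secrets not updated since $cutoff. Assumption: _ont_updated_at and $cutoff
// share one representation (both ISO-8601 strings or both epoch values);
// adjust the comparison to whatever the stored type actually is.
MATCH (s:Secret)
WHERE s._ont_updated_at IS NOT NULL AND s._ont_updated_at < $cutoff
RETURN s._ont_source AS provider,
       s._ont_name AS name,
       s._ont_updated_at AS last_updated
ORDER BY last_updated ASC
LIMIT 50;
```

Secrets are listed here only by name and provider; the graph carries metadata about the secret, never its value.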

@cubic-dev-ai cubic-dev-ai bot (Contributor) left a comment
No issues found across 13 files

…ueries

Add a new `secrets` category to the Cartography ontology that groups all
secret/credential nodes across cloud providers:

- AWS SecretsManagerSecret
- GCP GCPSecretManagerSecret
- Azure AzureKeyVaultSecret
- GitHub GitHubActionsSecret (org, repo, and env levels)
- Kubernetes KubernetesSecret

This enables unified cross-platform querying of secrets using the `Secret`
semantic label with normalized `_ont_*` properties:
- _ont_name: Secret name (required)
- _ont_created_at: Creation timestamp
- _ont_updated_at: Last update timestamp
- _ont_rotation_enabled: Whether rotation is enabled

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Jeremy Chapeau <jeremy@subimage.io>
@jychp jychp force-pushed the jeremy/ontology-secrets-category branch from ee7229a to d54c3bb Compare February 5, 2026 17:40
@jychp jychp enabled auto-merge (squash) February 5, 2026 17:41
@jychp jychp merged commit 40a20af into master Feb 5, 2026
5 of 8 checks passed
@jychp jychp deleted the jeremy/ontology-secrets-category branch February 5, 2026 17:46