Page structure
- Stat row — three cards: Toxic combinations (total), Critical, and High.
- Per-repository sections — each repository with at least one combination gets a section listing its combination cards. Repositories with no combinations are omitted.
- Combination cards: each card shows
  - a severity badge (CRITICAL/HIGH), the combination’s name, and its scope (a workflow file, or repository-wide);
  - a one-paragraph impact narrative;
  - an interactive attack-chain graph — left-to-right nodes for each stage of the attack, ending in the compromise. Hover/pan to explore; each non-terminal node is numbered and the final node is the impact;
  - a green Break the chain callout naming the single fix that defeats the whole scenario; and
  - an expandable contributing findings list with each finding’s rule ID, severity, and file:line.
How the data is computed
The page calls GET /api/attack-paths, which loads each repository’s latest-scan findings server-side and runs the shared detection engine (pkg/scanner). Detection is identical to the CLI; the dashboard only groups results by repository and rolls up the counts.

Because combinations derive from already-persisted findings, the page reflects your most recent scans. Run a scan from the Dashboard or Repositories view to refresh them. A combination never includes a finding from a rule you’ve turned off in Rule settings.
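The grouping and roll-up step described above, as an added illustration rather than the project’s own code: the Finding and Combination types, the rule IDs, repository names and the disabled-rule map are all constructed for this example (the real pkg/scanner types and the /api/attack-paths response shape are not shown on this page). It drops any combination that depends on a finding from a disabled rule, groups what remains by repository, omits repositories with nothing left, and counts the three stat-row values.

```go
package main

import (
	"fmt"
	"sort"
)

// Finding is an assumed shape for one persisted scan finding
// (hypothetical; not the scanner's real type).
type Finding struct {
	RuleID   string
	Severity string
	File     string
	Line     int
}

// Combination is an assumed shape for one detected toxic combination.
type Combination struct {
	Repo     string
	Name     string
	Severity string // "CRITICAL" or "HIGH"
	Findings []Finding
}

// RepoSection mirrors one per-repository section on the page.
type RepoSection struct {
	Repo         string
	Combinations []Combination
}

// Stats mirrors the three stat cards: total, critical, high.
type Stats struct {
	Total, Critical, High int
}

// usesDisabledRule reports whether any contributing finding comes from a
// rule the user has turned off; such a combination must not be shown.
func usesDisabledRule(c Combination, disabled map[string]bool) bool {
	for _, f := range c.Findings {
		if disabled[f.RuleID] {
			return true
		}
	}
	return false
}

// Rollup filters out combinations that rely on disabled rules, groups the
// rest by repository (repositories with none are omitted), and tallies the
// stat-row counts. Sections are returned in repository-name order.
func Rollup(combos []Combination, disabled map[string]bool) (Stats, []RepoSection) {
	var stats Stats
	byRepo := map[string][]Combination{}
	for _, c := range combos {
		if usesDisabledRule(c, disabled) {
			continue
		}
		byRepo[c.Repo] = append(byRepo[c.Repo], c)
		stats.Total++
		switch c.Severity {
		case "CRITICAL":
			stats.Critical++
		case "HIGH":
			stats.High++
		}
	}
	repos := make([]string, 0, len(byRepo))
	for r := range byRepo {
		repos = append(repos, r)
	}
	sort.Strings(repos)
	sections := make([]RepoSection, 0, len(repos))
	for _, r := range repos {
		sections = append(sections, RepoSection{Repo: r, Combinations: byRepo[r]})
	}
	return stats, sections
}

// SampleCombos is constructed demo input, not real scan output.
func SampleCombos() []Combination {
	return []Combination{
		{Repo: "org/app", Name: "combo-a", Severity: "CRITICAL",
			Findings: []Finding{{RuleID: "example-rule-1", Severity: "high", File: ".github/workflows/ci.yml", Line: 12}}},
		{Repo: "org/app", Name: "combo-b", Severity: "HIGH",
			Findings: []Finding{{RuleID: "example-rule-2", Severity: "medium", File: ".github/workflows/ci.yml", Line: 30}}},
		{Repo: "org/lib", Name: "combo-c", Severity: "HIGH",
			Findings: []Finding{
				{RuleID: "example-rule-2", Severity: "medium", File: ".github/workflows/release.yml", Line: 8},
				{RuleID: "example-rule-3", Severity: "low", File: ".github/workflows/release.yml", Line: 21},
			}},
	}
}

func main() {
	// example-rule-3 is turned off, so combo-c (and with it org/lib) disappears.
	stats, sections := Rollup(SampleCombos(), map[string]bool{"example-rule-3": true})
	fmt.Printf("total=%d critical=%d high=%d\n", stats.Total, stats.Critical, stats.High)
	for _, s := range sections {
		fmt.Printf("%s: %d combination(s)\n", s.Repo, len(s.Combinations))
	}
}
```

With example-rule-3 disabled the stat row reads total=2 critical=1 high=1 and only org/app gets a section; with no rules disabled all three combinations appear across two sections.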