Premium Features

CodePhreak Premium adds AI-powered validation, attack-path analysis, auto-fix suggestions, and compliance evidence generation on top of the core security scanner.

Attack-Path Risk Graph

Maps how attackers can chain vulnerabilities from internet entry points to your sensitive data. The risk graph correlates exposure, identity, and data sensitivity to identify which attack paths are exploitable.

What it does

  • Builds a graph of nodes (entry points, services, data stores) and edges (vulnerabilities)
  • Identifies attack paths from internet → sensitive resources
  • Calculates risk scores based on path likelihood and target sensitivity
  • Marks paths as "broken" when they contain validated exploits
  • Surfaces path counts in scan results and dashboard

# Enable in config
premium:
  enable_attack_graph: true

# Run scan
codephreak scan . --enable-attack-graph

# Check results
{
  "attack_paths": {
    "total_paths": 3,
    "broken_paths": 1,
    "high_risk_paths": 2,
    "nodes": [...],
    "edges": [...],
    "paths": [
      {
        "path_id": "internet->s3-prod-data",
        "nodes": ["internet", "s3-prod-data"],
        "risk_score": 0.94,
        "broken": true
      }
    ]
  }
}

Demo Status: Attack-path computation is available in the dashboard demo. Real-world graph generation requires scanning your infrastructure and correlating findings.
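The following is an added example, not CodePhreak's own graph engine: a small enumerator that walks a node/edge graph of the shape shown in the results above, stops cycles, and emits the same `total_paths` / `broken_paths` / `high_risk_paths` counts. The sample graph, the `validated` flag on edges, the 0.7 high-risk threshold and the scoring rule (product of edge likelihoods times target sensitivity) are assumptions chosen for illustration.

```python
# Added example (not CodePhreak's own code): a minimal attack-path
# enumerator over the node/edge shape shown in the scan output. The sample
# graph, the "validated" flag on edges, the high-risk threshold and the
# scoring rule (product of edge likelihoods times target sensitivity) are
# assumptions for illustration.

# Constructed sample graph. Data stores carry a sensitivity in [0, 1];
# each edge is the vulnerability that lets an attacker move src -> dst.
NODES = {
    "internet":      {"type": "entry",     "sensitivity": 0.0},
    "api-gateway":   {"type": "service",   "sensitivity": 0.0},
    "orders-svc":    {"type": "service",   "sensitivity": 0.0},
    "s3-prod-data":  {"type": "datastore", "sensitivity": 1.0},
    "rds-analytics": {"type": "datastore", "sensitivity": 0.7},
}
EDGES = [
    {"src": "internet",    "dst": "s3-prod-data",  "vuln": "s3_bucket_public_access",   "likelihood": 0.94, "validated": True},
    {"src": "internet",    "dst": "api-gateway",   "vuln": "ssrf-in-webhook-handler",   "likelihood": 0.60, "validated": False},
    {"src": "api-gateway", "dst": "orders-svc",    "vuln": "sql-injection-error-based", "likelihood": 0.80, "validated": True},
    {"src": "api-gateway", "dst": "rds-analytics", "vuln": "hardcoded-db-credentials",  "likelihood": 0.85, "validated": False},
    {"src": "orders-svc",  "dst": "rds-analytics", "vuln": "overprivileged-db-role",    "likelihood": 0.90, "validated": False},
    # Back-edge creating a cycle; the walk below must not loop on it.
    {"src": "orders-svc",  "dst": "api-gateway",   "vuln": "internal-ssrf",             "likelihood": 0.50, "validated": False},
]


def enumerate_paths(nodes, edges, entry="internet"):
    """Depth-first walk from the entry node to every data store.

    A node is never revisited on one path, so cycles terminate. A path ends at
    the first data store it reaches; "broken" means at least one edge on it
    has a validated exploit, mirroring the field in the scan output.
    """
    paths = []

    def walk(current, trail, likelihood, broken):
        for edge in edges:
            if edge["src"] != current or edge["dst"] in trail:
                continue
            dst = edge["dst"]
            next_trail = trail + [dst]
            next_likelihood = likelihood * edge["likelihood"]
            next_broken = broken or edge["validated"]
            if nodes[dst]["type"] == "datastore":
                paths.append({
                    "path_id": "->".join(next_trail),
                    "nodes": next_trail,
                    "risk_score": round(next_likelihood * nodes[dst]["sensitivity"], 2),
                    "broken": next_broken,
                })
            else:
                walk(dst, next_trail, next_likelihood, next_broken)

    walk(entry, [entry], 1.0, False)
    return sorted(paths, key=lambda p: p["risk_score"], reverse=True)


def summarize(paths, high_risk_threshold=0.7):
    """Counts in the shape of the attack_paths block; the threshold is assumed."""
    return {
        "total_paths": len(paths),
        "broken_paths": sum(1 for p in paths if p["broken"]),
        "high_risk_paths": sum(1 for p in paths if p["risk_score"] >= high_risk_threshold),
        "paths": paths,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(enumerate_paths(NODES, EDGES)), indent=2))
```

Running it prints three paths: the direct `internet->s3-prod-data` edge scores 0.94 and is broken because its exploit is validated, while the two multi-hop routes to `rds-analytics` score lower because each extra hop multiplies in another likelihood below 1.0.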

Validated Exploits

Validation marks which findings are actually exploitable rather than merely present, so you can cut false positives and prioritize real threats. By default this is a heuristic judgement; replaying the payload in an isolated sandbox is the stronger mode described below.

What it does

  • Uses heuristic analysis (severity + reachability) by default
  • Optionally spins up isolated sandboxes to replay attack payloads
  • Monitors for successful exploitation indicators
  • Marks findings as validated_exploit: true when confirmed
  • Adds confidence scores and validation method to each finding

# Enable in config
premium:
  enable_validated_exploits: true

# Run scan
codephreak scan . --validated-only

# Results show validation status
{
  "rule_id": "sql-injection-error-based",
  "severity": "HIGH",
  "validated_exploit": true,
  "validation_confidence": 0.9,
  "validation_method": "heuristic",
  "explainability": "High severity + reachable (heuristic)"
}

Demo Status: Heuristic validation is live. Sandbox validation requires additional infrastructure and is marked for future implementation. A finding whose validation_method is "heuristic" has not had its payload executed, so treat validated_exploit: true there as a prioritization signal rather than proof of exploitability.
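As an added example (not CodePhreak's own validator), the severity-plus-reachability heuristic written out as a function, followed by a CI gate that treats heuristic and sandbox validation differently: sandbox-confirmed exploits block the build, heuristic hits above a confidence floor only warn. The confidence values, the `reachable` input field, the 0.8 floor and the `"sandbox"` method value are assumptions; the finding list is constructed.

```python
# Added example (not CodePhreak's own code): the severity + reachability
# heuristic as a function, plus a CI gate that treats heuristic and sandbox
# validation differently. The confidence values, the "reachable" input
# field, the confidence floor and the "sandbox" method value are assumptions.

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0}


def heuristic_validate(finding):
    """Return a copy of the finding with validation fields filled in.

    Validated means HIGH-or-worse severity and reachable code. Confidence
    values are illustrative: a heuristic never reaches 1.0 because nothing
    was actually exploited.
    """
    rank = SEVERITY_RANK.get(str(finding.get("severity", "INFO")).upper(), 0)
    reachable = bool(finding.get("reachable", False))
    validated = rank >= SEVERITY_RANK["HIGH"] and reachable
    if validated:
        confidence = 0.95 if rank == SEVERITY_RANK["CRITICAL"] else 0.9
    elif reachable or rank >= SEVERITY_RANK["HIGH"]:
        confidence = 0.4  # only one of the two signals present
    else:
        confidence = 0.1
    out = dict(finding)
    out.update({
        "validated_exploit": validated,
        "validation_confidence": confidence,
        "validation_method": "heuristic",
        "explainability": "%s severity + %s (heuristic)"
        % (finding.get("severity", "INFO"), "reachable" if reachable else "not reachable"),
    })
    return out


def validate_all(findings):
    """Apply the heuristic only where no stronger validation is recorded."""
    return [f if f.get("validation_method") else heuristic_validate(f) for f in findings]


def gate(findings, min_confidence=0.8):
    """Split validated findings into build-blocking and warn-only rule ids.

    Sandbox-confirmed exploits block. Heuristic hits at or above the
    confidence floor only warn, because the heuristic never ran the payload.
    """
    blocking, warnings = [], []
    for f in findings:
        if not f.get("validated_exploit"):
            continue
        if f.get("validation_method") == "sandbox":
            blocking.append(f["rule_id"])
        elif f.get("validation_confidence", 0.0) >= min_confidence:
            warnings.append(f["rule_id"])
    return blocking, warnings


# Constructed sample findings: one already sandbox-validated upstream,
# the rest awaiting the heuristic.
FINDINGS = [
    {"rule_id": "deserialization-rce", "severity": "CRITICAL", "reachable": True,
     "validated_exploit": True, "validation_confidence": 1.0, "validation_method": "sandbox"},
    {"rule_id": "sql-injection-error-based", "severity": "HIGH", "reachable": True},
    {"rule_id": "open-redirect", "severity": "MEDIUM", "reachable": True},
    {"rule_id": "xxe-in-parser", "severity": "HIGH", "reachable": False},
]

if __name__ == "__main__":
    blocking, warnings = gate(validate_all(FINDINGS))
    print("blocking:", blocking)
    print("warnings:", warnings)
```

The point of keeping two lists is that `--validated-only` output mixes both methods: a pipeline that fails on every `validated_exploit: true` will fail on heuristic guesses, while one that ignores the field entirely misses the sandbox-confirmed case.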

Auto-Fix Suggestions

Context-aware fix suggestions with confidence scores and diff previews. Covers cloud misconfigurations (AWS, Azure, GCP) and common code vulnerabilities.

What it provides

  • Fix templates for 20+ common issues (S3 public access, SQL injection, hardcoded secrets, etc.)
  • Diff previews showing exact changes to make
  • Confidence scores (0.0-1.0) indicating reliability of the fix
  • CLI commands for infrastructure fixes (optional)
  • Modal preview in dashboard with "Apply Fix" workflow

# Enable in config
premium:
  enable_autofix: true

# Run scan
codephreak scan . --autofix-preview

# Results include fix suggestions
{
  "check_id": "s3_bucket_public_access",
  "severity": "CRITICAL",
  "autofix_suggestion": {
    "title": "Enable S3 Block Public Access",
    "diff": "- BlockPublicAcls: false\n+ BlockPublicAcls: true",
    "confidence": 0.95,
    "category": "infrastructure",
    "apply_cmd": "aws s3api put-public-access-block..."
  }
}

Implementation Status: Template-based fix engine implemented with 20+ common issues. Interactive auto-fix buttons in dashboard UI coming in v2.0. AI-powered context-aware fix generation planned for future release.
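As an added example (not CodePhreak's own "Apply Fix" workflow), here is one way to consume a suggestion of the shape above safely: parse the `- old` / `+ new` preview, refuse to apply when the confidence is below a floor, and refuse when the line to replace is missing or matches more than once, so a template with several buckets is never half-fixed. The CloudFormation snippet and the 0.9 confidence floor are assumptions; `apply_cmd` is shown elided in the docs and is deliberately never executed here.

```python
# Added example (not CodePhreak's own "Apply Fix" workflow): preview and apply
# one template suggestion to a CloudFormation snippet held in memory, refusing
# when confidence is below a floor or the line to replace is missing or
# ambiguous. The template and the confidence floor are assumptions; apply_cmd
# is deliberately never executed here.

SUGGESTION = {
    "check_id": "s3_bucket_public_access",
    "severity": "CRITICAL",
    "autofix_suggestion": {
        "title": "Enable S3 Block Public Access",
        "diff": "- BlockPublicAcls: false\n+ BlockPublicAcls: true",
        "confidence": 0.95,
        "category": "infrastructure",
    },
}

# Constructed target file content.
TEMPLATE = """Resources:
  DataBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: false
        IgnorePublicAcls: false
"""


def parse_diff(diff):
    """Turn the '- old\\n+ new' preview into (old, new) pairs.

    Only one-for-one line replacements are supported; anything else is
    rejected rather than guessed at.
    """
    removed, added = [], []
    for line in diff.splitlines():
        if line.startswith("- "):
            removed.append(line[2:])
        elif line.startswith("+ "):
            added.append(line[2:])
        else:
            raise ValueError(f"unsupported diff line: {line!r}")
    if len(removed) != len(added) or not removed:
        raise ValueError("only one-for-one line replacements are supported")
    return list(zip(removed, added))


def apply_fix(text, suggestion, min_confidence=0.9):
    """Return (new_text, status); new_text is None whenever the fix is refused."""
    fix = suggestion["autofix_suggestion"]
    if fix["confidence"] < min_confidence:
        return None, f"refused: confidence {fix['confidence']} below {min_confidence}"
    try:
        pairs = parse_diff(fix["diff"])
    except ValueError as exc:
        return None, f"refused: {exc}"

    lines = text.splitlines(keepends=True)
    for old, new in pairs:
        # Match on content, ignoring indentation, and insist on exactly one
        # hit so a file with several candidate lines is never half-fixed.
        hits = [i for i, line in enumerate(lines) if line.strip() == old.strip()]
        if len(hits) != 1:
            return None, f"refused: expected one match for {old!r}, found {len(hits)}"
        i = hits[0]
        indent = lines[i][: len(lines[i]) - len(lines[i].lstrip())]
        newline = "\n" if lines[i].endswith("\n") else ""
        lines[i] = f"{indent}{new}{newline}"
    return "".join(lines), "applied"


if __name__ == "__main__":
    fixed, status = apply_fix(TEMPLATE, SUGGESTION)
    print(status)
    if fixed:
        print(fixed)
```

The same guard logic applies to the infrastructure `apply_cmd`: a command string from a scan result is untrusted input to your pipeline and should be reviewed, not piped to a shell.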

Compliance Evidence Packs

Generate SOC2, ISO27001, PCI-DSS, HIPAA, NIST CSF, and GDPR evidence exports with control mappings and compliance scores in one click.

What it generates

  • Control mappings linking findings to framework controls
  • Compliance scores showing the percentage of mapped controls with no open findings (only controls the scanner can map are counted)
  • Findings by control grouped by framework requirement
  • JSON exports suitable for auditor review
  • Timestamps and scan metadata for audit trails

# Generate evidence packs
codephreak scan . --evidence-export

# Or generate for specific framework
codephreak evidence --framework SOC2 --scan-results ./results.json

# Output: evidence-packs/SOC2_20260102_123456_evidence.json
{
  "framework": "SOC2",
  "generated_at": "2026-01-02T12:34:56Z",
  "summary": {
    "total_controls": 5,
    "passed_controls": 3,
    "compliance_score": 60
  },
  "controls_mapped": [...],
  "findings_by_control": {...}
}

Demo Status: Framework mappings and export logic implemented. Accessible via the /api/evidence endpoint and the dashboard.
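As an added example (not CodePhreak's own mapping or export logic), this builds an evidence pack in the shape shown above from a control-to-rule mapping and a list of findings, and derives the `evidence-packs/<FRAMEWORK>_<YYYYMMDD>_<HHMMSS>_evidence.json` file name from it. The SOC 2 criteria ids, the rules mapped to them, and the finding set are constructed placeholders; the pass rule (a control passes when no open finding maps to any of its rules) is an assumption.

```python
# Added example (not CodePhreak's own mapping or export logic): build an
# evidence pack in the documented shape from a control->rule mapping and a
# list of findings. The SOC 2 criteria ids, the rules mapped to them, the
# sample findings and the pass rule are constructed placeholders.
from datetime import datetime, timezone

CONTROL_MAP = {
    "SOC2": {
        "CC6.1": ["s3_bucket_public_access", "security-group-open-to-world"],
        "CC6.6": ["sql-injection-error-based"],
        "CC6.7": ["tls-weak-cipher-suite"],
        "CC7.1": ["cloudtrail-logging-disabled"],
        "CC8.1": ["hardcoded-secret"],
    }
}

# Constructed findings. Code checks carry rule_id and cloud checks carry
# check_id in the scan output, so both keys are accepted below.
FINDINGS = [
    {"check_id": "s3_bucket_public_access", "severity": "CRITICAL", "status": "open"},
    {"rule_id": "sql-injection-error-based", "severity": "HIGH", "status": "open"},
    {"check_id": "cloudtrail-logging-disabled", "severity": "MEDIUM", "status": "resolved"},
]

# Fixed timestamp so the output is reproducible.
FIXED_NOW = datetime(2026, 1, 2, 12, 34, 56, tzinfo=timezone.utc)


def finding_rule(finding):
    return finding.get("rule_id") or finding.get("check_id")


def build_evidence_pack(framework, findings, control_map, now=None):
    """A control passes when no open finding maps to any of its rules.

    The score counts only controls the scanner can map, so 100 here is not a
    compliance determination for the framework as a whole.
    """
    if framework not in control_map:
        raise KeyError(f"no mapping for framework {framework!r}")
    now = now or datetime.now(timezone.utc)
    controls = control_map[framework]
    controls_mapped, findings_by_control = [], {}
    for control, rules in controls.items():
        hits = [f for f in findings if finding_rule(f) in rules]
        open_hits = [f for f in hits if f.get("status", "open") == "open"]
        controls_mapped.append({
            "control": control,
            "rules": rules,
            "status": "failed" if open_hits else "passed",
        })
        findings_by_control[control] = hits
    passed = sum(1 for c in controls_mapped if c["status"] == "passed")
    return {
        "framework": framework,
        "generated_at": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "summary": {
            "total_controls": len(controls_mapped),
            "passed_controls": passed,
            "compliance_score": round(100 * passed / len(controls_mapped)) if controls_mapped else 0,
        },
        "controls_mapped": controls_mapped,
        "findings_by_control": findings_by_control,
    }


def evidence_filename(pack):
    """Derive evidence-packs/<FRAMEWORK>_<YYYYMMDD>_<HHMMSS>_evidence.json."""
    stamp = pack["generated_at"].replace("-", "").replace(":", "").replace("T", "_").rstrip("Z")
    return f"evidence-packs/{pack['framework']}_{stamp}_evidence.json"


if __name__ == "__main__":
    import json
    pack = build_evidence_pack("SOC2", FINDINGS, CONTROL_MAP, now=FIXED_NOW)
    print(evidence_filename(pack))
    print(json.dumps(pack, indent=2))
```

With the constructed data, two of five controls have open findings and the resolved logging finding still appears under its control for the audit trail without failing it, which gives the 3/5 = 60 score shown in the sample output.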

Enabling Premium Features

Configuration

# codephreak.yml
premium:
  enable_ai_prioritization: true
  enable_attack_graph: true
  enable_validated_exploits: true
  enable_autofix: true
  api_key: "your-api-key"  # For hosted features; keep real keys out of committed config
  organization_id: "your-org-id"

# Or use environment variables
export CP_ENABLE_AI_PRIORITIZATION=true
export CP_ENABLE_ATTACK_GRAPH=true
export CP_ENABLE_VALIDATED_EXPLOITS=true
export CP_ENABLE_AUTOFIX=true

CLI Flags

# Enable individual features via flags
codephreak scan . --enable-attack-graph
codephreak scan . --validated-only
codephreak scan . --reachable-only
codephreak scan . --autofix-preview

# Combine multiple features
codephreak scan . \
  --enable-attack-graph \
  --validated-only \
  --autofix-preview \
  --evidence-export

Dashboard Demo

Try all premium features interactively in the dashboard demo:

  • Click "Load Demo Data" to populate sample scans
  • View AI Insights panel showing priority scores and EPSS
  • Filter findings by "Validated only" or "Reachable only"
  • Click "View Auto-fix" on findings with suggestions
  • Check evidence packs in the Compliance section