Catalyst / admin/Synapse-Cortex 14.8 GB / 57.8 GB 40.0 GB free
Help Sign in

admin / Synapse-Cortex

public

Self Hosted ITSM Tool with RBAC/Tenanting and MFA

Code Issues Pull requests Pipelines Packages Security Insights Wiki Settings
Synapse-Cortex / Synapse-Cortexv2 / playbooks / vuln-remediation-hitl-linux.json 3539 B · main
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
{
  "name": "Human-in-the-Loop Vulnerability Remediation v2 (Linux/apt)",
  "enabled": true,
  "allowed_target_os": ["linux"],
  "required_approval_level": "human_in_the_loop",
  "forbidden_commands": [
    "apt-get remove",
    "apt-get purge",
    "do-release-upgrade",
    "dist-upgrade"
  ],
  "acknowledged_dangerous_commands": ["host_power"],
  "graph_json": {
    "meta": {
      "playbook_kind": "vuln_remediation_hitl",
      "version": 2,
      "engine_notes": "The strings in data.command are PREDEFINED and IMMUTABLE. The AI assistant executes them verbatim and must never invent, alter, or choose a scan command. The ONLY AI-authored value in this graph is the {{command}} token on the 'remediate' node, and even that is re-checked by guardrails and gated on a human Approve click. v2 changes: (1) the predefined scans use 'apt-get -s upgrade' (a safe, read-only simulate) so they no longer collide with this playbook's own 'dist-upgrade' forbidden string and self-block; (2) 'host_power' is acknowledged so an AI-proposed reboot after patching (e.g. a kernel/glibc CVE) reaches mandatory human review instead of being auto-blocked - it still never runs without an explicit Approve click.",
      "scan_command_id": "phase1_discover"
    },
    "nodes": [
      {
        "id": "start",
        "type": "start",
        "data": {},
        "position": { "x": 250, "y": 0 }
      },
      {
        "id": "phase1_discover",
        "type": "command",
        "data": {
          "label": "Phase 1 — Discovery scan (predefined)",
          "phase": "discovery",
          "stage": "pre_approval",
          "immutable": true,
          "capture_as": "baseline_scan",
          "command": "apt-get update -qq >/dev/null 2>&1; apt-get -s upgrade 2>/dev/null | awk '/^Inst/{print $2}' | sort -u"
        },
        "position": { "x": 250, "y": 130 }
      },
      {
        "id": "gate_triage",
        "type": "condition",
        "data": {
          "label": "Phase 2 — High/Critical findings present?",
          "phase": "triage",
          "stage": "pre_approval",
          "expression": "severity in ('CRITICAL','HIGH')"
        },
        "position": { "x": 250, "y": 260 }
      },
      {
        "id": "phase4_remediate",
        "type": "command",
        "data": {
          "label": "Phase 4 — Targeted remediation (approved only)",
          "phase": "remediation",
          "stage": "post_approval",
          "immutable": false,
          "ai_authored": true,
          "command": "{{command}}"
        },
        "position": { "x": 250, "y": 390 }
      },
      {
        "id": "phase5_verify",
        "type": "command",
        "data": {
          "label": "Phase 5 — Verification re-scan (same as Phase 1)",
          "phase": "verification",
          "stage": "post_approval",
          "immutable": true,
          "capture_as": "verify_scan",
          "same_command_as": "phase1_discover",
          "command": "apt-get update -qq >/dev/null 2>&1; apt-get -s upgrade 2>/dev/null | awk '/^Inst/{print $2}' | sort -u"
        },
        "position": { "x": 250, "y": 520 }
      }
    ],
    "edges": [
      { "id": "e_start_discover", "source": "start", "target": "phase1_discover" },
      { "id": "e_discover_gate", "source": "phase1_discover", "target": "gate_triage" },
      { "id": "e_gate_remediate", "source": "gate_triage", "target": "phase4_remediate", "sourceHandle": "true" },
      { "id": "e_remediate_verify", "source": "phase4_remediate", "target": "phase5_verify" }
    ]
  }
}