Trust Boundary Mapper

Score every trust-boundary crossing in your infrastructure and emit an opinionated security report — in under a minute, entirely offline.

Trust Boundary Mapper on GitHub: https://github.com/Datasculptures/trust-boundary-mapper

  • Python
  • Security
  • Terraform
  • Kubernetes
  • Docker Compose
  • Infrastructure
  • CI/CD

What it does

TBM reads an architecture description and builds an internal graph of components and the connections between them. It scores each connection using a trust-boundary thinness formula, grouping results into Critical (T ≥ 0.60), Moderate (0.30 ≤ T < 0.60), and Acceptable (T < 0.30) severity buckets. The output is a self-contained HTML report with an interactive graph, a printable one-page client deliverable, and a machine-readable JSON export. No data ever leaves your machine.

The T-score formula

T(u, v) = (α + (1 − α) · A) · (wₛ · S + wᵇ · B)
  • A — authentication strength (0 = strongest, 1 = none)
  • S — data sensitivity (0.1 = public, 1.0 = secrets)
  • B — blast radius (fraction of system reachable downstream)
  • α — floor weight; default 0.10
  • wₛ, wᵇ — sensitivity / blast-radius weights; default 0.50 / 0.50

Severity buckets

  • Critical: T ≥ 0.60 — address before deploying
  • Moderate: 0.30 ≤ T < 0.60 — plan remediation
  • Acceptable: T < 0.30 — low risk under current assumptions
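The following is an added worked example, not code from the trust-boundary-mapper project, that applies the T-score formula and the three severity buckets above to a small constructed graph. The page fixes α and the two weights but not the numeric A value of each authentication rung, the S value of each data class, or exactly how B is derived from the graph; the AUTH_STRENGTH and DATA_SENSITIVITY tables and the reachability-based blast_radius below are assumptions chosen to illustrate the formula, so the resulting numbers are not expected to match the tool's own Sample output section.

```python
"""Added example (not the trust-boundary-mapper project's code): a minimal
implementation of T(u, v) = (α + (1 − α)·A) · (w_s·S + w_b·B) and the
Critical / Moderate / Acceptable buckets, run over a constructed graph."""
from collections import deque

ALPHA = 0.10            # floor weight, page default
W_S, W_B = 0.50, 0.50   # sensitivity / blast-radius weights, page defaults

# ASSUMED numeric mapping of the authentication ladder onto A (0 = strongest,
# 1 = none). The page only fixes the two endpoints.
AUTH_STRENGTH = {
    "mtls_rotating": 0.0,
    "mtls_static": 0.2,
    "oauth2_short": 0.4,
    "bearer_tls": 0.6,
    "network_only": 0.8,
    "none": 1.0,
}

# ASSUMED data-sensitivity scale S; the page fixes only public=0.1, secrets=1.0.
DATA_SENSITIVITY = {"public": 0.1, "internal": 0.4, "pii": 0.7, "secrets": 1.0}

# Constructed sample architecture: (source, target, auth level, data class).
EDGES = [
    ("web", "api", "none", "pii"),
    ("api", "db", "bearer_tls", "secrets"),
    ("api", "cache", "mtls_static", "internal"),
    ("cache", "api", "bearer_tls", "internal"),
]


def blast_radius(edges, start):
    """ASSUMED reading of 'fraction of system reachable downstream': the share
    of the other components reachable by following edges onward from `start`,
    the node an attacker lands on after crossing the scored edge."""
    adjacency, nodes = {}, set()
    for u, v, *_ in edges:
        adjacency.setdefault(u, []).append(v)
        nodes.update((u, v))
    reached, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, []):
            if nxt != start and nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    others = len(nodes) - 1
    return len(reached) / others if others else 0.0


def t_score(auth, data, b, alpha=ALPHA, w_s=W_S, w_b=W_B):
    """The page's formula; A and S come from the assumed tables above."""
    a = AUTH_STRENGTH[auth]
    s = DATA_SENSITIVITY[data]
    return (alpha + (1 - alpha) * a) * (w_s * s + w_b * b)


def bucket(t):
    """Severity buckets exactly as the page defines them."""
    if t >= 0.60:
        return "critical"
    if t >= 0.30:
        return "moderate"
    return "acceptable"


def score_graph(edges):
    """Return [(u, v, T rounded to 3 places, bucket), ...], worst edge first."""
    rows = []
    for u, v, auth, data in edges:
        t = t_score(auth, data, blast_radius(edges, v))
        rows.append((u, v, round(t, 3), bucket(t)))
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    for u, v, t, severity in score_graph(EDGES):
        print(f"{u:>6} -> {v:<6} T={t:.3f}  {severity}")
```

Because the auth and data tables are explicit, it is easy to see which lever moves an edge across a bucket boundary: the web → api edge is Critical purely because A = 1.0 removes the (1 − α) discount, while api → db carries secrets yet stays Moderate because nothing is reachable beyond the database (B = 0).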

Authentication ladder

  • mtls_rotating: Gold standard — rotating mutual TLS
  • mtls_static: Fixed mutual TLS certificates
  • oauth2_short: Short-lived cryptographic tokens
  • bearer_tls: Long-lived token over encrypted channel
  • network_only: No authentication — network-trusted only
  • none: Completely open

Supported inputs

Native YAML

Hand-written TBM schema files. Full control over components, zones, edges, authentication, and data sensitivity. Auto-detected as tbm.yaml or *.tbm.yaml.

Terraform state

Output of terraform show -json. TBM recognises EC2, Lambda, RDS, ElastiCache, S3, API Gateway, Load Balancers, and SQS. Connections inferred from security groups and IAM policies.

Docker Compose

Reads compose.yml or docker-compose.yml. Infers connections from depends_on, shared networks, published ports, and named volumes.

Kubernetes manifests

Reads a directory of Kubernetes YAML files. Understands Services, NetworkPolicies, Ingress, PersistentVolumeClaims, and RBAC — including cluster-admin bindings and projected service account tokens.

Install

# Recommended — isolated, always on PATH
pipx install trust-boundary-mapper

# Verify
tbm --version

Pre-built binaries (no Python required) are available on the Releases page for Windows x64, Linux x64, and macOS Apple Silicon.

Usage

# Zero-config — auto-detects infrastructure files in current directory
tbm

# Score a YAML file and open the report in your browser
tbm score my-system.yaml --output report.html --serve

# Score and produce all three output formats
tbm score my-system.yaml \
  --output report.html \
  --json report.json \
  --one-pager summary.txt

# Score a Docker Compose file
tbm score docker-compose.yml --output report.html --serve

# Score Terraform state
tbm score terraform.tfstate --output report.html

# Score Kubernetes manifests
tbm score --manifest-dir k8s/ --output report.html --serve

# Compare two versions of an architecture (CI regression detection)
tbm diff \
  --before before/infra.yaml \
  --after  after/infra.yaml \
  --output diff-report.html \
  --regression-severity critical

Sample output

════════════════════════════════════════════════════════════════════════════════════
         TRUST BOUNDARY ANALYSIS — THREE-TIER WEB APPLICATION
                    2026-04-18T10:32:00Z
════════════════════════════════════════════════════════════════════════════════════
  Input: three_tier.yaml   α=0.10  wₛ=0.50  wᵇ=0.50  mesh=collapsed

  CRITICAL (T ≥ 0.60)
  ────────────────────────────────────────────────────────────────────────────────────
  web → api          T=0.680  auth=network_only  data=pii      B=0.50
  api → db            T=0.625  auth=bearer_tls    data=secrets  B=0.25

  MODERATE (0.30 ≤ T < 0.60)
  ────────────────────────────────────────────────────────────────────────────────────
  cache → api         T=0.412  auth=bearer_tls    data=internal B=0.50

  ACCEPTABLE (T < 0.30)
  ────────────────────────────────────────────────────────────────────────────────────
  api → cache         T=0.182  auth=mtls_static   data=internal B=0.00

Diff mode

tbm diff compares two versions of an architecture and surfaces regressions. Each edge is classified as Added, Removed, Thinned (↓ worse), Thickened (↑ better), Unchanged, or Reclassified. Exit code 13 signals a regression at or above the specified severity — designed for CI/CD gates.

tbm diff \
  --before main/infra.yaml \
  --after  feature/infra.yaml \
  --output diff-report.html \
  --regression-severity critical
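An added example, not the project's own code, of the edge classification and CI-gate semantics described for tbm diff, operating on two constructed score tables keyed by (source, target) → T. The page does not say how Reclassified relates to Thinned and Thickened, so this code assumes that a bucket change wins the Reclassified label and the direction labels apply only within a bucket; it also assumes a regression is any edge that ends up at or above the gate severity after being Added, Thinned, or Reclassified upward.

```python
"""Added example (not the trust-boundary-mapper project's code): diff-mode edge
labels and exit codes 0 / 13 / 14 over constructed before/after T tables."""

SEVERITY_RANK = {"acceptable": 0, "moderate": 1, "critical": 2}
EXIT_OK, EXIT_REGRESSION, EXIT_NO_OVERLAP = 0, 13, 14   # page's exit codes


def bucket(t):
    """Severity buckets as the page defines them."""
    return "critical" if t >= 0.60 else "moderate" if t >= 0.30 else "acceptable"


# Constructed score tables: (source, target) -> T.
BEFORE = {("web", "api"): 0.412, ("api", "db"): 0.625, ("api", "cache"): 0.182}
AFTER = {("web", "api"): 0.680, ("api", "db"): 0.625,
         ("api", "cache"): 0.150, ("api", "queue"): 0.455}


def classify(before, after):
    """Label every edge in the union of both tables.
    ASSUMPTION: a bucket change is 'Reclassified' regardless of direction;
    'Thinned' / 'Thickened' describe T moving within the same bucket."""
    labels = {}
    for edge in set(before) | set(after):
        if edge not in before:
            labels[edge] = "Added"
        elif edge not in after:
            labels[edge] = "Removed"
        else:
            tb, ta = before[edge], after[edge]
            if bucket(tb) != bucket(ta):
                labels[edge] = "Reclassified"
            elif ta > tb:
                labels[edge] = "Thinned"      # worse
            elif ta < tb:
                labels[edge] = "Thickened"    # better
            else:
                labels[edge] = "Unchanged"
    return labels


def regressions(before, after, gate="critical"):
    """Edges that got worse and now sit at or above the gate severity
    (ASSUMED meaning of --regression-severity)."""
    out = []
    for edge, label in classify(before, after).items():
        if label == "Removed":
            continue
        ta = after[edge]
        if SEVERITY_RANK[bucket(ta)] < SEVERITY_RANK[gate]:
            continue
        worse = label in ("Added", "Thinned") or (
            label == "Reclassified" and ta > before[edge])
        if worse:
            out.append(edge)
    return sorted(out)


def components(scores):
    """Component IDs mentioned by a score table."""
    return {node for edge in scores for node in edge}


def diff_exit_code(before, after, gate="critical"):
    """Exit code a CI gate would see: 14 if the graphs share no component IDs,
    13 if any regression reaches the gate severity, else 0."""
    if not components(before) & components(after):
        return EXIT_NO_OVERLAP
    return EXIT_REGRESSION if regressions(before, after, gate) else EXIT_OK


if __name__ == "__main__":
    for edge, label in sorted(classify(BEFORE, AFTER).items()):
        print(f"{edge[0]} -> {edge[1]}: {label}")
    print("exit code:", diff_exit_code(BEFORE, AFTER, "critical"))
```

Note the effect of the gate: with --regression-severity critical only the web → api reclassification fails the build, while the newly added Moderate api → queue edge is reported but tolerated; lowering the gate to moderate makes both count.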

Exit codes

  • 0: Success
  • 2: Input validation error (YAML parse error, unknown auth/data value)
  • 3: Path-traversal or 10 MB size-cap violation
  • 4: Internal error
  • 5: Malformed Terraform state
  • 6: No mappable resources in Terraform state
  • 7: Malformed Compose or Kubernetes manifest
  • 13: Diff regression detected at or above specified severity
  • 14: Diff no-overlap — before and after graphs share no component IDs

Security design

  • No network calls — ever. The vis-network graph library is vendored inside the package.
  • No telemetry, no analytics, no accounts, no API keys.
  • 10 MB input file size cap before any parsing begins.
  • yaml.safe_load only — YAML tag injection is rejected.
  • Input paths validated against CWD to prevent path traversal (exit code 3).
  • --serve binds to 127.0.0.1 only; write requests and path traversal in URLs are rejected.
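An added example, not the project's own code, of the two pre-parse checks in the list above: path containment under the working directory and the 10 MB size cap, both mapped to exit code 3 as the page specifies. It assumes the containment decision is made on the fully resolved path (so symlinks and `..` segments are collapsed before comparison), that the size is read from the file's metadata before it is opened, and that parsing is handed to a caller-supplied function; the page states the tool itself parses with yaml.safe_load at that point.

```python
"""Added example (not the trust-boundary-mapper project's code): reject input
paths that escape the working directory or exceed the size cap before any
parsing happens, returning the page's exit code 3 on rejection."""
import os
from pathlib import Path

MAX_INPUT_BYTES = 10 * 1024 * 1024   # page: 10 MB cap before any parsing
EXIT_OK, EXIT_PATH_OR_SIZE = 0, 3    # page: exit code 3 for traversal / size cap


class InputRejected(Exception):
    """Raised for any pre-parse rejection; carries the exit code to use."""
    def __init__(self, reason, code=EXIT_PATH_OR_SIZE):
        super().__init__(reason)
        self.code = code


def check_input_path(user_path, root=None, max_bytes=MAX_INPUT_BYTES):
    """Return the resolved Path if it is a regular file inside `root` (default:
    CWD) and no larger than `max_bytes`; otherwise raise InputRejected.
    ASSUMPTION: containment is judged on the resolved path, which follows
    symlinks and collapses '..', so neither trick can point outside root."""
    root = Path(root or os.getcwd()).resolve()
    # An absolute user_path replaces root here, which is exactly what we want:
    # it then fails the relative_to() check below.
    candidate = (root / user_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise InputRejected(f"{user_path!r} resolves outside {root}")
    if not candidate.is_file():
        raise InputRejected(f"{user_path!r} is not a regular file")
    size = candidate.stat().st_size          # metadata only; file not opened yet
    if size > max_bytes:
        raise InputRejected(f"{user_path!r} is {size} bytes; cap is {max_bytes}")
    return candidate


def load_input(user_path, parse, **checks):
    """Run the checks, then hand the bytes to `parse` (the real tool uses
    yaml.safe_load here). Returns (exit_code, parsed_value_or_None, reason)."""
    try:
        path = check_input_path(user_path, **checks)
    except InputRejected as exc:
        return exc.code, None, str(exc)
    return EXIT_OK, parse(path.read_bytes()), None


def demo():
    """Constructed scenario in a temporary directory; returns the exit code
    observed for an in-tree file, a '..' escape, an absolute path outside the
    root, and an oversized file."""
    import tempfile
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "infra.yaml").write_text("components: []\n")
        (root / "big.yaml").write_bytes(b"#" * 64)
        parse = lambda raw: raw.decode()
        results["in_tree"] = load_input("infra.yaml", parse, root=root)[0]
        results["dotdot"] = load_input("../infra.yaml", parse, root=root)[0]
        results["absolute"] = load_input(
            str(root.parent / "infra.yaml"), parse, root=root)[0]
        results["too_big"] = load_input(
            "big.yaml", parse, root=root, max_bytes=32)[0]
    return results


if __name__ == "__main__":
    for case, code in demo().items():
        print(f"{case:>9}: exit {code}")
```

Ordering matters here: the containment check runs before is_file() and stat(), so a rejected path never causes the tool to touch anything outside the working directory, and the size check reads only metadata, so an oversized file is never loaded into memory.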