The analyzer is the visible product. Around it I built the remediation pipeline and the test infrastructure that make it safe to operate.
Files ServiceNow remediation tickets to the managers and teams whose assets carry CVEs past
SLA. Normalizes owners, assets, findings, and ticket history into its own SQLite schema, groups
breaches one-ticket-per-(manager, team), and derives sha256 idempotency keys so re-runs never
double-file. Dry-run mode writes every payload to disk for review before anything is submitted.
Reads the analyzer's state strictly read-only. Later versions added fleet-wide
bulk-escalate-past-sla and reconcile-from-snow CLIs. The
transparency and provenance layer described under Security
engineering ships inside TTM, with 50+ dedicated tests of its own.
The dispatch layer between the SLA stack and ServiceNow. Encrypted secrets vault (Fernet at
rest, PBKDF2-HMAC-SHA256 at 600,000 iterations, files written 0600 in a 0700 directory).
Hash-chained audit log where verify_chain() pinpoints the exact tampered row.
CMDB matching with TTL caching, a full dispatch lifecycle state machine
(STAGED → SUBMITTING → SUBMITTED_OK / RETRY_PENDING / FAILED_PERMANENT), and idempotent
correlation IDs across runs. Live TUI with queue, runs, CMDB, audit, and settings tabs.
The entire stack can be developed and demonstrated with zero live credentials. A mock
ServiceNow server replays fixtures for incidents, CMDB queries, and rate limits, with scriptable
retryable and permanent errors for failure-path testing. A deterministic generator produces
realistic vulnerability data at fleet scale, and a KEV-injection tool flags simulated findings
against the live CISA catalog so demo data behaves like production data. Live API clients ship
as explicit NotImplementedError stubs until an operator provides credentials: the
safe posture is the default posture.