feat(parsers): add PICUS Breach and Attack Simulation CSV parser#14984
Draft
skywalke34 wants to merge 6 commits into
Conversation
Add a PicusParser that ingests Picus BAS result CSV exports under the "PICUS Scan" scan type. Each row is an attack action; findings are active when the threat was Not Blocked (an open control gap) and inactive when blocked. Severity is taken from threatSeverity, MITRE tactic/technique/sub-technique and attack category become tags, and CVE/CWE are mapped when present. Authored by T. Walker - DefectDojo
Add no_vuln, one_vuln, and many_vulns CSV fixtures plus 20 unit tests covering severity mapping, active/inactive logic, vuln_id_from_tool, CVE/CWE extraction, MITRE tags, title truncation, and the markdown description. All fixtures use fabricated, anonymized data. Authored by T. Walker - DefectDojo
Register "PICUS Scan" with DEDUPE_ALGO_HASH_CODE keyed on the single stable field vuln_id_from_tool (the native Picus actionId). Keying on actionId alone lets re-imported runs match prior findings so statuses update across runs rather than creating duplicates. Authored by T. Walker - DefectDojo
Document supported file types, field mapping, severity mapping, BAS active/inactive semantics, and the actionId-based hashcode deduplication. Authored by T. Walker - DefectDojo
devGregA
approved these changes
Jun 10, 2026
| ) | ||
| if prevention == "Blocked": | ||
| return "The simulated attack was blocked by existing preventive controls." | ||
| return "" |
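Review bot: the comparison `prevention == "Blocked"` is an exact string match, so a value with stray whitespace or different casing in the export (e.g. `"Blocked "`) silently falls through to the final `return ""`; normalizing with `prevention.strip()` before comparing, and returning `None` rather than `""` on the fall-through so the mitigation field stays unset on the active Not Blocked rows, would make the helper more robust.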
Member
Should this be "" or maybe None?
Contributor
Author
Good catch. I've reworked _build_mitigation so it no longer falls through to a bare return "" (just pushed in 11d5bef). It now aggregates the prevent → log → alert control posture plus any available Picus mitigation/triage references (mitigation guidance, detection content, payload output, action logs, detection signature), emitting only the fields that are present. In the edge case where none of those exist it now returns None rather than "", so the field stays unset instead of being persisted as an empty string.
… references Build the mitigation field from the prevent -> log -> alert control posture so analysts can see which control layer failed, plus any Picus mitigation/triage references present in the export (mitigation guidance, detection content, payload output, action logs, detection signature). Return None instead of an empty string when no mitigation data is available (addresses PR review feedback). Add fixture coverage for the reference links and six mitigation unit tests. Authored by T. Walker - DefectDojo
Update the field-mapping table, add a Mitigation Construction section, and refresh the mapped-field count to cover the control-posture block and the mitigation/triage references (mitigation guidance, detection content, payload output, action logs, detection signature) now emitted in the mitigation field. Authored by T. Walker - DefectDojo
Description
New parser for Picus Security, a Breach and Attack Simulation (BAS) platform. Picus runs simulated attacks and reports whether existing security controls prevented, logged, and alerted on each simulated action.
The parser:
- Ingests exports under the `PICUS Scan` scan type (the same schema covers the Email, Endpoint, Network, and Web vector exports).
- Maps severity from `threatSeverity`, builds the title from `threatName - actionName` (truncated to 500 chars), and constructs a markdown-table description.
- Sets `vuln_id_from_tool` from the native Picus `actionId` for deduplication.
Test results
20 unit tests covering:
- Severity mapping from `threatSeverity`
- `vuln_id_from_tool` extraction, CVE/CWE mapping, MITRE tags
All tests pass under both `V3_FEATURE_LOCATIONS=False` and `True`. `ruff` is clean.
Documentation
Parser documentation at `docs/content/supported_tools/parsers/file/picus.md`.
Deduplication
Registered in `settings.dist.py` with `DEDUPE_ALGO_HASH_CODE` keyed on the single stable field `vuln_id_from_tool` (the native `actionId`). `actionId` is stable across simulation runs while `simulationRunId` changes per run, so keying on `actionId` alone lets re-imported runs match prior findings and update their status rather than creating duplicates.
Checklist
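The row-to-finding mapping described under "The parser" and the actionId-keyed deduplication described above, as an added stand-alone example (not the PR's PicusParser code). The CSV is constructed; only the `threatSeverity`, `threatName`, `actionName`, `actionId` and `simulationRunId` column names come from the PR, the `prevention`, `cve` and `mitreTechnique` columns and the severity table are assumed.

```python
import csv
import hashlib
import io

# Constructed sample exports: two runs of the same actions. actionId is stable,
# simulationRunId changes, and A-100 goes from Not Blocked to Blocked in run 2.
RUN1_CSV = """simulationRunId,actionId,threatName,actionName,threatSeverity,prevention,cve,mitreTechnique
run-001,A-100,Sample Loader,Drop DLL,High,Not Blocked,CVE-0000-0000,T1105
run-001,A-101,Sample Loader,Spawn PowerShell,Medium,Blocked,,T1059.001
"""
RUN2_CSV = """simulationRunId,actionId,threatName,actionName,threatSeverity,prevention,cve,mitreTechnique
run-002,A-100,Sample Loader,Drop DLL,High,Blocked,CVE-0000-0000,T1105
run-002,A-102,Sample Loader,Registry Persist,Low,Not Blocked,,T1547.001
"""

# Assumed severity mapping; unknown values fall back to Info.
SEVERITY_MAP = {"critical": "Critical", "high": "High", "medium": "Medium", "low": "Low"}


def parse_picus_csv(text):
    """Map each attack-action row to a finding dict following the PR description."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        prevention = row.get("prevention", "").strip()
        findings.append({
            "title": f"{row['threatName']} - {row['actionName']}"[:500],
            "severity": SEVERITY_MAP.get(row["threatSeverity"].strip().lower(), "Info"),
            "active": prevention == "Not Blocked",   # open control gap
            "vuln_id_from_tool": row["actionId"],    # native Picus actionId
            "cve": row.get("cve") or None,
            "tags": [t for t in (row.get("mitreTechnique"),) if t],
        })
    return findings


def hash_code(finding):
    """Dedupe key over vuln_id_from_tool only, so simulationRunId never affects it."""
    return hashlib.sha256(finding["vuln_id_from_tool"].encode()).hexdigest()


def reconcile(previous, current):
    """Re-import: findings sharing a hash get their status updated, others are new."""
    prev_by_key = {hash_code(f): f for f in previous}
    updated, new = [], []
    for f in current:
        key = hash_code(f)
        if key in prev_by_key:
            prev_by_key[key]["active"] = f["active"]
            updated.append(f["vuln_id_from_tool"])
        else:
            new.append(f["vuln_id_from_tool"])
    return updated, new
```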