git.stella-ops.org/docs/features/unchecked/scanner/surface-aware-reachability-analysis-with-confidence-tiers.md
# Surface-Aware Reachability Analysis with Confidence Tiers
## Module
Scanner
## Status
IMPLEMENTED
## Description
Reachability analysis that factors in attack surface boundaries (HTTP, gRPC, internal) and classifies findings into confidence tiers (Confirmed, Likely, Present, Unreachable), providing structured boundary proof extraction from multiple sources (rich graph, gateway config, K8s network policies, IaC).
## Implementation Details
- **Surface-Aware Analyzer**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Surfaces/SurfaceAwareReachabilityAnalyzer.cs` - `SurfaceAwareReachabilityAnalyzer` combining reachability analysis with attack surface boundary information for confidence-tiered classification
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Surfaces/ReachabilityConfidenceTier.cs` - `ReachabilityConfidenceTier` enum (Confirmed, Likely, Present, Unreachable)
- **Boundary Proof Extractors**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/IBoundaryProofExtractor.cs` - Interface for extracting boundary proofs from different sources
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/CompositeBoundaryExtractor.cs` - `CompositeBoundaryExtractor` aggregating proofs from multiple boundary sources
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/RichGraphBoundaryExtractor.cs` - `RichGraphBoundaryExtractor` extracting boundaries from rich dependency graphs
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/GatewayBoundaryExtractor.cs` - `GatewayBoundaryExtractor` extracting boundaries from API gateway configurations
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/K8sBoundaryExtractor.cs` - `K8sBoundaryExtractor` extracting boundaries from Kubernetes NetworkPolicy resources
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/IacBoundaryExtractor.cs` - `IacBoundaryExtractor` extracting boundaries from Infrastructure-as-Code definitions
- **Semantic Extensions**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/RichGraphSemanticExtensions.cs` - Semantic extension methods for rich graph boundary analysis
- **DI Registration**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/BoundaryServiceCollectionExtensions.cs` - DI registration for boundary extractors
## E2E Test Plan
- [ ] Analyze a vulnerability with function-level reachability and HTTP boundary exposure and verify it is classified as "Confirmed" confidence tier
- [ ] Verify a vulnerability reachable in code but behind an API gateway with authentication is classified as "Likely" rather than "Confirmed"
- [ ] Verify a vulnerability present in the SBOM but not reachable in the call graph is classified as "Present"
- [ ] Verify boundary proofs from Kubernetes NetworkPolicy correctly restrict the attack surface assessment
- [ ] Verify the `CompositeBoundaryExtractor` aggregates proofs from rich graph, gateway, K8s, and IaC sources into a unified boundary assessment
- [ ] Verify confidence tier classification is deterministic for the same inputs
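The tiering that the test plan exercises, as an added C# illustration that is not the project's own `SurfaceAwareReachabilityAnalyzer` or `CompositeBoundaryExtractor`: proofs from several boundary sources are aggregated in a deterministic order, then combined with call-graph reachability to pick a tier. The `BoundaryProof` shape, the delegate standing in for `IBoundaryProofExtractor`, the constructed sample proofs and the tier rules are all assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public enum ReachabilityConfidenceTier { Confirmed, Likely, Present, Unreachable }

// One boundary proof as a source extractor would emit it (assumed shape). Exposed: the surface
// admits traffic to the component; Gated: that surface requires auth or is filtered (gateway auth, NetworkPolicy).
public sealed record BoundaryProof(string Source, string Surface, bool Exposed, bool Gated);

// Stands in for IBoundaryProofExtractor: each source maps a component to the proofs it knows about.
public delegate IEnumerable<BoundaryProof> BoundaryProofSource(string component);
// Aggregates every source; sorting by source then surface makes the result deterministic
// regardless of the order in which the extractors were registered.
public static class CompositeBoundaryExtractor
{
    public static IReadOnlyList<BoundaryProof> Extract(string component, params BoundaryProofSource[] sources) =>
        sources.SelectMany(s => s(component))
               .OrderBy(p => p.Source, StringComparer.Ordinal)
               .ThenBy(p => p.Surface, StringComparer.Ordinal)
               .ToList();
}

public static class TierClassifier
{
    // Assumed tier rules: an illustrative reading of the test plan, not the project's own logic.
    public static ReachabilityConfidenceTier Classify(bool callGraphReachable, IReadOnlyList<BoundaryProof> proofs)
    {
        if (!callGraphReachable) return ReachabilityConfidenceTier.Present;   // in SBOM, no call-graph path
        if (proofs.Any(p => p.Exposed && !p.Gated)) return ReachabilityConfidenceTier.Confirmed; // open HTTP/gRPC surface
        if (proofs.Any(p => p.Exposed && p.Gated)) return ReachabilityConfidenceTier.Likely;     // reachable only behind auth
        if (proofs.Count == 0) return ReachabilityConfidenceTier.Likely;      // no boundary evidence: cannot rule exposure out
        return ReachabilityConfidenceTier.Unreachable;                        // every known surface blocks the path
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed proofs: an authenticated gateway route plus a NetworkPolicy that denies internal ingress.
        BoundaryProofSource gateway = _ => new[] { new BoundaryProof("gateway", "http /api/orders", Exposed: true, Gated: true) };
        BoundaryProofSource k8s = _ => new[] { new BoundaryProof("k8s-networkpolicy", "internal", Exposed: false, Gated: true) };
        var proofs = CompositeBoundaryExtractor.Extract("pkg:nuget/Example.Lib@1.0.0", gateway, k8s);
        // Test-plan cases: reachable in code but behind gateway auth; in the SBOM without a call-graph path.
        Console.WriteLine(TierClassifier.Classify(true, proofs));
        Console.WriteLine(TierClassifier.Classify(false, proofs));
    }
}
```

Running the two classifications with the same proof list twice is the cheapest check for the determinism item in the plan: the sorted aggregation means registration order cannot change the tier.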