Outbound plumbing to tenant-owned external systems (cloud accounts, SCM, identity providers, vuln feeds). Split into two distinct concerns: plumbing (C10) and rule content (C11). Separating them lets rules ship as seed data without code changes.
Integration Surface · plumbing + rule content
Why plumbing and content are separate buckets
C10 Connector Framework is plumbing: how we pull credentials from the vault, call provider APIs, honour rate limits, retry with backoff, record scan runs, stay tenant-isolated. Shared across every scanner.
C11 Security Check Libraries is content: the actual rules (CIS benchmarks, SCM repo checks, CVE/SBOM feeds, VA report parsers) that run on top of C10.
Separation lets us ship new checks as versioned seed data without application code changes — matches SRS REQ-CSPM-9, REQ-SCM-6.
All external systems are strictly opt-in per tenant. Air-gapped deployments simply skip the integrations that require outbound network.
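As an added illustration of the C10/C11 split (this is not the project's own code; the vault, provider API and check format are assumed in-memory stand-ins), a connector that resolves a tenant-scoped credential, refuses providers the tenant has not opted in to, retries a transient provider failure with backoff, records a scan run, and evaluates a rule that arrives purely as seed data:

```python
import time
from dataclasses import dataclass, field

# C11: rule content as versioned seed data (constructed sample; the check shape is assumed)
SEED_CHECKS = [
    {"id": "cis-s3-1", "version": "1.2", "provider": "aws", "resource": "bucket",
     "field": "public_access_blocked", "expect": True},
    {"id": "scm-branch-1", "version": "0.9", "provider": "github", "resource": "repo",
     "field": "branch_protection", "expect": True},
]

# C10: plumbing. VAULT maps tenant -> provider -> credential; INVENTORY is what the
# (read-only) provider would return for a credential. Both are constructed stand-ins.
VAULT = {"acme": {"aws": "acme-aws-ro"}, "globex": {"aws": "globex-aws-ro"}}
INVENTORY = {
    "acme-aws-ro": {"bucket": [{"name": "logs", "public_access_blocked": True},
                               {"name": "www", "public_access_blocked": False}]},
    "globex-aws-ro": {"bucket": [{"name": "data", "public_access_blocked": True}]},
}

class FakeProvider:
    """Stand-in for a provider API: keyed by credential, first call fails transiently."""
    def __init__(self, inventory): self.inventory, self.calls = inventory, 0
    def list(self, credential, resource):
        self.calls += 1
        if self.calls == 1:
            raise ConnectionError("transient 503")
        return self.inventory[credential].get(resource, [])

@dataclass
class ScanRun:  # recorded per execution so findings are attributable to tenant + rule version
    tenant: str
    check_id: str
    check_version: str
    attempts: int = 0
    findings: list = field(default_factory=list)

def run_check(tenant, check, provider, vault=VAULT, max_attempts=3, backoff=0.0):
    cred = vault.get(tenant, {}).get(check["provider"])  # only this tenant's credential is reachable
    if cred is None:
        raise LookupError(f"{tenant} has not opted in to {check['provider']}")
    run = ScanRun(tenant, check["id"], check["version"])
    for attempt in range(1, max_attempts + 1):
        run.attempts = attempt
        try:
            items = provider.list(cred, check["resource"])
            break
        except ConnectionError:
            if attempt == max_attempts:
                raise
            time.sleep(backoff * 2 ** (attempt - 1))  # exponential backoff between retries
    run.findings = [i["name"] for i in items if i.get(check["field"]) != check["expect"]]
    return run
```

Adding a new check means appending to the seed list; nothing in `run_check` changes.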
The grey dashed box (tenant-owned systems) is not a fifth cluster. It is the outbound boundary — everything outside our four clusters that we read from. Read-only arrows underline the contract.