# Diagram Index

* [GitLab Pipeline Control Plane](https://github.com/D3One/Product-Security-Gitbook/blob/main/assets/diagrams/gitlab-pipeline-control-plane.svg)
* [Security Quality Gates Flow](https://github.com/D3One/Product-Security-Gitbook/blob/main/assets/diagrams/security-quality-gates-flow.svg)
* [Runner Isolation and Trust Boundaries](https://github.com/D3One/Product-Security-Gitbook/blob/main/assets/diagrams/runner-isolation-and-trust-boundaries.svg)
* [Protected Environments and Approvals](https://github.com/D3One/Product-Security-Gitbook/blob/main/assets/diagrams/protected-environments-and-approvals.svg)
* [GitLab Components and Includes](https://github.com/D3One/Product-Security-Gitbook/blob/main/assets/diagrams/gitlab-components-and-includes.svg)
* [Release Evidence Chain](https://github.com/D3One/Product-Security-Gitbook/blob/main/assets/diagrams/release-evidence-chain.svg)
* [DefectDojo and ASPM Overview](https://github.com/D3One/Product-Security-Gitbook/blob/main/assets/diagrams/defectdojo-aspm-overview.svg)
* [DefectDojo Integration Flow](https://github.com/D3One/Product-Security-Gitbook/blob/main/assets/diagrams/defectdojo-integration-flow.svg)
* `assets/diagrams/asoc-aspm-evolution.svg` — evolution from orchestration-first ASOC to posture-first ASPM
* `assets/diagrams/product-security-director-metrics.svg` — three-bucket leadership dashboard view
* `assets/diagrams/zap-dast-flow.svg` — ZAP DAST flow
* `assets/diagrams/linux-express-audit-flow.svg` — Linux express audit flow
* `assets/diagrams/cloud-attack-chain-overview.svg` — cross-cloud attack chain overview
* `assets/diagrams/aws-cloud-attack-chain.svg` — AWS provider-specific attack chain
* `assets/diagrams/azure-cloud-attack-chain.svg` — Azure provider-specific attack chain
* `assets/diagrams/gcp-cloud-attack-chain.svg` — GCP provider-specific attack chain
* `assets/diagrams/k8s-runtime-investigation-flow.svg` — runtime investigation workflow for Kubernetes and containers

## New diagrams in v2.1

* `assets/diagrams/detection-engineering-flow.svg` — how threat modeling becomes logs, detections, and playbooks
* `assets/diagrams/secure-architecture-patterns-overview.svg` — tenant, service, admin, and cloud-plane trust boundaries
* `assets/diagrams/workload-federation-and-platform-access.svg` — pipeline to federation to cloud-role flow
* `assets/diagrams/frontend-trust-boundary.svg` — browser, frontend, BFF, and service trust path
* `assets/diagrams/business-logic-abuse-surface.svg` — common business-workflow abuse surfaces

## v2.2 diagrams

* `assets/diagrams/frontend-auth-patterns.svg` - browser, BFF, API, IdP, and third-party trust map
* `assets/diagrams/business-logic-abuse-lifecycle.svg` - incentive-to-loss abuse flow
* `assets/diagrams/third-party-integration-trust-boundaries.svg` - source, pipeline, runner, and artifact trust path
* `assets/diagrams/stack-review-lifecycle.svg` - design-to-observe review loop
* `assets/diagrams/learning-labs-feedback-loop.svg` - read, practice, debrief, improve

## v2.3 diagrams

* `assets/diagrams/senior-engineer-decision-loop.svg` - advanced design-to-detection-to-scale loop
* `assets/diagrams/product-security-operating-model.svg` - intake, ownership, decision, and evidence flow
* `assets/diagrams/security-program-roadmap.svg` - staged capability roadmap for Product Security programs

## v2.4 diagrams

* `assets/diagrams/leadership-review-cadence.svg` - evidence-to-engineering-to-executive-to-board narrative flow
* `assets/diagrams/board-narrative-waterfall.svg` - board story structure from direction to asks

## v2.5 diagrams

* `assets/diagrams/newcomer-ramp-up-map.svg` - a simple map from beginner confusion to guided paths, glossary, reviews, and labs
* `assets/diagrams/review-checklist-loop.svg` - read, review, decide, record, and improve loop for newcomer-friendly checklists
* `assets/diagrams/mobile-api-compliance-automation-labs-map.svg` - map connecting mobile labs, API conformance, compliance learning, and containment automation
* [BSIMM and SAMM Comparison](https://github.com/D3One/Product-Security-Gitbook/blob/main/assets/diagrams/bsimm-samm-comparison.svg) — high-level visual on how to use BSIMM and OWASP SAMM together.

## v4.5 diagrams

* `assets/diagrams/devopssec-control-loop.svg` - control loop for shift-left checks, protected deployment, and runtime feedback
* `assets/diagrams/webapp-review-trust-zones.svg` - browser, edge, identity, and data/integration review map
* `assets/diagrams/security-automation-controller-trust-map.svg` - AWX / Jenkins / Rundeck as privileged control planes

## v4.6 diagrams

* `assets/diagrams/browser-session-trust-zones.svg` - browser, identity/BFF, API, and data trust map for session and authorization review
* `assets/diagrams/csp-third-party-trust-flow.svg` - how CSP, SRI, and script ownership fit into frontend trust decisions
* `assets/diagrams/graphql-abuse-controls.svg` - schema, resolver, operation-cost, and detection control map for GraphQL


