Skip to content

Medusa-Security/archer

ARCHER

Python 3.11+ License: Apache 2.0 Code style: black Ruff CI

ARCHER is the infrastructure misconfiguration scanner component of the MEDUSA security platform. It discovers cloud and infrastructure resources, builds a resource dependency graph, and evaluates hundreds of security rules to surface misconfigurations before they become incidents.

Fit within MEDUSA

Component Focus
Remy Static Application Security Testing
Stryx Dynamic Application Security Testing
ARCHER Infrastructure Misconfiguration Scanning

Installation

pip install archer-scan

Note: The PyPI distribution is archer-scan. The CLI command is archer.

Quickstart

Auto-detect provider and scan the current directory:

archer scan

Scan a specific provider and path:

archer scan --provider terraform --path ./infra

Scan AWS and output JSON to a file:

archer scan --provider aws --output report.json --format json

Module Table

Module Purpose
archer/providers/ Provider adapters (AWS, Azure, GCP, ...)
archer/rules/ YAML rule definitions
archer/engine/ Rule evaluation engine
archer/graph/ Resource graph model
archer/cli/ Command-line interface
archer/report/ Report generation (JSON, Markdown)
archer/auth/ Credential resolution and provider auth
archer/config/ Configuration file parsing

CLI Reference

archer scan [OPTIONS]

Options:
  --provider TEXT     Provider to scan (aws, azure, gcp, terraform, kubernetes)
  --path TEXT         Path to infrastructure files (local providers only)
  --profile TEXT      AWS / Azure / GCP profile name
  --region TEXT       Cloud provider region
  --output TEXT       Output file path
  --format TEXT       Output format (json, markdown)
  --config TEXT       Path to config file
  --verbose / --quiet
  --help              Show this message and exit.

Configuration File

# archer.yaml
provider: aws
region: us-east-1
profile: production
output:
  format: json
  path: ./reports/scan.json
rules:
  include:
    - "s3-*"
    - "iam-*"
  exclude:
    - "iam-policy-wildcard-action"

Sample Report Output

Findings: 3 critical, 5 high, 2 medium, 1 low

CRITICAL
  S3 Bucket Public Access Block Disabled
    Resource: my-app-bucket (aws_s3_bucket)
    Rule: s3-public-access-block-disabled
    Remediation: Enable block public access on the bucket.

  IAM Policy With Wildcard Action
    Resource: MyRolePolicy (iam_policy)
    Rule: iam-policy-wildcard-action
    Remediation: Scope IAM actions to specific API operations.

  Security Group Allows All Inbound Traffic
    Resource: sg-0123456789abcdef0 (aws_security_group)
    Rule: ec2-security-group-open-ingress
    Remediation: Restrict inbound rules to specific ports and CIDRs.

Roadmap

v0.1.0 (Current)

  • Core rule engine and CLI
  • AWS, Terraform providers
  • 50+ built-in rules
  • JSON and Markdown reporting

v0.5.0

  • Azure and GCP providers
  • Custom rule authoring
  • HTML report format with visualizations
  • SARIF output for GitHub Advanced Security integration

v1.0.0

  • Kubernetes provider
  • Continuous scanning mode
  • CI/CD integration (GitHub Action, GitLab CI)
  • Remediation automation (planned, optional opt-in)
  • Plugin SDK for community providers

Contributing

See CONTRIBUTING.md for development setup, code style guidelines, and instructions for adding rules and providers.

Security

See SECURITY.md for the security policy and IAM permission requirements.


Author: Abhay Gupta

Organization: Medusa Security

Repository: https://github.com/Medusa-Security/archer

About

No description, website, or topics provided.

Resources

License

Code of conduct

Contributing

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors