ARCHER is the infrastructure misconfiguration scanner component of the MEDUSA security platform. It discovers cloud and infrastructure resources, builds a resource dependency graph, and evaluates hundreds of security rules to surface misconfigurations before they become incidents.
| Component | Focus |
|---|---|
| Remy | Static Application Security Testing |
| Stryx | Dynamic Application Security Testing |
| ARCHER | Infrastructure Misconfiguration Scanning |
pip install archer-scan
Note: The PyPI distribution is
archer-scan. The CLI command isarcher.
Auto-detect provider and scan the current directory:
archer scan
Scan a specific provider and path:
archer scan --provider terraform --path ./infra
Scan AWS and output JSON to a file:
archer scan --provider aws --output report.json --format json
| Module | Purpose |
|---|---|
archer/providers/ |
Provider adapters (AWS, Azure, GCP, ...) |
archer/rules/ |
YAML rule definitions |
archer/engine/ |
Rule evaluation engine |
archer/graph/ |
Resource graph model |
archer/cli/ |
Command-line interface |
archer/report/ |
Report generation (JSON, Markdown) |
archer/auth/ |
Credential resolution and provider auth |
archer/config/ |
Configuration file parsing |
archer scan [OPTIONS]
Options:
--provider TEXT Provider to scan (aws, azure, gcp, terraform, kubernetes)
--path TEXT Path to infrastructure files (local providers only)
--profile TEXT AWS / Azure / GCP profile name
--region TEXT Cloud provider region
--output TEXT Output file path
--format TEXT Output format (json, markdown)
--config TEXT Path to config file
--verbose / --quiet
--help Show this message and exit.
# archer.yaml
provider: aws
region: us-east-1
profile: production
output:
format: json
path: ./reports/scan.json
rules:
include:
- "s3-*"
- "iam-*"
exclude:
- "iam-policy-wildcard-action"Findings: 3 critical, 5 high, 2 medium, 1 low
CRITICAL
S3 Bucket Public Access Block Disabled
Resource: my-app-bucket (aws_s3_bucket)
Rule: s3-public-access-block-disabled
Remediation: Enable block public access on the bucket.
IAM Policy With Wildcard Action
Resource: MyRolePolicy (iam_policy)
Rule: iam-policy-wildcard-action
Remediation: Scope IAM actions to specific API operations.
Security Group Allows All Inbound Traffic
Resource: sg-0123456789abcdef0 (aws_security_group)
Rule: ec2-security-group-open-ingress
Remediation: Restrict inbound rules to specific ports and CIDRs.
- Core rule engine and CLI
- AWS, Terraform providers
- 50+ built-in rules
- JSON and Markdown reporting
- Azure and GCP providers
- Custom rule authoring
- HTML report format with visualizations
- SARIF output for GitHub Advanced Security integration
- Kubernetes provider
- Continuous scanning mode
- CI/CD integration (GitHub Action, GitLab CI)
- Remediation automation (planned, optional opt-in)
- Plugin SDK for community providers
See CONTRIBUTING.md for development setup, code style guidelines, and instructions for adding rules and providers.
See SECURITY.md for the security policy and IAM permission requirements.
Author: Abhay Gupta
Organization: Medusa Security
Repository: https://github.com/Medusa-Security/archer