Skip to main content

Policy-as-code engine and OSS CLI for compliance scanning

Project description

Anaya

Anaya is a policy-pack-agnostic compliance-as-code engine. The V1 direction is a shared deterministic engine with two product surfaces:

  • CLI: local and CI usage through anaya scan; this is OSS, similar in spirit to Semgrep
  • GitHub App: pull request checks, annotations, and SARIF output

The OSS repository is licensed under AGPL-3.0-or-later.

This folder is the clean Anaya foundation. The older rbi-compliance-scanner folder remains a prototype/reference, mainly useful for GitHub App auth and webhook signature code.

Current Scope

  • Load rule packs from YAML
  • Load built-in or user-authored external policy packs
  • Run deterministic pattern rules against source files
  • Emit table, JSON, or SARIF-style output from the CLI
  • Ship five generic OSS packs for secrets, OWASP, PII handling, TLS, and audit logging
  • Include an experimental India DPDP privacy pack for early policy-pack testing
  • Cover 29 built-in rules with Python and JavaScript fixture tests
  • Provide a FastAPI GitHub App foundation with webhook verification, PR scanning, Check Run updates, and optional SARIF upload
  • Support optional OpenAI-backed type: llm rules, disabled by default and guarded by repository opt-in

Quick Start

python -m venv .venv
.\.venv\Scripts\python -m pip install -e .[dev]
anaya scan . --no-config --format table

For CLI-only usage from PyPI, install the base package. Server/GitHub App dependencies are optional:

pipx install anaya
pip install "anaya[server,llm]"

Without installing the console script:

python -m anaya.cli.main scan . --no-config --format json

Commands

anaya scan PATH
anaya scan PATH --diff HEAD~1
anaya scan PATH --format sarif -o anaya.sarif
anaya scan PATH --format audit-json
anaya scan PATH --format check-run
anaya test-rule --rule ANAYA-SEC-001 --file app.py
anaya init
anaya validate-pack anaya\packs\generic\secrets-detection.yml
anaya validate-pack anaya\packs\india\dpdp-privacy.yml
anaya packs list

Custom packs are first-class:

anaya scan . --pack path\to\my-policy-pack.yml

Pack paths in anaya.yml are resolved relative to the config file.

Diff scans are supported for local Git worktrees:

anaya scan . --diff origin/main

Repository Config

anaya scan auto-discovers anaya.yml from the scanned path or its parents. Use --config path\to\anaya.yml to choose a specific config file.

Repository config can choose packs, thresholds, ignored paths, ignored rule IDs, and language filters:

scan:
  languages: [python, javascript]

ignore:
  rules:
    - ANAYA-SEC-006

Configured packs, thresholds, languages, and ignored rule IDs are validated before scanning.

Optional OpenAI-backed rules require explicit repository opt-in:

llm:
  enabled: true

LLM rules are skipped with a warning when OpenAI is not configured. See docs/LLM_RULES.md for the rule schema, safety limits, and data-handling notes.

CLI vs GitHub App

The CLI and GitHub App intentionally ship as different surfaces over the same engine:

  • CLI: installed with the base anaya package; no hosted GitHub App runtime dependencies are needed.
  • GitHub App/server: install with anaya[server]; add anaya[llm] only when hosted LLM rules should run.
  • Railway/Docker: installs .[server,llm] because the hosted app needs FastAPI, GitHub API dependencies, Uvicorn, and optional OpenAI support.

Status

This is the Phase 1/Phase 3/Phase 4/Phase 5 foundation from ANAYA_SPEC.py: engine models, rule loader, pattern and Python AST scanners, repository config, reporters, tested generic packs, OSS CLI, in-process GitHub App PR scanning, and optional OpenAI-backed LLM judging. Redis/Celery hosted queueing, retry hardening, JavaScript AST scanning, and deployment/demo readiness are intentionally not wired yet.

Development

python -m pip install -e .[dev]
python -m pytest
python -m pytest --cov
python -m ruff check .

The same commands are wrapped in the repository Makefile for contributors who have make installed.

For human product checks after automated tests pass, see docs/MANUAL_CHECKS.md. For the full engineering handoff, see docs/TECHNICAL_ARCHITECTURE.md. For GitHub Actions SARIF upload, see docs/GITHUB_ACTION.md. For local GitHub App API setup, see docs/GITHUB_APP.md. For optional OpenAI-backed rules, see docs/LLM_RULES.md. For PyPI releases, see docs/PYPI_RELEASE.md. For Azure VM hosting, see docs/AZURE_VM_DEPLOYMENT.md. For Railway hosting, see docs/RAILWAY_DEPLOYMENT.md. For the public/private repository split, see docs/REPOSITORY_STRATEGY.md.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

anaya-1.1.0.tar.gz (63.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

anaya-1.1.0-py3-none-any.whl (62.3 kB view details)

Uploaded Python 3

File details

Details for the file anaya-1.1.0.tar.gz.

File metadata

  • Download URL: anaya-1.1.0.tar.gz
  • Upload date:
  • Size: 63.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for anaya-1.1.0.tar.gz
Algorithm Hash digest
SHA256 7e01ae3ab344f49f4efe057098ca272e5c5b319b0a2e032bcb6b5ba2db302341
MD5 64ef487d322ed1d4f19adc026b07d9dc
BLAKE2b-256 778b97f2d891d4ffb5931cbc9d5e7b128937744a0701cbb97e22a339813486d1

See more details on using hashes here.

Provenance

The following attestation bundles were made for anaya-1.1.0.tar.gz:

Publisher: publish.yml on sandip-pathe/anaya

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file anaya-1.1.0-py3-none-any.whl.

File metadata

  • Download URL: anaya-1.1.0-py3-none-any.whl
  • Upload date:
  • Size: 62.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for anaya-1.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 4735f50964bdb73558ca55694b853093537dcdcaf6c28f87d5ace86f75da49da
MD5 95feb96ea8c770b2c63473b4674fc6fc
BLAKE2b-256 c07f349c9f512b088a98f6cc7a49300dc713b7b5c48bedfd68f74e18d6a02acd

See more details on using hashes here.

Provenance

The following attestation bundles were made for anaya-1.1.0-py3-none-any.whl:

Publisher: publish.yml on sandip-pathe/anaya

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page