Cloud and infrastructure misconfiguration scanner — part of the MEDUSA security platform
Project description
ARCHER
ARCHER is the infrastructure misconfiguration scanner component of the MEDUSA security platform. It discovers cloud and infrastructure resources, builds a resource dependency graph, and evaluates hundreds of security rules to surface misconfigurations before they become incidents.
Fit within MEDUSA
| Component | Focus |
|---|---|
| Remy | Static Application Security Testing |
| Stryx | Dynamic Application Security Testing |
| ARCHER | Infrastructure Misconfiguration Scanning |
Installation
pip install archer-scan
Note: The PyPI distribution is
archer-scan. The CLI command isarcher.
Quickstart
Auto-detect provider and scan the current directory:
archer scan
Scan a specific provider and path:
archer scan --provider terraform --path ./infra
Scan AWS and output JSON to a file:
archer scan --provider aws --output report.json --format json
Module Table
| Module | Purpose |
|---|---|
archer/providers/ |
Provider adapters (AWS, Azure, GCP, ...) |
archer/rules/ |
YAML rule definitions |
archer/engine/ |
Rule evaluation engine |
archer/graph/ |
Resource graph model |
archer/cli/ |
Command-line interface |
archer/report/ |
Report generation (JSON, Markdown) |
archer/auth/ |
Credential resolution and provider auth |
archer/config/ |
Configuration file parsing |
CLI Reference
archer scan [OPTIONS]
Options:
--provider TEXT Provider to scan (aws, azure, gcp, terraform, kubernetes)
--path TEXT Path to infrastructure files (local providers only)
--profile TEXT AWS / Azure / GCP profile name
--region TEXT Cloud provider region
--output TEXT Output file path
--format TEXT Output format (json, markdown)
--config TEXT Path to config file
--verbose / --quiet
--help Show this message and exit.
Configuration File
# archer.yaml
provider: aws
region: us-east-1
profile: production
output:
format: json
path: ./reports/scan.json
rules:
include:
- "s3-*"
- "iam-*"
exclude:
- "iam-policy-wildcard-action"
Sample Report Output
Findings: 3 critical, 5 high, 2 medium, 1 low
CRITICAL
S3 Bucket Public Access Block Disabled
Resource: my-app-bucket (aws_s3_bucket)
Rule: s3-public-access-block-disabled
Remediation: Enable block public access on the bucket.
IAM Policy With Wildcard Action
Resource: MyRolePolicy (iam_policy)
Rule: iam-policy-wildcard-action
Remediation: Scope IAM actions to specific API operations.
Security Group Allows All Inbound Traffic
Resource: sg-0123456789abcdef0 (aws_security_group)
Rule: ec2-security-group-open-ingress
Remediation: Restrict inbound rules to specific ports and CIDRs.
Roadmap
v0.1.0 (Current)
- Core rule engine and CLI
- AWS, Terraform providers
- 50+ built-in rules
- JSON and Markdown reporting
v0.5.0
- Azure and GCP providers
- Custom rule authoring
- HTML report format with visualizations
- SARIF output for GitHub Advanced Security integration
v1.0.0
- Kubernetes provider
- Continuous scanning mode
- CI/CD integration (GitHub Action, GitLab CI)
- Remediation automation (planned, optional opt-in)
- Plugin SDK for community providers
Contributing
See CONTRIBUTING.md for development setup, code style guidelines, and instructions for adding rules and providers.
Security
See SECURITY.md for the security policy and IAM permission requirements.
Author: Abhay Gupta
Organization: Medusa Security
Repository: https://github.com/Medusa-Security/archer
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file archer_scan-0.1.0.tar.gz.
File metadata
- Download URL: archer_scan-0.1.0.tar.gz
- Upload date:
- Size: 38.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a28f138eb3e334bfbdc7e98651992d8420ed35acae2ab8ecf283f3d84506823e
|
|
| MD5 |
547a447ee2c0948bc4171c5afd242635
|
|
| BLAKE2b-256 |
a1b6ed7ab38eec51e30c8daa3a7c022803da7b37cd24430383839ebe67c9d0b3
|
File details
Details for the file archer_scan-0.1.0-py3-none-any.whl.
File metadata
- Download URL: archer_scan-0.1.0-py3-none-any.whl
- Upload date:
- Size: 40.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
50b6be6aa05d2c492957d89623ccc056bf22effad6f257816c46ee2ed31cf7b1
|
|
| MD5 |
2c053426604c3e296e72f954528cd618
|
|
| BLAKE2b-256 |
a3889e39bb3faf6f90aa09a781f6826e78aaffdd133c1098449c3a4e93548f66
|