CLI that scans repositories and generates the necessary IAM Permissions for the service to run.
Report bug
*
Feature request
*
Slauth.io blog
We're always open to feedback!
If you have any or are in need of some help, please join our Slack Community
Installation
Usage
- Set the
OPENAI_API_KEYenvironment variable:export OPENAI_API_KEY= - Run
slauth --helpto see available commands
Commands
Scan
The scan command will look for any calls of your Cloud Provider sdk in your git repository and generate the necessary permissions for it.
Note: By default the
scancommand will print the result tostdout. Use-o,--output-fileoption to specify a file to output to.
Result:
The result of the scan command is an array of IAM Permissions.
Note: For
awscloud provider, if the resource is not explicit in the code (e.g. comes from a variable), we use a placholder for it. Before deploying the policies, you will have to manually change these placeholders with the correct resources the service will try to interact with.
[
{
"Version": "2012-10-17",
"Id": "S3Policy",
"Statement": [
{
"Sid": "S3Permissions",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetBucketAcl"
],
"Resource": [
"
"
"arn:aws:s3:::my_bucket_2/*"
]
}
]
},
{
"Version": "2012-10-17",
"Id": "DynamoDBPolicy",
"Statement": [
{
"Sid": "DynamoDBPermissions",
"Effect": "Allow",
"Action": [
"dynamodb:PutItem"
],
"Resource": [
"
]
}
]
},
{
"Version": "2012-10-17",
"Id": "SQSPolicy",
"Statement": [
{
"Sid": "SQSPermissions",
"Effect": "Allow",
"Action": [
"sqs:SendMessage"
],
"Resource": [
"
]
}
]
}
]
Available options
-p, --cloud-providerselect the cloud provider you would like to generate policies for (choices: "aws", "gcp")-m, --openai-modelselect the openai model to use (choices: "gpt-3.5-turbo-16k", "gpt-4-32k")-o, --output-filewrite generated policies to a file instead of stdout
Selecting which OpenAI Model to use
By default slauth will use gpt-4-32k as it provides the best results. You can still choose to use other models to scan you repo, specially if cost is a concern:
To choose a different model, use the -m option of the scan command
Available models:
gpt-3.5-turbo-16k(results with this model might be incomplete)gpt-4-32k(default)
Example repos to test with
In case you want to give the CLI a quick test you can fork the following repositories.
- aws-sdk: https://github.com/slauth-io/aws-sdk-tester
- google-cloud sdk: https://github.com/slauth-io/gcp-sdk-tester
Running in CI/CD
Slauth being a CLI, it can be easily integrated in your CI/CD pipelines.
Github Action Example
In this GitHub action workflow we install Slauth, run it and then output the result to an artifact which can then be downloaded so it can be used in your IaC.
on:
push:
permissions:
contents: read
jobs:
release:
name: policy-scan
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: 'lts/*'
- name: Install Slauth
run: npm install -g @slauth.io/slauth
- name: Run Slauth
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
run: slauth scan -p aws -o ./policies.json .
- name: Upload Artifact
uses: actions/upload-artifact@v3
with:
name: policies
path: policies.json
Development
- Set your
OPENAI_API_KEYin the.envfile at the root of the project - Run
npm i - Install the
slauthCLI globally:npm install -g . - Compile tsc on file change:
npm run build-watch - Test it,
slauth -hshould work