CLI that scans repositories and generates the necessary IAM Permissions for the service to run.
Report bug
·
Feature request
·
Slauth.io blog
🤩
We're always open to feedback!
If you have any or are in need of some help, please join our Slack Community
npm install -g @slauth.io/slauth- Set the
OPENAI_API_KEYenvironment variable:export OPENAI_API_KEY=<key> - Run
slauth --helpto see available commands
The scan command will look for any calls of your Cloud Provider sdk in your git repository and generate the necessary permissions for it.
slauth scan -p aws ../path/to/my/repositoryNote: By default the
scancommand will print the result tostdout. Use-o,--output-fileoption to specify a file to output to.
Result:
The result of the scan command is an array of IAM Permissions.
Note: For
awscloud provider, if the resource is not explicit in the code (e.g. comes from a variable), we use a placholder for it. Before deploying the policies, you will have to manually change these placeholders with the correct resources the service will try to interact with.
Detected Policies:
[
{
"Version": "2012-10-17",
"Id": "S3Policy",
"Statement": [
{
"Sid": "S3Permissions",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetBucketAcl"
],
"Resource": [
"<S3_BUCKET_PLACEHOLDER>",
"<S3_BUCKET_1_PLACEHOLDER>",
"arn:aws:s3:::my_bucket_2/*"
]
}
]
},
{
"Version": "2012-10-17",
"Id": "DynamoDBPolicy",
"Statement": [
{
"Sid": "DynamoDBPermissions",
"Effect": "Allow",
"Action": [
"dynamodb:PutItem"
],
"Resource": [
"<DYNAMODB_TABLE_PLACEHOLDER>"
]
}
]
},
{
"Version": "2012-10-17",
"Id": "SQSPolicy",
"Statement": [
{
"Sid": "SQSPermissions",
"Effect": "Allow",
"Action": [
"sqs:SendMessage"
],
"Resource": [
"<SQS_QUEUE_URL_PLACEHOLDER>"
]
}
]
}
]-p, --cloud-provider <cloudProvider>select the cloud provider you would like to generate policies for (choices: "aws", "gcp")-m, --openai-model <openaiModel>select the openai model to use (choices: "gpt-3.5-turbo-16k", "gpt-4-32k")-o, --output-file <outputFile>write generated policies to a file instead of stdout
By default slauth will use gpt-4-32k as it provides the best results. You can still choose to use other models to scan you repo, specially if cost is a concern:
To choose a different model, use the -m option of the scan command
slauth scan -p aws -m gpt-3.5-turbo-16k ./path/to/my/repositoryAvailable models:
gpt-3.5-turbo-16k(results with this model might be incomplete)gpt-4-32k(default)
In case you want to give the CLI a quick test you can fork the following repositories.
- aws-sdk: https://github.com/slauth-io/aws-sdk-tester
- google-cloud sdk: https://github.com/slauth-io/gcp-sdk-tester
Slauth being a CLI, it can be easily integrated in your CI/CD pipelines.
In this GitHub action workflow we install Slauth, run it and then output the result to an artifact which can then be downloaded so it can be used in your IaC.
name: scan
on:
push:
permissions:
contents: read
jobs:
release:
name: policy-scan
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: 'lts/*'
- name: Install Slauth
run: npm install -g @slauth.io/slauth
- name: Run Slauth
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
run: slauth scan -p aws -o ./policies.json .
- name: Upload Artifact
uses: actions/upload-artifact@v3
with:
name: policies
path: policies.json- Set your
OPENAI_API_KEYin the.envfile at the root of the project - Run
npm i - Install the
slauthCLI globally:npm install -g . - Compile tsc on file change:
npm run build-watch - Test it,
slauth -hshould work