Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,23 @@ All notable changes to Shasta are documented here. Format follows
[Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and the project
adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## Unreleased

### Added
- Add GCP compliance scanning coverage across IAM, networking, storage,
encryption, logging, compute, and Cloud Run, including CIS GCP mappings,
Google provider Terraform remediation templates, GCP dependencies, and
GCP smoke/functional tests.

### Fixed
- Surface GCP domain, project, IAM, and GCS per-resource API failures as
`NOT_ASSESSED` findings instead of silently dropping checks or reporting
false `PASS` results.
- Use Cloud Resource Manager's `projects/NUMBER` resource name when recording
GCP project numbers.
- Render GCP provider labels and CIS GCP controls in Markdown, HTML,
consolidated reports, and dashboard finding details.

## [1.9.0] — 2026-05-05 — Voice console (opt-in)

### Added
Expand Down
38 changes: 23 additions & 15 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,9 @@
**Multi-Cloud Compliance Automation, Claude-Native**

AI-native compliance toolkit — SOC 2, ISO 27001, HIPAA, ISO 42001, and EU AI Act
across AWS and Azure. Through conversation, not dashboards — including an opt-in
**voice console** (`python -m shasta.voice`) that lets you talk to your compliance
posture hands-free. From the team at [Transilience.ai](https://www.transilience.ai).
across AWS, Azure, and GCP. Through conversation, not dashboards — including an
opt-in **voice console** (`python -m shasta.voice`) that lets you talk to your
compliance posture hands-free. From the team at [Transilience.ai](https://www.transilience.ai).

[![Built by Transilience](https://img.shields.io/badge/Built%20by-Transilience.ai-4A90D9)](https://www.transilience.ai)
[![CI](https://github.com/transilienceai/shasta/actions/workflows/integrity.yml/badge.svg)](https://github.com/transilienceai/shasta/actions/workflows/integrity.yml)
Expand All @@ -24,7 +24,7 @@ posture hands-free. From the team at [Transilience.ai](https://www.transilience.

> 📹 **See it in action:** [60-second walkthrough of the voice console](./docs/media/shasta-voice-demo.mp4) — talk to your compliance posture, drill into findings, manage the risk register hands-free. Also attached as a release asset on the [v1.9.0 GitHub Release](https://github.com/transilienceai/shasta/releases/tag/v1.9.0).

Shasta scans your cloud infrastructure for SOC 2, ISO 27001, HIPAA, ISO 42001, EU AI Act, OWASP LLM Top 10 and more. It covers 13 compliance frameworks, 221 automated checks, and 199 security questionnaire answers — with a web dashboard, an opt-in voice console, 112 Terraform remediation templates, and auditor-grade evidence. Application source-code AI scanning lives in the separate [Whitney](https://github.com/transilienceai/whitney) project (`pip install whitney`). Built for founders running <50 employee companies who need compliance without the $30K/year Vanta bill.
Shasta scans your cloud infrastructure for SOC 2, ISO 27001, HIPAA, ISO 42001, EU AI Act, OWASP LLM Top 10 and more. It covers 13 compliance frameworks, 267 automated checks, and 199 security questionnaire answers — with a web dashboard, an opt-in voice console, 132 Terraform remediation templates, and auditor-grade evidence. Application source-code AI scanning lives in the separate [Whitney](https://github.com/transilienceai/whitney) project (`pip install whitney`). Built for founders running <50 employee companies who need compliance without the $30K/year Vanta bill.

> **Three load-bearing artifacts at the repo root, in order of what to read:**
> [`README.md`](./README.md) (this file — what it does) →
Expand Down Expand Up @@ -56,7 +56,7 @@ For application source-code AI security scanning — prompt injection detection,

## Platform Capabilities

### 1. Multi-Cloud Security Scanning (5 Domains, 174+ Checks)
### 1. Multi-Cloud Security Scanning (5 Domains, 267+ Checks)

#### AWS Checks (40+)

Expand Down Expand Up @@ -184,7 +184,7 @@ Attack surface analysis that produces auditor-grade pen test evidence:
### 11. Risk Register (SOC 2 CC3.1)

Automated risk management workflow required for SOC 2 Risk Assessment:
- **Auto-seeds from scan findings** — failing checks automatically create risk items with pre-mapped likelihood, impact, and treatment plans (34 check-to-risk mappings across AWS + Azure)
- **Auto-seeds from scan findings** — failing checks automatically create risk items with pre-mapped likelihood, impact, and treatment plans (34 check-to-risk mappings across AWS, Azure, and GCP)
- **Risk scoring** — 3x3 likelihood/impact matrix (1-9 score, low/medium/high levels)
- **Treatment tracking** — mitigate, accept, transfer, or avoid with documented plans
- **Status workflow** — open → in_progress → accepted/resolved
Expand Down Expand Up @@ -254,7 +254,8 @@ git clone https://github.com/kkmookhey/shasta.git
cd shasta
pip install -e ".[dev]" # Core + dev tools
pip install -e ".[azure]" # Add Azure support (optional)
pip install -e ".[dev,azure]" # Everything
pip install -e ".[gcp]" # Add GCP support (optional)
pip install -e ".[dev,azure,gcp]" # Everything

# 2a. Configure AWS (read-only access)
aws configure --profile shasta
Expand All @@ -264,10 +265,15 @@ aws configure --profile shasta
az login
az account show # Note your subscription_id and tenant_id

# 2c. Configure GCP (read access via Application Default Credentials)
gcloud auth application-default login
gcloud config set project YOUR_PROJECT_ID

# 3. Open Claude Code and run
/connect-aws # Validate AWS credentials, discover services
/connect-azure # Validate Azure credentials, discover services
/scan # Full SOC 2 compliance scan (AWS, Azure, or both)
/connect-gcp # Validate GCP credentials, discover project and services
/scan # Full SOC 2 compliance scan (AWS, Azure, GCP, or any combination)
/gap-analysis # Interactive gap analysis with AI guidance
/report # Generate PDF/HTML/MD reports
/remediate # Get Terraform fixes for findings
Expand Down Expand Up @@ -302,7 +308,8 @@ Skills are the building blocks Claude uses behind the scenes. You can invoke the
|-------|-------------|--------|
| `/connect-aws` | Validate AWS credentials, discover account topology and services | Account info, service list |
| `/connect-azure` | Validate Azure credentials, discover subscription and services | Subscription info, service list |
| `/scan` | Run all compliance checks across AWS and/or Azure (IAM, network, storage, encryption, monitoring) | Findings with AI explanations |
| `/connect-gcp` | Validate GCP credentials, discover project and enabled services | Project info, service list |
| `/scan` | Run all compliance checks across AWS, Azure, and/or GCP (IAM, network, storage, encryption, monitoring) | Findings with AI explanations |
| `/gap-analysis` | Interactive SOC 2 gap analysis with control-by-control walkthrough | Gap analysis report |
| `/report` | Generate compliance reports in all formats | MD, HTML, PDF files |
| `/remediate` | Interactive remediation with Terraform code and step-by-step instructions | Terraform bundle + guidance |
Expand Down Expand Up @@ -330,14 +337,14 @@ For a **<50 employee startup** pursuing compliance:

| Category | Coverage | Method |
|----------|----------|--------|
| Technical cloud controls | ~90% | 190+ automated checks across AWS and Azure (full CIS AWS v3.0 + CIS Azure v3.0 coverage, including EC2/EKS/ECS hardening, KMS posture, CIS 4.x CloudWatch alarms, CloudFront, Redshift, ElastiCache, Neptune, Lambda Function URL auth, S3 Object Ownership, AWS Backup cross-region copy + access policy) |
| Technical cloud controls | ~90% | 267+ automated checks across AWS, Azure, and GCP (full CIS AWS v3.0 + CIS Azure v3.0 coverage plus CIS GCP mappings, including EC2/EKS/ECS hardening, KMS posture, CIS 4.x CloudWatch alarms, CloudFront, Redshift, ElastiCache, Neptune, Lambda Function URL auth, S3 Object Ownership, AWS Backup cross-region copy + access policy) |
| Policy/process controls | ~80% | 8 generated policy documents |
| Continuous monitoring | ~90% | 12 Config Rules + 6 EventBridge rules + GuardDuty + Inspector + Azure Defender (per-plan) + Azure Policy + CIS 5.2.x Activity Log alerts |
| Audit evidence | ~85% | Control tests, evidence snapshots (AWS + Azure), access reviews, reports |
| Vulnerability management | ~85% | Inspector + SBOM + OSV.dev + CISA KEV |
| Supply chain security | ~80% | SBOM discovery + known-compromised DB + live scanning |
| Change management | ~80% | GitHub integration + CloudTrail + Config + Azure Activity Log |
| Remediation guidance | ~90% | 112 Terraform templates (81 AWS + 31 Azure azurerm) covering CloudTrail/KMS/Object Lock, Security Hub, Access Analyzer, EC2 IMDSv2 + instance profiles, EKS private endpoint + audit logging + secrets KMS, ECS task hardening, KMS rotation + key policy + scheduled deletion, IAM policy wildcards + role trust + unused roles, CIS 4.x CloudWatch alarms, Config conformance packs, CloudFront HTTPS+TLS+WAF+OAC, Redshift encryption+public-access+audit+SSL, ElastiCache TLS+at-rest+AUTH, Neptune encryption, RDS force_ssl + log_settings + min TLS, Lambda Function URL auth + layer origin, API Gateway client cert + authorizer + throttling + request validation, S3 Object Ownership + access logging + KMS-CMK, AWS Backup cross-region copy + access policy, EFS/SNS/SQS/Secrets/ACM, ELB v2 TLS+logs+headers, RDS deep+IAM auth+PITR, Lambda runtime+CMK+DLQ, API Gateway WAF+logging, AWS Backup vault lock, VPC endpoints, CloudWatch Logs KMS+retention, AWS Org SCPs+tag policies — plus the full Azure set |
| Remediation guidance | ~90% | 132 Terraform templates (81 AWS + 31 Azure azurerm + 20 GCP google) covering CloudTrail/KMS/Object Lock, Security Hub, Access Analyzer, EC2 IMDSv2 + instance profiles, EKS private endpoint + audit logging + secrets KMS, ECS task hardening, KMS rotation + key policy + scheduled deletion, IAM policy wildcards + role trust + unused roles, CIS 4.x CloudWatch alarms, Config conformance packs, CloudFront HTTPS+TLS+WAF+OAC, Redshift encryption+public-access+audit+SSL, ElastiCache TLS+at-rest+AUTH, Neptune encryption, RDS force_ssl + log_settings + min TLS, Lambda Function URL auth + layer origin, API Gateway client cert + authorizer + throttling + request validation, S3 Object Ownership + access logging + KMS-CMK, AWS Backup cross-region copy + access policy, EFS/SNS/SQS/Secrets/ACM, ELB v2 TLS+logs+headers, RDS deep+IAM auth+PITR, Lambda runtime+CMK+DLQ, API Gateway WAF+logging, AWS Backup vault lock, VPC endpoints, CloudWatch Logs KMS+retention, AWS Org SCPs+tag policies — plus the full Azure and GCP sets |
| Security questionnaires | ~70% | 199 questions auto-filled from scan evidence (SIG Lite, CAIQ, Enterprise) |
| AI governance | ~85% | Cloud AI checks (Bedrock + SageMaker + Azure OpenAI + Azure ML) + AI SBOM, 7 frameworks (ISO 42001, EU AI Act, NIST AI RMF, NIST AI 600-1, OWASP LLM Top 10, OWASP Agentic Top 10, MITRE ATLAS); application source-code prompt-injection scanning lives in the standalone Whitney scanner (separate repo) |
| Visual dashboard | Yes | FastAPI + Tailwind + Chart.js at localhost:8080 |
Expand Down Expand Up @@ -659,7 +666,7 @@ Tier 2 and 3 used 4 parallel agents in isolated worktrees for maximum throughput
| Terraform templates | 14 | 36 | **36** |
| Unit tests | 9 | 100 | **100** |
| Compliance frameworks | 1 (SOC 2) | 2 (SOC 2 + ISO 27001) | **5** (+ HIPAA, ISO 42001, EU AI Act) |
| Cloud providers | 1 (AWS) | 2 (AWS + Azure) | **2** |
| Cloud providers | 1 (AWS) | 2 (AWS + Azure) | **3** (AWS + Azure + GCP) |

### Token Consumption Estimate

Expand Down Expand Up @@ -717,7 +724,8 @@ shasta/
├── .claude/skills/ # Claude Code skills (auto-discovered)
│ ├── connect-aws/SKILL.md # AWS connection and validation
│ ├── connect-azure/SKILL.md # Azure connection and validation
│ ├── scan/SKILL.md # Full compliance scan (AWS + Azure)
│ ├── connect-gcp/SKILL.md # GCP connection and validation
│ ├── scan/SKILL.md # Full compliance scan (AWS + Azure + GCP)
│ ├── gap-analysis.md # Interactive gap analysis
│ ├── report.md # Report generation (MD/HTML/PDF)
│ ├── remediate.md # Terraform remediation guidance
Expand Down Expand Up @@ -790,7 +798,7 @@ shasta/
│ └── azure-test-env/ # Azure test environment
│ └── main.tf # Azure test resources (compliant + non-compliant)
├── tests/ # pytest test suite (500+ tests)
├── tests/ # pytest test suite (720+ tests)
│ ├── conftest.py
│ ├── test_aws/
│ │ ├── test_client.py # AWS client tests (moto)
Expand Down Expand Up @@ -864,7 +872,7 @@ shasta/
- [ ] Network ACL checks (AWS)

### Medium Term
- [ ] GCP scanning modules
- [x] ~~GCP scanning modules~~ — IAM, networking, storage, encryption, monitoring, compute, and Cloud Run checks with CIS GCP mappings
- [ ] Okta integration (identity provider checks)
- [ ] Google Workspace integration
- [ ] Trust center page generation
Expand Down
10 changes: 5 additions & 5 deletions TRUST.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ forward-looking discipline. Principles say what we promise to do.
Trust says how you check that we did it.

For the Whitney AI scanner's specific validation story (vulnerability
fixtures, live cloud validation against AWS + Azure, dual-engine
fixtures, live cloud validation across AWS, Azure, and GCP, dual-engine
Semgrep architecture), see the standalone Whitney repo at
[github.com/transilienceai/whitney](https://github.com/transilienceai/whitney).
(`src/whitney/TRUST.md` was retired in the 2026-04-13 Whitney/Shasta split.)
Expand All @@ -21,9 +21,9 @@ Semgrep architecture), see the standalone Whitney repo at

Shasta and Whitney together ship the following, all integrity-tested:

- **221 check functions** (221 cloud compliance + 0 AI governance — Whitney now ships as a separate repo at [github.com/transilienceai/whitney](https://github.com/transilienceai/whitney); install with `pip install whitney` for source-code scanning)
- **112 Terraform remediation templates** (81 AWS + 31 Azure)
- **706 tests** that all pass on every commit
- **267 check functions** (267 cloud compliance + 0 AI governance — Whitney now ships as a separate repo at [github.com/transilienceai/whitney](https://github.com/transilienceai/whitney); install with `pip install whitney` for source-code scanning)
- **132 Terraform remediation templates** (81 AWS + 31 Azure + 20 GCP)
- **814 tests** that all pass on every commit

None of the claims in this README are written by hand and hoped-for —
every numeric claim is AST-counted from source by an integrity test
Expand Down Expand Up @@ -58,7 +58,7 @@ Every finding is produced by:

| Mechanism | Used in |
|---|---|
| `boto3` / `azure.mgmt.*` SDK calls | All AWS / Azure cloud checks |
| `boto3` / `azure.mgmt.*` / Google Cloud SDK calls | AWS, Azure, and GCP cloud checks |
| Semgrep AST-based pattern matching (with regex fallback) | Whitney code scanning |
| Dictionary lookups | Framework control mapping |
| Arithmetic | Compliance scoring |
Expand Down
6 changes: 6 additions & 0 deletions pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,12 @@ azure = [
"azure-mgmt-security>=6.0.0",
"msgraph-sdk>=1.5.0",
]
gcp = [
"google-auth>=2.29.0",
"google-api-python-client>=2.128.0",
"google-cloud-storage>=2.16.0",
"google-auth-httplib2>=0.2.0",
]
dashboard = [
"fastapi>=0.115.0",
"uvicorn>=0.32.0",
Expand Down
3 changes: 3 additions & 0 deletions src/shasta/dashboard/routes.py
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ def _enrich_all_frameworks(findings):
enrich_findings_with_hipaa(findings)
return findings


router = APIRouter()


Expand Down Expand Up @@ -195,6 +196,7 @@ async def finding_detail(request: Request, finding_id: str):

# Get mapped controls
soc2_controls = finding.soc2_controls
cis_gcp_controls = finding.cis_gcp_controls
iso_controls = finding.details.get("iso27001_controls", [])
hipaa_controls = finding.details.get("hipaa_controls", [])

Expand All @@ -204,6 +206,7 @@ async def finding_detail(request: Request, finding_id: str):
"request": request,
"finding": finding,
"soc2_controls": soc2_controls,
"cis_gcp_controls": cis_gcp_controls,
"iso_controls": iso_controls,
"hipaa_controls": hipaa_controls,
"details_json": json.dumps(finding.details, indent=2, default=str),
Expand Down
16 changes: 13 additions & 3 deletions src/shasta/dashboard/templates/finding_detail.html
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,7 @@ <h3 class="text-sm font-semibold text-gray-700 uppercase tracking-wider mb-4">Re
<!-- Controls -->
<div class="bg-white rounded-xl shadow-sm border border-gray-200 p-6 mb-6">
<h3 class="text-sm font-semibold text-gray-700 uppercase tracking-wider mb-4">Mapped Controls</h3>
<div class="grid grid-cols-1 md:grid-cols-3 gap-4">
<div class="grid grid-cols-1 md:grid-cols-4 gap-4">
{% if soc2_controls %}
<div>
<h4 class="text-xs font-medium text-gray-500 mb-2">SOC 2 Controls</h4>
Expand All @@ -113,6 +113,16 @@ <h4 class="text-xs font-medium text-gray-500 mb-2">SOC 2 Controls</h4>
</div>
</div>
{% endif %}
{% if cis_gcp_controls %}
<div>
<h4 class="text-xs font-medium text-gray-500 mb-2">CIS GCP Controls</h4>
<div class="flex flex-wrap gap-2">
{% for ctrl in cis_gcp_controls %}
<span class="px-3 py-1 rounded-lg text-xs font-medium bg-sky-50 text-sky-700 border border-sky-200">{{ ctrl }}</span>
{% endfor %}
</div>
</div>
{% endif %}
{% if iso_controls %}
<div>
<h4 class="text-xs font-medium text-gray-500 mb-2">ISO 27001 Controls</h4>
Expand All @@ -133,8 +143,8 @@ <h4 class="text-xs font-medium text-gray-500 mb-2">HIPAA Controls</h4>
</div>
</div>
{% endif %}
{% if not soc2_controls and not iso_controls and not hipaa_controls %}
<p class="text-sm text-gray-400 md:col-span-3">No control mappings available for this finding.</p>
{% if not soc2_controls and not cis_gcp_controls and not iso_controls and not hipaa_controls %}
<p class="text-sm text-gray-400 md:col-span-4">No control mappings available for this finding.</p>
{% endif %}
</div>
</div>
Expand Down
2 changes: 2 additions & 0 deletions src/shasta/evidence/models.py
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ class CloudProvider(str, Enum):

AWS = "aws"
AZURE = "azure"
GCP = "gcp"


class CheckDomain(str, Enum):
Expand Down Expand Up @@ -106,6 +107,7 @@ def not_assessed(
soc2_controls: list[str] = Field(default_factory=list) # e.g., ["CC6.1", "CC6.2"]
cis_aws_controls: list[str] = Field(default_factory=list) # e.g., ["1.4", "3.1"]
cis_azure_controls: list[str] = Field(default_factory=list) # e.g., ["1.1.4", "5.2.1"]
cis_gcp_controls: list[str] = Field(default_factory=list) # e.g., ["1.4", "3.6", "5.1"]
mcsb_controls: list[str] = Field(default_factory=list) # e.g., ["IM-6", "DP-5"]
iso27001_controls: list[str] = Field(default_factory=list) # e.g., ["A.8.5", "A.5.15"]
hipaa_controls: list[str] = Field(default_factory=list) # e.g., ["164.312(a)(1)", "164.312(e)(1)"]
Expand Down
1 change: 1 addition & 0 deletions src/shasta/gcp/__init__.py
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
"""GCP compliance scanning for Shasta."""
Loading