The whole system, one page
Attestral, laid out.
Every part of the system and how it fits: the pipeline from config to runtime policy, the twelve commands, the three review layers, the adversarial-validation loop, what it covers, and what it emits. A single map you can hold in your head. Everything here reflects the shipping CLI.
01 · the pipeline
From raw config to a runtime policy that catches drift.
One command flows through six stages. Nothing is hidden between them, and each stage reasons over the same system model.
Parse everything
Terraform, Kubernetes, MCP configs, prompts, agent settings, agent cards.
One graph
A SystemModel: components, edges, and trust boundaries.
Three layers
Deterministic rules, then optional ML and LLM. Tagged by origin.
Hash chain
Findings commit to a SHA-256 chain you verify offline.
Default-deny policy
The attested design becomes an mcp-guard (Attestral's runtime enforcement layer) policy, bound to the chain head.
Catch divergence
Runtime telemetry diffed against the policy: the running system diverging from the reviewed design gets caught. DRF-001..007.
02 · the commands
Twelve commands, the whole loop.
| Command | What it does | Key flags |
|---|---|---|
| scan | Review a project's security design. Prints to the terminal; writes files only when asked. | --local · -o/--format md|json|both|sarif|aibom|md-summary · --ml/--no-ml/--ml-engine · --aivss · --baseline · --fail-on · -q |
| fleet | Model several repos as one agent fleet and find flows that span them (ATL-213). | repo-a repo-b … · --fail-on · -o |
| accept | Accept a finding as documented risk, recorded on the evidence chain with a content pin. | path rule component · -r reason · --expires · --by |
| validate | Check whether an assembled attack path is reachable in the modeled design, and verify the fix. | --remediate · --action-space · --generate · --execute · --fail-on-reachable · -o |
| verify | Check a report's evidence chain, offline: integrity always, authenticity with a public key. | report.json · --public-key |
| sign | Sign the chain head (Ed25519 / DSSE) so it is authentic, not just tamper-evident. | --key · --gen-key · --signer · -o |
| remediate | The concrete source edit that clears each finding: the flag to flip, the value to replace, tied to its file. | --rule |
| fix | Compile the enforceable mcp-guard control that neutralizes each finding, bound to the chain head. | --rule · -o policy.yaml |
| compile | Turn the attested design into a default-deny mcp-guard policy. | -o policy.yaml |
| drift | Diff runtime telemetry against the compiled policy, batch or as a continuous sidecar. | --stdin · --watch · --fail-on-drift |
| explain | Inspect any rule: title, severity, fix, framework refs. | ATL-103 |
| init | Scaffold onboarding files (CI workflow, waivers, pre-commit) into a project. | -- |
03 · the review layers
Deterministic first. Model-reasoned, clearly labeled.
Regulated buyers can't accept "the AI said so," so every finding carries its origin. The deterministic core always runs and is reproducible; the reasoning layers are optional and tagged.
232 typed matchers
Fail-closed rules over the model, plus cross-server attack-path synthesis and the OWASP AIVSS (AI Vulnerability Scoring System) agentic risk score. origin: deterministic.
Prompt-injection classifier
Scores agentic text surfaces. Zero-dep heuristic runs by default; --ml-engine upgrades to ONNX or DeBERTa. origin: ml.
Elicitation + judge
Optional frontier-model threat elicitation and an LLM-as-judge that cross-examines findings. Needs a key. origin: llm.
04 · adversarial validation
Show the path is reachable, score it, verify the fix.
The differentiator: attestral validate doesn't stop at findings. It runs a full loop over a design you own.
Show it is reachable
Walk the path over the model's edges. Deterministic, zero-dep, no execution. Reachability is necessary, not sufficient, for exploitation. Committed to the evidence chain.
Draft the exploit
--generate: an LLM drafts the predicted payload and transcript. No live target, labeled predicted.
Sandbox harness
--execute: replay the path through stub tools with a planted canary and capture the transcript. Live-target execution stays gated.
--remediate names the minimal fix and verifies it by re-synthesis - strip the rung, rebuild the model, confirm the path is gone - and reports the AARS (Agentic AI Risk Score, 0–10) posture before vs after. --aivss ranks every agentic finding by an OWASP AIVSS score, mapped to an OWASP Agentic (ASI, the OWASP Agentic Security Initiative) / LLM Top-10 category. See it live on the proof page.
05 · coverage
232 checks, balanced by strategy.
The agentic and cross-boundary rules are the moat; the cloud packs are parity, not an arms race. Every rule cites a real control and ships with a fixture. 21 framework families.
06 · outputs
Terminal-first, machine-ready.
Nothing is written to disk unless you ask. When you do, the same findings render into every format a pipeline speaks.
aivss
SARIF GitHub Code Scanning (rank + aivss)
AI-BOM AI Bill of Materials, CycloneDX 1.6
Evidence chain SHA-256, verify offline
mcp-guard policy default-deny, from compile
Why it's hard to copy
It reasons over a model, not a file.
Every scanner flags configs. Attestral builds a system model of the agent, its tools, and the cloud they can reach, then reasons across it. That is where the uncopyable findings live, the ones that exist in no single file.
- Cross-boundary reachability: an agent's credentials reaching over-permissive cloud
- Reachable attack paths: walked and attested, not just flagged
- Verified remediation: the fix, verified to close the path by re-synthesis
- Compile-to-policy + drift: the review becomes the runtime policy
07 · go deeper