snapcheck-cli


| Field | Value |
|-------|-------|
| Name | snapcheck-cli |
| Version | 1.1.0 |
| home_page | None |
| Summary | SnapCheck — Unified DevOps/MLOps Audit & Correlation Engine |
| upload_time | 2025-08-14 13:41:54 |
| maintainer | None |
| docs_url | None |
| author | SnapCheck Team |
| requires_python | >=3.9 |
| license | None |
| keywords | devops security kubernetes terraform cicd cost |
| VCS | |
| bugtrack_url | |
| requirements | No requirements were recorded. |
| Travis-CI | No Travis. |
| coveralls test coverage | No coveralls. |

# SnapCheck — Unified DevOps/MLOps Audit & Correlation Engine


> **One tool. One pass. Total visibility.**  
> SnapCheck is a modular, read-only audit platform for DevOps/MLOps estates.  
> It inspects Terraform, Kubernetes, Helm, CI/CD, Docker registries, secrets, AWS costs, and GitOps — then **correlates** signals to tell you *what broke, why, and what changed since last time*.

---

## 🌍 Why SnapCheck Exists

Modern engineering teams live across **10+ tools** — Terraform for infra, Kubernetes for workloads, GitHub for CI/CD, Helm for packaging, AWS Cost Explorer for finance, and so on.  
When something goes wrong, finding the *root cause* often means **hours of context switching** and digging through logs.

**SnapCheck fixes this by:**
- Pulling **signals from all your critical systems** in one pass.
- Correlating events into **human-readable storylines** (e.g., Terraform drift → Helm failure → CI/CD latency → cost anomaly).
- Producing **shareable, portable HTML & Markdown reports** for audits, reviews, and compliance.
- Enforcing **safe-by-default access** with OAuth + RBAC.

---

## 🚀 Core Features

| Capability | Highlights |
|------------|------------|
| **Terraform** | Local/remote `.tfstate`, drift detection, IAM wildcard/admin checks, stale resources, cost estimates |
| **Kubernetes** | Node readiness/pressure, pod health, restart spikes, PVC issues, DNS & service reachability, basic security context checks |
| **Helm** | List releases, detect failed upgrades, outdated charts, values drift |
| **CI/CD (GitHub)** | Longest jobs, average duration, flakiness, commit→deploy latency, branch protection enforcement |
| **Docker** | Remote registry scans (Docker Hub/GHCR), tags/manifests, metadata & CVEs |
| **Secrets** | GitHub Actions secrets, Kubernetes secrets, regex leak detection, age tracking |
| **Cost (AWS CE)** | Real monthly AWS spend by service, Terraform-managed vs unmanaged cost delta |
| **GitOps (Argo CD)** | App health, sync status, revision drift, failed syncs, auto-sync flag |
| **Correlation Engine** | Root cause vs symptom, regression detection, severity tagging |

---

## 🧰 Tech Stack (Quick Overview)

| Layer        | Tools & Libraries |
|--------------|-------------------|
| Core CLI     | Python 3.11+, Click, Rich, Jinja2 |
| Cloud APIs   | AWS boto3, GitHub REST API, Argo CD API |
| Kubernetes   | official `kubernetes` Python client |
| Security     | GitHub OAuth2, Starlette sessions, RBAC, JWT |
| Web UI       | FastAPI, TailwindCSS, Chart.js |
| Packaging    | pip, venv, Markdown, Mermaid |


---

## 🖥️ Architecture Overview

![Architecture Diagram](docs/img/architecture.png)

**How it works:**
1. `snapcheck run` loads a **profile** (YAML config for env, creds, modules).
2. Plugins run in parallel-ish to collect signals from their sources.
3. Correlation engine links findings into **storylines**.
4. Output generated in:
   - **Terminal**
   - **Markdown**
   - **HTML Dashboard** (Tailwind + Chart.js)
5. `.snapcheck/history/` stores past runs for trends & regression detection.

---

## 📦 Quick Start

### Install

**Recommended (pipx)** (requires Python 3.9+):

```bash
pipx install snapcheck-cli
snapcheck --help
```

**Upgrade:**

```bash
pipx upgrade snapcheck-cli
```

**Uninstall:**

```bash
pipx uninstall snapcheck-cli
```

**Windows note:** If `snapcheck` isn't found after install, run the following in PowerShell, then restart your terminal:

```powershell
pipx ensurepath
```

**From source (for contributors):**

```bash
git clone https://github.com/<your-org>/snapcheck.git
cd snapcheck
python -m venv venv
# Windows:
.\venv\Scripts\activate
# macOS/Linux:
# source venv/bin/activate
pip install -e .
snapcheck --help
```

**Configure and run:**

```bash
# 1. Create a profile
snapcheck init-profile --init-name prod --init-output profiles/prod.yaml --quickstart

# 2. Set environment variables
export SNAPCHECK_PROFILE=profiles/prod.yaml
export SNAPCHECK_OAUTH_CLIENT_ID=xxx
export SNAPCHECK_OAUTH_CLIENT_SECRET=xxx
export SNAPCHECK_SECRET_KEY="a_very_long_random"
export GITHUB_TOKEN="ghp_..."  # repo read + actions read

# Optional AWS/Argo creds
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export ARGOCD_TOKEN=...

# 3. Run audit
snapcheck run audit --modules all --output terminal

# 4. Serve dashboard
snapcheck serve --no-reload
```
---

## 📊 Example Audit Output

```text
🚀 SnapCheck Audit Complete — 24 findings, 6 critical
Terraform: 3 drifted resources (S3 bucket public, IAM wildcard policy)
Kubernetes: 2 pods CrashLoopBackOff
AWS Cost: +45% this month (EC2 spike)
HTML Report:
```

---

## 🔐 Security & Compliance

- **Authentication:** GitHub OAuth2 (scopes: `read:user`, `user:email`, `read:org` if org allowlist).
- **Authorization:** RBAC via YAML (viewer, engineer, admin).
- **Secrets:** Environment or vault only; no plaintext creds in repo.
- **Transport:** TLS recommended; `https_only: true` in production.
- **Data at Rest:** Reports can be kept offline or in private Pages/S3.
- **Audit Logging:** Pluggable backends (file/SQLite/S3) for access events.

Full details: docs/security.md

---

## 📚 Documentation

- Getting Started
- Architecture
- Profiles & Config
- Operations & Runbooks
- Plugin Reference
- Security
- FAQ

---

## 💡 Why Teams Use SnapCheck

- **Engineering:** Faster root cause analysis across tool boundaries.
- **SRE:** Audit and postmortem artifacts without piecing together CLI dumps.
- **Security:** Early detection of leaks, public exposures, and stale secrets.
- **Leadership:** Visibility into risk, cost anomalies, and trend regressions.

---

🀝 Contributing
We welcome issues, PRs, and discussions.
See docs/developer/contributing.md for details.

---

## 📜 License

MIT License — see LICENSE for details.


            
