CLI reference¶
Run efterlev --help, or efterlev <command> --help for any command's flags.
Every command runs locally; only the agent commands and report run make an
outbound call (to your configured LLM endpoint).
Explore & onboard¶
efterlev studio— open the local browser visualization (Efterlev Studio);--live(spawn + stream a pipeline),--watch <event-log>(attach mode: tail an externally-driven pipeline's events; the path the AI install prompt uses),--sample,--poster <path>,--no-open,--port.efterlev quickstart— run init + scan against a bundled fixture (no API key needed).efterlev shell— interactive REPL over the whole command surface, with workspace status and next-step hints.efterlev doctor— pre-flight check (Python, FRMR cache, API-key shape, Bedrock creds, LLM ping).
Plan before you scan (no workspace, no key)¶
efterlev plan— KSI work-breakdown map: evidenced-automatically vs. manifest-needed vs. CSP-inherited.efterlev catalog— every KSI by theme, with its evidence type and mapped 800-53 controls.
Workspace¶
efterlev init— scaffold.efterlev/, load catalogs, write config (--baseline,--llm-backend,--force).efterlev boundary discover— surface candidate in-boundary dependencies from your IaC (external providers, cross-account refs, remote state, SaaS endpoints, external data sources). Reconnaissance, not auto-scoping; no workspace needed.--json.efterlev boundary set— declare authorization scope with--includeglobs.efterlev scope— inspect / manage CSP-inherited controls.
Scan & ingest evidence¶
efterlev scan— run all detectors over Terraform / CloudFormation / CDK source (and.github/workflows/);--plan <plan.json>for module-composed codebases.efterlev scan-diff— compare two scans for drift / CI gating.efterlev import-security-hub <findings.json>— ingest AWS Security Hub (ASFF) findings.efterlev import-config <evaluations.json>— ingest AWS Config evaluations.efterlev import-prowler <findings.json>— ingest Prowler native JSON.
Reason (LLM-backed agents)¶
efterlev agent gap— classify each KSI's posture (Gap Agent, Opus 4.7).efterlev agent document— draft FRMR-compatible attestation JSON + HTML (Documentation Agent, Sonnet 4.6).efterlev agent remediate --ksi <KSI>— propose a Terraform diff that closes a gap (Remediation Agent, Opus 4.7).
Outputs & artifacts¶
efterlev poam— reviewer-ready POA&M markdown for every open KSI.efterlev oscal export --kind poam|component-definition— OSCAL 1.0.4 artifacts.efterlev vdr— Vulnerability Disclosure Report.efterlev inventory— resource inventory report.efterlev next— your ranked next steps: the single most important action plus an impact-ordered worklist, each with the exact command; re-ranks as you close items.--json,--limit.efterlev readiness— 0–100% scorecard + top blockers (--strictfor the RFC-0017 gate).efterlev submission package— bundle the latest artifacts into a 3PAO handoff zip.efterlev manifests scaffold— batch-scaffold a fillable stub for every procedural KSI that doesn't have a manifest yet; deliberately non-substantive (TODO placeholders) until you fill it in.efterlev manifests status— completion tracker for procedural manifests:ready/thin/missing.--json.efterlev manifests draft <KSI>— interactively scaffold one manifest with real answers (clean, no placeholders).efterlev manifests validate <path>— schema validation + substantiveness warnings (named attester, review cadence, supporting docs).
Trust, provenance & ops¶
efterlev provenance show <prefix>/efterlev provenance verify— walk any claim back to source; tamper-evidence sweep.efterlev redaction review— audit the LLM-prompt secret-redaction log.efterlev detectors new <id>/efterlev detectors show <id>— scaffold / inspect detectors.efterlev report run— full pipeline:init → scan → gap → document → poam → oscal(--watch,--skip-*).efterlev start— guided first-run entry point.efterlev mcp serve— expose every primitive as an MCP tool over stdio.