
Compliance scanning for SaaS teams pursuing FedRAMP 20x — that lives in your repo, not a SaaS dashboard.

Pronounced "EF-ter-lev." From Swedish efterlevnad (compliance).

Efterlev reads your Terraform, classifies it against the 60 thematic Key Security Indicators, drafts FRMR-compatible attestations grounded in cited evidence, and proposes code-level remediations. Locally. No procurement cycle. No vendor account. Apache 2.0.

# install
pipx install efterlev

# run the full pipeline in your repo
cd path/to/your-repo
efterlev init --target . --force
export ANTHROPIC_API_KEY=sk-ant-...
efterlev report run

It targets FedRAMP 20x — the new authorization track that replaces narrative-heavy System Security Plans with measurable outcomes called Key Security Indicators. Most new SaaS authorizations starting in 2026 will target this track.

Everything runs locally. The only outbound network call is to your configured LLM endpoint — direct Anthropic API by default, or AWS Bedrock for FedRAMP-authorized GovCloud deployments. Scanner output is fully deterministic and offline.

How it's built

Three concepts. Everything else is implementation detail.

01 / Detectors
Evidence, deterministic

Read source material — Terraform, app code, CI configs — and emit typed evidence. The contributable layer: each detector is a self-contained folder.

02 / Primitives
Typed, MCP-exposed

~15–25 small, stable functions — scan, map, generate, validate. Both Efterlev's own agents and any MCP-capable agent (Claude Code, your own) can call them.

03 / Agents
Composed, auditable

Compose primitives to draft attestations, classify gaps, propose remediations. Every claim traces back through provenance to the source line that produced it.
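To make the detector-to-evidence-to-claim chain concrete, here is a small illustration written for this page; it is not Efterlev's own detector code or its evidence schema. It assumes a toy `Evidence` record, a constructed Terraform file labelled `main.tf`, and one hypothetical KSI-style rule ("every `aws_s3_bucket` is referenced by an `aws_s3_bucket_versioning` resource with `status = "Enabled"`"). The scan is line-based and deterministic, and every finding cites the file and line that produced it.

```python
"""Toy Terraform evidence detector with line-level provenance (illustration, not Efterlev code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input; the trailing comment on the last bucket is deliberate.
SAMPLE_TF = """\
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
}

resource "aws_s3_bucket_versioning" "logs" {
  bucket = aws_s3_bucket.logs.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket" "scratch" {
  bucket = "example-scratch"   # no versioning resource references this bucket
}
"""


@dataclass(frozen=True)
class Evidence:
    """Typed evidence: what was found and exactly where (hypothetical shape)."""
    kind: str           # "resource" (a declaration) or "attribute" (a watched key/value)
    resource_type: str
    resource_name: str
    key: str
    value: str
    path: str
    line: int
    source: str         # the exact source line, for provenance


RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([^"]*?)"?\s*$')
REF_RE = re.compile(r'^aws_s3_bucket\.([A-Za-z0-9_-]+)\.(id|bucket)$')

# (resource type, attribute) pairs this toy detector records.
WATCHED = {
    ("aws_s3_bucket_versioning", "bucket"),
    ("aws_s3_bucket_versioning", "status"),
}


def scan(text: str, path: str) -> list[Evidence]:
    """Deterministic, offline scan: track the enclosing resource by brace depth."""
    out: list[Evidence] = []
    current: tuple[str, str] | None = None
    depth = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # toy comment stripping; ignores '#' inside strings
        header = RESOURCE_RE.match(line)
        if header and depth == 0:
            current = (header.group(1), header.group(2))
            out.append(Evidence("resource", *current, "declared", "", path, lineno, raw.strip()))
        elif current is not None:
            attr = ATTR_RE.match(line)
            if attr and (current[0], attr.group(1)) in WATCHED:
                out.append(Evidence("attribute", *current, attr.group(1), attr.group(2),
                                    path, lineno, raw.strip()))
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return sorted(out, key=lambda e: (e.path, e.line))


def check_versioning(evidence: list[Evidence]) -> list[dict]:
    """Hypothetical KSI-style rule: each aws_s3_bucket needs an Enabled versioning resource.

    Every finding cites the bucket declaration and, when satisfied, the status line."""
    buckets = {e.resource_name: e for e in evidence
               if e.kind == "resource" and e.resource_type == "aws_s3_bucket"}
    per_versioning: dict[str, dict[str, Evidence]] = {}
    for e in evidence:
        if e.kind == "attribute" and e.resource_type == "aws_s3_bucket_versioning":
            per_versioning.setdefault(e.resource_name, {})[e.key] = e
    enabled: dict[str, Evidence] = {}
    for attrs in per_versioning.values():
        ref, status = attrs.get("bucket"), attrs.get("status")
        m = REF_RE.match(ref.value) if ref else None
        if m and status and status.value == "Enabled":
            enabled[m.group(1)] = status
    findings = []
    for name in sorted(buckets):
        cites = [f"{buckets[name].path}:{buckets[name].line}"]
        ok = name in enabled
        if ok:
            cites.append(f"{enabled[name].path}:{enabled[name].line}")
        findings.append({"bucket": name, "satisfied": ok, "cites": cites})
    return findings


if __name__ == "__main__":
    for finding in check_versioning(scan(SAMPLE_TF, "main.tf")):
        print(finding)
```

The split between `scan` (evidence only, no judgement) and `check_versioning` (a rule over evidence) mirrors the detector/agent separation described above: the detector's output is reproducible byte for byte, and any claim an agent drafts from it can be traced back to `main.tf:<line>`.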

What it does, what it doesn't

Does

  • Scans Terraform & OpenTofu for control evidence
  • Drafts attestations grounded in cited evidence
  • Proposes code-level remediation diffs
  • Traces every claim to its source line (provenance)
  • Exposes its primitives over MCP for Claude Code

Doesn't

  • Produce an Authorization to Operate — humans and 3PAOs do that
  • Certify compliance — it accelerates the human review cycle
  • Cover SOC 2, ISO 27001, HIPAA — depth in gov frameworks, not breadth
  • Scan live cloud infrastructure yet — v1.5

Status

v0.1 — early release. Six detectors, three agents, FedRAMP-aligned, AWS + Terraform only. Stable surface: primitive interface, detector contract, provenance model, output formats. Changing surface: detector content, agent prompts, CLI ergonomics.