ASH (Automated Security Helper) is a security scanning tool designed to help you identify potential security issues in your code, infrastructure, and IAM configurations as early as possible in your development process.
local, container, or precommit mode depending on your needsASH v3 integrates multiple open-source security tools as scanners. Tools like Bandit, Checkov, and Semgrep are managed via UV's tool isolation system, which automatically installs and runs them in isolated environments without affecting your project dependencies:
| Scanner | Type | Languages/Frameworks | Installation (Local Mode) |
|---|---|---|---|
| Bandit | SAST | Python | Managed via UV tool isolation (auto-installed: bandit>=1.7.0) |
| Semgrep | SAST | Python, JavaScript, TypeScript, Java, Go, C#, Ruby, PHP, Kotlin, Swift, Bash, and more | Managed via UV tool isolation (auto-installed: semgrep>=1.125.0) |
| detect-secrets | Secrets | All text files | Included with ASH |
| Checkov | IaC, SAST | Terraform, CloudFormation, Kubernetes, Dockerfile, ARM Templates, Serverless, Helm, and more | Managed via UV tool isolation (auto-installed: checkov>=3.2.0,<4.0.0) |
| cfn_nag | IaC | CloudFormation | gem install cfn-nag |
| cdk-nag | IaC | CloudFormation | Included with ASH |
| npm-audit | SCA | JavaScript/Node.js | Install Node.js/npm |
| Grype | SCA | Python, JavaScript/Node.js, Java, Go, Ruby, and more | See Grype Installation |
| Syft | SBOM | Python, JavaScript/Node.js, Java, Go, Ruby, and more | See Syft Installation |
| Mode | Requirements | Notes |
|---|---|---|
| Local | Python 3.10+, UV package manager | Some scanners require additional tools (see table above) |
| Container | Any OCI-compatible container runtime (Finch, Docker, Podman, etc.) | On Windows: WSL2 is typically required |
| Precommit | Python 3.10+, UV package manager | Subset of scanners, optimized for speed |
# Install uv on Linux/macOS if it isn't installed already
curl -sSfL https://astral.sh/uv/install.sh | sh
# Create an alias for ASH
alias ash="uvx git+https://github.com/awslabs/automated-security-helper.git@v3.5.6"
# Install uv on Windows with PowerShell if it isn't installed already
irm https://astral.sh/uv/install.ps1 | iex
# Create a function for ASH
function ash { uvx git+https://github.com/awslabs/automated-security-helper.git@v3.5.6 $args }
Floating tag
v3: We also maintain av3floating tag that always points to the latest stable v3.x release. You can use@v3instead of@v3.5.6to stay up to date automatically. Pin a specific version (e.g.,@v3.5.6) when you need reproducible builds.
Click to expand other installation options
brew tap awslabs/automated-security-helper https://github.com/awslabs/automated-security-helper.git
brew install ash
pipx# Install with pipx (isolated environment)
pipx install git+https://github.com/awslabs/automated-security-helper.git@v3.0,1
# Use as normal
ash --help
pippip install git+https://github.com/awslabs/automated-security-helper.git@v3.5.6
git clone https://github.com/awslabs/automated-security-helper.git --branch v3.5.6
cd automated-security-helper
pip install .
# Run a scan in local mode (Python only)
ash --mode local
# Run a scan in container mode (all tools)
ash --mode container
# Run a scan in precommit mode (fast subset of tools)
ash --mode precommit
ASH Scan Results Summary
┏━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━┳━━━━━━━━┳━━━━━┳━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━━━━━┓
┃ Scanner ┃ Suppressed ┃ Critical ┃ High ┃ Medium ┃ Low ┃ Info ┃ Duration ┃ Actionable ┃ Result ┃ Threshold ┃
┡━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━╇━━━━━━━━╇━━━━━╇━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━━━━━┩
│ bandit │ 7 │ 0 │ 1 │ 0 │ 56 │ 0 │ 19.9s │ 1 │ FAILED │ MEDIUM (global) │
│ cdk-nag │ 0 │ 0 │ 30 │ 0 │ 0 │ 5 │ 48.7s │ 30 │ FAILED │ MEDIUM (global) │
│ cfn-nag │ 0 │ 0 │ 0 │ 15 │ 0 │ 0 │ 45.1s │ 15 │ FAILED │ MEDIUM (global) │
│ checkov │ 10 │ 0 │ 25 │ 0 │ 0 │ 0 │ 38.9s │ 25 │ FAILED │ MEDIUM (global) │
│ detect-secrets │ 0 │ 0 │ 48 │ 0 │ 0 │ 0 │ 18.9s │ 48 │ FAILED │ MEDIUM (global) │
│ grype │ 0 │ 0 │ 2 │ 1 │ 0 │ 0 │ 40.3s │ 3 │ FAILED │ MEDIUM (global) │
└────────────────┴────────────┴──────────┴──────┴────────┴─────┴──────┴──────────┴────────────┴────────┴─────────────────┘
source-dir: '.'
output-dir: '.ash/ash_output'
=== ASH Scan Completed in 1m 6s: Next Steps ===
View detailed findings...
- SARIF: '.ash/ash_output/reports/ash.sarif'
- JUnit: '.ash/ash_output/reports/ash.junit.xml'
- ASH aggregated results JSON available at: '.ash/ash_output/ash_aggregated_results.json'
=== Actionable findings detected! ===
To investigate...
1. Open one of the summary reports for a user-friendly table of the findings:
- HTML report of all findings: '.ash/ash_output/reports/ash.html'
- Markdown summary: '.ash/ash_output/reports/ash.summary.md'
- Text summary: '.ash/ash_output/reports/ash.summary.txt'
2. Use ash report to view a short text summary of the scan in your terminal
3. Use ash inspect findings to explore the findings interactively
4. Review scanner-specific reports and outputs in the '.ash/ash_output/scanners' directory
=== ASH Exit Codes ===
0: Success - No actionable findings or not configured to fail on findings
1: Error during execution
2: Actionable findings detected when configured with `fail_on_findings: true`. Default is True. Current value: True
ERROR (2) Exiting due to 122 actionable findings found in ASH scan
ASH includes a Model Context Protocol (MCP) server that enables AI assistants to perform security scans and analyze results through a standardized interface. This allows you to integrate ASH with AI development tools like Amazon Q CLI, Claude Desktop, and Cline (VS Code).
The ASH MCP server provides:
uv from Astral or the GitHub READMEuv python install 3.10 (or a more recent version)Amazon Q Developer CLI - Add to ~/.aws/amazonq/mcp.json:
{
"mcpServers": {
"ash": {
"command": "uvx",
"args": [
"--from=git+https://github.com/awslabs/automated-security-helper@v3.5.6",
"ash",
"mcp"
],
"disabled": false,
"autoApprove": []
}
}
}
Claude Desktop - Add to claude_desktop_config.json:
{
"mcpServers": {
"ash-security": {
"command": "uvx",
"args": [
"--from=git+https://github.com/awslabs/automated-security-helper@v3.5.6",
"ash",
"mcp"
]
}
}
}
Cline (VS Code): ```json { "mcpServers": {
$ claude mcp add automated-security-helper \
-- python -m otcore.mcp_server <graph>