AIB builds a dependency graph from your infrastructure-as-code and stores it in SQLite. From that graph you can inspect blast radius, drift, certificate expiry, and security findings — all from one tool.

Part of the "in a box" toolkit alongside SIB and NIB.

# Install
git clone https://github.com/matijazezelj/aib.git && cd aib && make build
# or: go install github.com/matijazezelj/aib/cmd/aib@latest
# or: docker compose -f deploy/docker-compose.yml up --build

# Scan & explore
aib scan terraform /path/to/terraform.tfstate
aib scan k8s /path/to/manifests/
aib serve   # http://localhost:8080

Typical workflow: scan sources → query the graph or open the UI → run graph audit → re-scan to track drift.

AIB can run in pull requests as a thin wrapper around the CLI: scan IaC, generate Markdown/JSON reports, upload artifacts, and update one stable PR comment.

name: AIB Infra Scan

on:
  pull_request:
    paths:
      - "**/*.tfstate"
      - "**/*tfplan*.json"
      - "**/*.yaml"
      - "**/*.yml"
      - "**/docker-compose*.yml"

permissions:
  contents: read
  pull-requests: write

jobs:
  aib:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: matijazezelj/aib@v1.4.4
        with:
          paths: .
          sources: auto
          comment-pr: true
          fail-on: critical

Use the release tag that contains the Action. After a moving v1 major tag is published, matijazezelj/aib@v1 is also suitable for users who prefer automatic minor updates.

Full action docs: docs/github-action.md

AIB ships with seven parsers. Pass multiple paths to any scanner; cross-file references are resolved automatically.

# Examples
aib scan auto .                                      # detect supported IaC files
aib scan terraform *.tfstate                         # multiple state files
aib scan terraform --remote --workspace='*' project/ # remote backends
aib scan k8s manifests/ --helm --values=values.yaml  # Helm chart
aib scan k8s --live --namespace=app                  # live cluster
aib scan ansible inventory.ini --playbooks=./playbooks/
aib scan compose docker-compose.yml
aib scan cloudformation vpc.yaml database.json
aib scan pulumi stack-export.json

Full scanner documentation: docs/scanners.md

aib graph show                             # summary (counts by type)
aib graph nodes --type=vm --source=terraform
aib graph edges --type=depends_on
aib graph neighbors tf:vm:web-prod-1       # direct neighbors
aib graph path <from-id> <to-id>           # shortest path
aib graph deps <node-id> --depth=10        # dependency chain
aib graph export --format=dot              # also: json, mermaid
aib graph prune --stale-days=30            # remove stale nodes

All commands support -o json for scripting:

aib -o json graph nodes --type=vm | jq '.[].id'
aib -o json impact node tf:vm:web-prod-1 | jq '.blast_radius'

$ aib impact node tf:network:prod-vpc

Impact Analysis: tf:network:prod-vpc
   Blast Radius: 4 affected assets

   tf:network:prod-vpc (network)
   ├── [connects_to] tf:subnet:prod-subnet (subnet)
   │   └── [connects_to] tf:vm:web-prod-1 (vm)
   │       └── [depends_on] tf:dns_record:web.example.com (dns_record)
   └── [depends_on] tf:database:cloudsql-prod (database)

Runs 15 checks across three severities:

aib graph audit
aib -o json graph audit | jq '.findings[] | select(.severity == "critical")'
aib report --format markdown --out aib-report.md
aib report --format json --out aib-report.json
# Compare against an earlier JSON report for PR-friendly added/removed/changed deltas
aib report --format markdown --baseline previous-aib-report.json --out aib-diff.md

The web UI highlights findings on nodes: red border for critical, orange for warning.

aib graph cycles                           # circular dependencies
aib graph spof --min-affected=3            # single points of failure
aib graph orphans                          # unconnected nodes

Every scan automatically diffs against the current database and reports added/removed/modified assets. Drift is source-scoped, so a Terraform scan never flags Kubernetes nodes as removed.

aib certs probe example.com:443            # probe a TLS endpoint
aib certs list                             # all tracked certs
aib certs expiring --days=30               # expiring within threshold
aib certs check                            # re-probe all known endpoints

When running aib serve, certificates are probed on a schedule and expiry alerts can be sent to stdout, a webhook, or Slack.

aib serve                                  # default :8080
aib serve --listen=:9090 --read-only       # custom port, no scan triggers

UI features: source-grouped sidebar with filtering, multiple layout modes, connection-string rendering with copy, connection evidence on edges, security risk indicators, focus modes (dependencies / impact / secrets path / external path), optional online icons via Simple Icons.

API docs at /api/docs (Swagger UI). Full endpoint reference: docs/api.md

server:
  api_token: "${AIB_API_TOKEN}"

Auth applies to /api/* routes only. Includes CSP headers, rate limiting (10 req/s), body limits (1 MB), path traversal checks, and scan path allowlisting.

Defaults work out of the box. Create aib.yaml in the working directory or ~/.aib/ to customize:

storage:
  path: "./data/aib.db"
  memgraph:
    enabled: false
    uri: "bolt://localhost:7687"

server:
  listen: ":8080"
  api_token: "${AIB_API_TOKEN}"

scan:
  schedule: "4h"
  allowed_paths: ["/opt/infra"]

certs:
  probe_interval: "6h"
  alert_thresholds: [90, 60, 30, 14, 7, 1]

alerts:
  stdout: { enabled: true }
  webhook: { enabled: false, url: "http://sib:8080/api/v1/events" }
  slack: { enabled: false, webhook_url: "https://hooks.slack.com/..." }

All values support ${ENV_VAR} expansion and AIB_-prefixed env overrides (e.g. AIB_SERVER_LISTEN).

Full reference: docs/configuration.md and configs/aib.yaml.example.

SQLite is the source of truth. Optionally add Memgraph for faster graph traversals at scale. AIB falls back to its built-in BFS engine when Memgraph is unavailable.

docker run -p 7687:7687 memgraph/memgraph-mage
# Enable: storage.memgraph.enabled: true
aib graph sync   # sync existing data

Key differences:

• No cloud credentials required — AIB parses IaC files that already exist in your repo; it never calls cloud APIs.
• Multi-source in one graph — Terraform, Kubernetes, Ansible, Compose, CloudFormation, and Pulumi assets land in a single unified graph, enabling cross-stack blast-radius analysis.
• All-in-one binary — drift detection, TLS certificate tracking, security audit (15 checks), SPOF/cycle/orphan analysis, and a web UI ship in a single ~15 MB binary with zero external dependencies (SQLite is embedded).
• Cartography / CloudQuery / Steampipe excel at live cloud inventory but require API credentials, a running database, and don't parse IaC.
• inframap / Rover / terraform graph visualise Terraform only and don't analyse blast radius, drift, or security posture.

• Single-instance — no clustering; suitable for up to ~10K assets
• No built-in TLS — use a reverse proxy for HTTPS
• Single API token — no per-user RBAC
• Partial parser coverage — not all provider resource types are mapped
• Internal networks only — do not expose directly to the internet

make build       # Build binary
make test        # Run tests
make fmt         # Format code
make lint        # Run linter
make clean       # Remove build artifacts

Apache 2.0