Evidra

Acerca de

Evidra acts as a critical guardrail between AI agents and production infrastructure, intercepting and validating structured tool invocations like `kubectl`, `terraform`, and `argocd` before they execute. It evaluates these actions against explicit OPA policy, blocking any destructive operations that are incomplete, unsafe, or unknown, thereby preventing potential outages and misconfigurations. Operating on a fail-closed principle, Evidra ensures that only explicitly allowed and contextually safe operations proceed, while recording every decision in an immutable, hash-chained evidence log for audit and compliance. It offers deterministic protection without relying on natural language analysis or runtime API calls, making it suitable for both AI-driven workflows and traditional CI pipelines.

Características Principales

• Fail-closed by default, denying unknown tools, incomplete payloads, or ambiguous target scopes.
• Every decision (allow/deny) is appended to an immutable, SHA-256 hash-chained evidence log.
• Curated 'ops layer' rules catch catastrophic misconfigurations like privileged containers or public S3 buckets.
• 2 GitHub stars
• Evaluates structured tool invocations against OPA policy bundles, providing deterministic results and actionable hints.
• Kill-switch for AI agents, blocking destructive operations unless proven safe.

Casos de Uso

• Integrating into CI/CD pipelines to validate infrastructure-as-code plans (e.g., Terraform plans) before application.
• Preventing AI agents from executing unsafe, incomplete, or unauthorized infrastructure changes on production environments.
• Maintaining an immutable, tamper-evident audit trail of all infrastructure policy decisions for compliance and accountability.