Environment Setup
Set up your tools
The audit system verifies your infrastructure by calling real APIs and inspecting real repos. That means it needs the same CLI tools you use day-to-day — installed and authenticated.
Automatic environment check
You don't need to manually verify all of this. Run /audit-preflight in Claude Code and it will check every tool, report what's missing, and tell you exactly how to fix it.
Core tools
Required for every audit, regardless of your stack.
Required Git
Repos are cloned and analyzed during audits. You almost certainly have this already.
# Check
git --version
# Install (macOS)
brew install git
Required Node.js
Used for schema validation during audits. Version 18 or later recommended.
# Check
node --version
npx --version
# Install (macOS)
brew install node
# Or with nvm
nvm install --lts
Required Claude Code
The AI CLI that runs audit skills. This is the engine behind the entire system.
# Install
npm install -g @anthropic-ai/claude-code
# Verify
claude --version
Required GitHub CLI
Used heavily for checking branch protections, CI status, repo settings, and org configuration. Must be authenticated with repo and read:org scopes.
# Install
brew install gh
# Authenticate
gh auth login
# Verify
gh auth status
# If missing scopes
gh auth refresh -s repo,read:org
Cloud provider tools
Install the CLIs for cloud providers you use. These are checked based on what you configure in org.yaml during /audit-init.
If using AWS AWS CLI
Checks RDS backups, S3 replication, EC2 availability zones, load balancer configs, and more.
# Install
brew install awscli
# Authenticate
aws configure
# Or with SSO
aws sso login
# Verify
aws sts get-caller-identity
If using GCP Google Cloud CLI
Checks Cloud SQL HA, compute zones, backup policies, and GCP-specific infrastructure items.
# Install
brew install --cask google-cloud-sdk
# Authenticate
gcloud auth login
# Set project
gcloud config set project YOUR_PROJECT_ID
# Verify
gcloud auth list --filter=status:ACTIVE
If using Azure Azure CLI
Checks SQL zone redundancy, availability sets, and Azure-specific infrastructure.
# Install
brew install azure-cli
# Authenticate
az login
# Verify
az account show
What if I skip a cloud CLI?
The audit won't break. Items that need a missing tool are marked blocked instead of failing. You'll see them in your results with a clear note about what access is needed.
This means you can start auditing immediately with just the core tools and add cloud CLIs later when you're ready to check infrastructure-level items.
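A manual version of the checks described above, as an added example that is not part of the original page and not how /audit-preflight is implemented. It reports missing core tools as fail and missing cloud CLIs as blocked, tests the Node.js major version, and finds which of the repo and read:org scopes are absent from gh auth status output. The function names, the ok/fail status words, and the sample output format are assumptions.

```shell
#!/bin/sh
# Added example: manual version of the checks above (not /audit-preflight itself).

# tool_status NAME KIND -> ok | fail | blocked
# KIND: "required" for core tools, "optional" for cloud CLIs.
tool_status() {
  if command -v "$1" >/dev/null 2>&1; then echo ok
  elif [ "$2" = required ]; then echo fail
  else echo blocked
  fi
}

# node_ok VERSION -> exit 0 when the major version is 18 or later.
node_ok() {
  major=${1#v}; major=${major%%.*}
  case $major in ''|*[!0-9]*) return 1 ;; esac
  [ "$major" -ge 18 ]
}

# missing_scopes TEXT -> scopes (of repo, read:org) absent from the first
# "Token scopes:" line in `gh auth status` output. Literal match only: a
# broader scope such as admin:org is not treated as covering read:org.
missing_scopes() {
  have=$(printf '%s\n' "$1" | sed -n 's/.*Token scopes: *//p' | head -n 1 |
    tr -d "'\"" | tr ',' ' ')
  out=
  for want in repo read:org; do
    case " $have " in *" $want "*) ;; *) out="$out $want" ;; esac
  done
  echo $out
}

# Constructed sample output (assumed format), so the demo runs offline.
sample="github.com
  - Token scopes: 'gist', 'repo', 'workflow'"

for t in git node npx claude gh; do
  printf '%-8s %s\n' "$t" "$(tool_status "$t" required)"
done
for t in aws gcloud az; do
  printf '%-8s %s\n' "$t" "$(tool_status "$t" optional)"
done
node_ok v16.20.2 || echo "node v16.20.2: older than 18"
echo "sample token is missing: $(missing_scopes "$sample")"
# Live check: missing_scopes "$(gh auth status 2>&1)"
```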
Org and repo access
Beyond having the CLI tools installed, the authenticated user needs the right permissions:
GitHub org membership
The gh user must be a member (ideally admin) of the GitHub org being audited. Org-level checks (branch protection defaults, security settings, team structure) require this.
Repo read access
The audit clones repos and calls the GitHub API. You need at least read access to every repo you're auditing. The preflight check verifies this per-project.
Cloud IAM permissions
Cloud CLI checks need read access to the services being audited (RDS, Cloud SQL, EC2, etc.). A read-only IAM role or viewer role is sufficient for audit purposes.
Run the preflight check
Instead of checking everything manually, let Claude do it for you. The preflight command checks every tool, verifies authentication, and gives you copy-paste commands to fix any gaps.
claude # launch Claude Code in your workspace
> /audit-preflight # check everything
This also runs automatically before /audit-init and /audit-start, so you'll be prompted if anything is missing.