Air-Gapped Deployments
ShadowAudit runs entirely locally. It makes no outbound network calls during operation. All enforcement, audit logging, and approval workflows function without internet access.
What runs locally
| Component | Storage |
|---|---|
| Runtime gate | In-process, no network |
| Policy evaluation | In-process, reads local YAML |
| Audit log | Local SQLite file (./audit.db) |
| Approval queue | Local SQLite file |
| CLI commands | Local process |
Installation in air-gapped environments
Download the package and its dependencies on a networked machine, transfer to the air-gapped environment, and install from the local archive:
# On networked machine
pip download shadowaudit -d ./packages
# Transfer ./packages to air-gapped machine
# On air-gapped machine
pip install --no-index --find-links ./packages shadowaudit
Offline verification
Audit log verification runs locally:
shadowaudit verify --audit-log ./audit.db
No external service is contacted.
Policy files
Policies are plain YAML files. Manage them as code in your version control system and deploy them alongside your application. No ShadowAudit service needs to be reachable.
Approval workflows in air-gapped environments
The approval queue is stored in local SQLite. Reviewers run shadowaudit pending-approvals and shadowaudit approve <id> on the same machine (or a machine with access to the shared SQLite file).
For multi-machine environments, point all nodes at a shared network path for the audit database:
from shadowaudit.core.audit import AuditLogger
from shadowaudit.core.gate import Gate
gate = Gate(
audit_logger=AuditLogger(db_path="/shared/nfs/shadowaudit/audit.db")
)
Log export for offline analysis
View audit logs as JSON for analysis on a separate system:
shadowaudit logs --audit-log audit.db --json > audit_export.json
Analysis can be run on the exported file on any machine with ShadowAudit installed.
What is not available offline
- PyPI package updates (expected — install from local archive)
- Any future cloud dashboard or telemetry features (not part of the open-source package)