{"id":13528169,"url":"https://github.com/Skyscanner/cfripper","last_synced_at":"2025-04-01T11:31:06.049Z","repository":{"id":32836206,"uuid":"139401647","full_name":"Skyscanner/cfripper","owner":"Skyscanner","description":"Library and CLI tool for analysing CloudFormation templates and check them for security compliance.","archived":false,"fork":false,"pushed_at":"2024-12-11T11:57:35.000Z","size":1208,"stargazers_count":398,"open_issues_count":4,"forks_count":55,"subscribers_count":13,"default_branch":"master","last_synced_at":"2024-12-17T22:03:43.895Z","etag":null,"topics":["aws","aws-security","cfripper","cloud-governance","cloudformation","cloudformation-linter","cloudformation-template","compliance","static-analysis"],"latest_commit_sha":null,"homepage":"https://cfripper.readthedocs.io/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Skyscanner.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-07-02T06:40:54.000Z","updated_at":"2024-12-11T11:57:38.000Z","dependencies_parsed_at":"2023-11-13T09:41:17.553Z","dependency_job_id":"90efa126-4ba5-429a-a1f5-aa16194ef71b","html_url":"https://github.com/Skyscanner/cfripper","commit_stats":{"total_commits":351,"total_committers":28,"mean_commits":"12.535714285714286","dds":0.8034188034188035,"last_synced_commit":"85dbf6cbf93a86af01cdf1781794990a441ff902"},"previous_names":[],"tags_count":94,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Skyscanner%2Fcfripper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Skyscanner%2Fcfripper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Skyscanner%2Fcfripper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Skyscanner%2Fcfripper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Skyscanner","download_url":"https://codeload.github.com/Skyscanner/cfripper/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246301997,"owners_count":20755514,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-security","cfripper","cloud-governance","cloudformation","cloudformation-linter","cloudformation-template","compliance","static-analysis"],"created_at":"2024-08-01T06:02:16.020Z","updated_at":"2025-04-01T11:31:06.026Z","avatar_url":"https://github.com/Skyscanner.png","language":"Python","funding_links":[],"categories":["Python","aws","Open Source Repos"],"sub_categories":["CloudFormation"],"readme":"\u003cp align=\"center\"\u003e\n\u003cimg src=\"https://raw.githubusercontent.com/Skyscanner/cfripper/master/docs/img/logo.png\" width=\"200\" alt=\"cfripper logo\"\u003e\n\u003c/p\u003e\n\n# CFRipper\n\n![Build Status](https://github.com/Skyscanner/cfripper/workflows/PyPI%20release/badge.svg)\n[![PyPI version](https://badge.fury.io/py/cfripper.svg)](https://badge.fury.io/py/cfripper)\n[![homebrew version](https://img.shields.io/homebrew/v/cfripper)](https://formulae.brew.sh/formula/cfripper)\n![License](https://img.shields.io/github/license/skyscanner/cfripper)\n\nCFRipper is a Library and CLI security analyzer for AWS CloudFormation templates. You can use CFRipper to prevent deploying insecure AWS resources into your Cloud environment. You can write your own compliance checks by adding new custom plugins.\n\nDocs and more details available in https://cfripper.readthedocs.io/\n\n## CLI Usage\n\n### Normal execution\n\n```bash\n$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt\nAnalysing /tmp/root.yaml...\nNot adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.\nValid: False\nIssues found:\n - FullWildcardPrincipalRule: rootRole should not allow full wildcard '*', or wildcard in account ID like 'arn:aws:iam::*:12345' at '*'\n - IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'\nAnalysing /tmp/root_bypass.json...\nValid: True\n```\n\n### Using the \"resolve\" flag\n\n```bash\n$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt --resolve\nAnalysing /tmp/root.yaml...\nNot adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.\nValid: False\nIssues found:\n - FullWildcardPrincipalRule: rootRole should not allow full wildcard '*', or wildcard in account ID like 'arn:aws:iam::*:12345' at '*'\n - IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'\nAnalysing /tmp/root_bypass.json...\nNot adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.\nValid: False\nIssues found:\n - IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'\nMonitored issues found:\n - PartialWildcardPrincipalRule: rootRole contains an unknown principal: 123456789012\n - PartialWildcardPrincipalRule: rootRole should not allow wildcard, account-wide or root in resource-id like 'arn:aws:iam::12345:root' at 'arn:aws:iam::123456789012:root'\n```\n\n### Using json format and output-folder argument\n\n```bash\n$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format json --resolve --output-folder /tmp\nAnalysing /tmp/root.yaml...\nNot adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.\nResult saved in /tmp/root.yaml.cfripper.results.json\nAnalysing /tmp/root_bypass.json...\nNot adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.\nResult saved in /tmp/root_bypass.json.cfripper.results.json\n```\n\n### Using rules config file\n\n```bash\n$ cfripper tests/test_templates/config/security_group_firehose_ips.json --rules-config-file cfripper/config/rule_configs/example_rules_config_for_cli.py\nAnalysing tests/test_templates/config/security_group_firehose_ips.json...\nValid: True\n```\n\n### Using rules filters files\n\n```bash\n$ cfripper tests/test_templates/config/security_group_firehose_ips.json --rules-filters-folder cfripper/config/rule_configs/\nexample_rules_config_for_cli.py loaded\nAnalysing tests/test_templates/config/security_group_firehose_ips.json...\nValid: True\n```\n\n### Exit Codes\n\n```python\n\"\"\"\nAnalyse AWS Cloudformation templates passed by parameter.\nExit codes:\n  - 0 = all templates valid and scanned successfully\n  - 1 = error / issue in scanning at least one template\n  - 2 = at least one template is not valid according to CFRipper (template scanned successfully)\n  - 3 = unknown / unhandled exception in scanning the templates\n\"\"\"\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSkyscanner%2Fcfripper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSkyscanner%2Fcfripper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSkyscanner%2Fcfripper/lists"}