{"id":49581658,"url":"https://github.com/humancto/hawk","last_synced_at":"2026-05-03T20:39:58.990Z","repository":{"id":342312740,"uuid":"1173574857","full_name":"humancto/hawk","owner":"humancto","description":"Map your AWS serverless architecture in seconds. Discover Lambda functions, triggers, and connected services — render as navigable graphs.","archived":false,"fork":false,"pushed_at":"2026-03-15T14:12:48.000Z","size":634,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"claude/setup-hawk-workspace-rwgNG","last_synced_at":"2026-04-14T00:09:47.240Z","etag":null,"topics":["architecture-visualization","aws","aws-sdk-rust","bevy","cli","cloud-discovery","devops","graph-visualization","infrastructure","infrastructure-mapping","lambda","mermaid","rust","serverless"],"latest_commit_sha":null,"homepage":"https://humancto.github.io/hawk","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/humancto.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-05T14:17:37.000Z","updated_at":"2026-03-05T17:28:45.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/humancto/hawk","commit_stats":null,"previous_names":["humancto/octopussy"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/humancto/hawk","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/humancto%2Fhawk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/humancto%2Fhawk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/humancto%2Fhawk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/humancto%2Fhawk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/humancto","download_url":"https://codeload.github.com/humancto/hawk/tar.gz/refs/heads/claude/setup-hawk-workspace-rwgNG","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/humancto%2Fhawk/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32584646,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-03T06:36:36.687Z","status":"ssl_error","status_checked_at":"2026-05-03T06:36:09.306Z","response_time":103,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["architecture-visualization","aws","aws-sdk-rust","bevy","cli","cloud-discovery","devops","graph-visualization","infrastructure","infrastructure-mapping","lambda","mermaid","rust","serverless"],"created_at":"2026-05-03T20:39:56.538Z","updated_at":"2026-05-03T20:39:58.978Z","avatar_url":"https://github.com/humancto.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Hawk\n\n**Map your AWS serverless architecture in seconds.**\n\nHawk is a CLI tool and interactive viewer that automatically discovers AWS Lambda functions, their triggers, and connected services — then renders the entire architecture as a navigable graph.\n\nPoint it at an AWS account, get a complete picture of what triggers what.\n\n```\n                ┌─────────────┐     ┌─────────────┐\n                │ EventBridge │────▶│   Lambda A   │\n                └─────────────┘     └──────┬──────┘\n                                           │\n┌─────────────┐     ┌─────────────┐        ▼\n│  S3 Bucket  │────▶│   Lambda B   │◀── SNS Topic\n└─────────────┘     └─────────────┘\n                                     ▲\n                ┌─────────────┐      │\n                │ Step Function├─────┘\n                └─────────────┘\n```\n\n---\n\n## About\n\nHawk scans your AWS account using the AWS SDK for Rust, builds a directed graph of Lambda functions and every service that triggers or invokes them, and outputs the result as structured JSON. From there you can generate Mermaid diagrams, diff snapshots over time, or explore the graph interactively in a Bevy-powered 2D viewer.\n\n**Why Hawk?**\n- You inherited an AWS account and need to understand what's connected to what\n- You want to audit Lambda trigger chains before making changes\n- You need a visual map for architecture reviews or onboarding\n- You want to track infrastructure drift by diffing snapshots\n\n**Tags:** `#aws` `#lambda` `#serverless` `#infrastructure-as-graph` `#architecture-visualization` `#rust` `#bevy` `#cloud-discovery` `#devops` `#aws-sdk-rust` `#mermaid` `#infrastructure-mapping`\n\n---\n\n## Features\n\n- **Auto-discovery** — scans 7 AWS services for Lambda connectivity\n- **Deterministic output** — sorted, deduped JSON for stable diffs\n- **Mermaid export** — paste into GitHub, Notion, or any Markdown renderer\n- **Snapshot diffing** — compare two scans to see what changed\n- **Interactive viewer** — Bevy 2D app with search, filters, and layer toggles\n- **Security-conscious** — env var values, secrets, and tokens are never exported\n\n---\n\n## Quick Start\n\n### Prerequisites\n\n- **Rust 1.75+** — [install via rustup](https://rustup.rs)\n- **AWS credentials** — configured via `~/.aws/credentials`, environment variables, or SSO\n- **AWS permissions** — read-only access to Lambda, EventBridge, S3, SNS, CloudWatch Logs, Step Functions, API Gateway v2 (see [IAM Policy](#iam-policy) below)\n\n### Install\n\n```bash\n# Clone and build\ngit clone https://github.com/humancto/hawk.git\ncd hawk\ncargo build --release\n\n# The binary is at target/release/hawk\n# Optionally copy to your PATH:\ncp target/release/hawk /usr/local/bin/\n```\n\n### Run Your First Scan\n\n```bash\n# Discover everything Hawk supports\nhawk analyze aws all \\\n  --profile my-aws-profile \\\n  --region us-east-1 \\\n  --out hawk.json \\\n  --pretty\n\n# Or just Lambda + event source mappings (faster)\nhawk analyze aws lambda \\\n  --profile my-aws-profile \\\n  --region us-east-1 \\\n  --out hawk.json\n```\n\n### Explore the Output\n\n```bash\n# Print a summary to the terminal\nhawk summary --in hawk.json\n\n# Export as a Mermaid diagram\nhawk export mermaid --in hawk.json --out hawk.mmd\n\n# Include all node types (not just Lambda-centric)\nhawk export mermaid --in hawk.json --out hawk.mmd --full\n\n# Compare two snapshots\nhawk diff --old baseline.json --new current.json\n```\n\n### Launch the Viewer\n\n```bash\ncargo run --release -p hawk_viewer -- hawk.json\n```\n\n---\n\n## CLI Reference\n\n### `hawk analyze aws \u003cscope\u003e`\n\nDiscover AWS resources and write a graph JSON file.\n\n| Scope    | Description |\n|----------|-------------|\n| `lambda` | Lambda functions + event source mappings only |\n| `all`    | All supported AWS services |\n\n**Flags:**\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--profile \u003cname\u003e` | env default | AWS profile name |\n| `--region \u003cname\u003e` | env default | AWS region |\n| `--out \u003cfile\u003e` | `hawk.json` | Output file path |\n| `--pretty` | off | Pretty-print JSON |\n| `--verbose` | off | Enable debug logging |\n\n### `hawk summary`\n\nPrint human-readable stats from a scan.\n\n```\n=== Hawk Summary ===\n\nGenerated: 2026-03-05T14:30:00Z\nProfile:   production\nRegions:   us-east-1\n\nNodes: 47\n  Lambda: 23\n  SqsQueue: 8\n  EventRule: 6\n  S3Bucket: 4\n  SnsTopic: 3\n  StepFunction: 2\n  ApiGateway: 1\n\nEdges: 38\n  Triggers: 31\n  Invokes: 7\n\nTop fan-in (most triggered):\n  order-processor: 5\n  notification-handler: 4\n\nTop fan-out (most connections):\n  main-event-bus: 6\n```\n\n### `hawk export mermaid`\n\nGenerate a Mermaid flowchart diagram.\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--in \u003cfile\u003e` | `hawk.json` | Input graph file |\n| `--out \u003cfile\u003e` | `hawk.mmd` | Output Mermaid file |\n| `--full` | off | Show all node types |\n\nThe output can be pasted directly into GitHub Markdown, Notion, or rendered with the [Mermaid CLI](https://github.com/mermaid-js/mermaid-cli).\n\n### `hawk diff`\n\nCompare two graph snapshots.\n\n```bash\nhawk diff --old monday.json --new friday.json\n```\n\n```\n=== Graph Diff ===\n\nAdded nodes (2):\n  + arn:aws:lambda:us-east-1:123:function:new-handler\n  + arn:aws:sqs:us-east-1:123:new-queue\n\nRemoved nodes (1):\n  - arn:aws:lambda:us-east-1:123:function:deprecated-fn\n\nAdded edges (2):\n  + new-queue --Triggers--\u003e new-handler\n  + main-bus --Triggers--\u003e new-handler\n```\n\n---\n\n## AWS Coverage\n\n| Source | Target | Edge Kind | How |\n|--------|--------|-----------|-----|\n| **SQS / DynamoDB / Kinesis** | Lambda | Triggers | `ListEventSourceMappings` |\n| **EventBridge rules** | Lambda | Triggers | `ListRules` + `ListTargetsByRule` |\n| **S3 notifications** | Lambda | Triggers | `GetBucketNotificationConfiguration` |\n| **SNS subscriptions** | Lambda | Triggers | `ListSubscriptionsByTopic` |\n| **CloudWatch Logs** | Lambda | Triggers | `DescribeSubscriptionFilters` |\n| **Step Functions** | Lambda | Invokes | `DescribeStateMachine` (definition parse) |\n| **API Gateway v2** | Lambda | Triggers | `GetRoutes` + `GetIntegrations` |\n\n---\n\n## Graph Schema\n\nThe output JSON follows a stable schema:\n\n```jsonc\n{\n  \"generated_at\": \"2026-03-05T14:30:00Z\",\n  \"profile\": \"production\",\n  \"regions\": [\"us-east-1\"],\n  \"nodes\": [\n    {\n      \"id\": \"arn:aws:lambda:us-east-1:123456789012:function:my-fn\",\n      \"kind\": \"Lambda\",\n      \"name\": \"my-fn\",\n      \"arn\": \"arn:aws:lambda:us-east-1:123456789012:function:my-fn\",\n      \"region\": \"us-east-1\",\n      \"account_id\": \"123456789012\",\n      \"props\": {\n        \"runtime\": \"nodejs20.x\",\n        \"memory_size\": 256,\n        \"timeout\": 30,\n        \"handler\": \"index.handler\",\n        \"env_keys\": [\"DATABASE_URL\", \"API_KEY\"]  // values redacted\n      }\n    }\n  ],\n  \"edges\": [\n    {\n      \"from\": \"arn:aws:sqs:us-east-1:123456789012:my-queue\",\n      \"to\": \"arn:aws:lambda:us-east-1:123456789012:function:my-fn\",\n      \"kind\": \"Triggers\",\n      \"props\": { \"batch_size\": 10 }\n    }\n  ],\n  \"warnings\": [],\n  \"stats\": { \"node_count\": 2, \"edge_count\": 1, \"...\" : \"...\" }\n}\n```\n\n**Node kinds:** Lambda, ApiGateway, ApiRoute, EventRule, SqsQueue, SnsTopic, S3Bucket, DynamoStream, StepFunction, LogGroup, EcsService, Ec2Instance, LoadBalancer, Unknown\n\n**Edge kinds:** Triggers, Invokes, Consumes, Publishes, ReadsFrom, WritesTo\n\n---\n\n## Interactive Viewer\n\nThe Bevy-based viewer renders the graph as a 2D node-and-edge map.\n\n**Controls:**\n| Action | Input |\n|--------|-------|\n| Select node | Click |\n| Pan | Drag |\n| Zoom | Scroll wheel |\n\n**UI panels:**\n- **Left panel** — search bar, layer toggles (Compute / Events / Storage / Orchestration)\n- **Right panel** — selected node details (name, kind, ARN, region, properties)\n\n**Layers:**\n| Layer | Node kinds |\n|-------|-----------|\n| Compute | Lambda, ECS Service, EC2 Instance |\n| Events | EventBridge Rule, API Gateway, API Route, SNS Topic, SQS Queue, Log Group |\n| Storage | S3 Bucket, DynamoDB Stream |\n| Orchestration | Step Function |\n\n---\n\n## IAM Policy\n\nHawk requires **read-only** access. Here's a minimal IAM policy:\n\n```json\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"HawkReadOnly\",\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"lambda:ListFunctions\",\n        \"lambda:ListEventSourceMappings\",\n        \"events:ListRules\",\n        \"events:ListTargetsByRule\",\n        \"s3:ListAllMyBuckets\",\n        \"s3:GetBucketNotificationConfiguration\",\n        \"sns:ListTopics\",\n        \"sns:ListSubscriptionsByTopic\",\n        \"logs:DescribeLogGroups\",\n        \"logs:DescribeSubscriptionFilters\",\n        \"states:ListStateMachines\",\n        \"states:DescribeStateMachine\",\n        \"apigateway:GET\"\n      ],\n      \"Resource\": \"*\"\n    }\n  ]\n}\n```\n\n---\n\n## Project Structure\n\n```\nhawk/\n├── Cargo.toml                  # Workspace root\n├── crates/\n│   ├── hawk_core/              # Graph model, stats, dedupe, redaction\n│   ├── hawk_aws/               # AWS SDK discovery modules (7 connectors)\n│   ├── hawk_cli/               # CLI binary (clap-based)\n│   └── hawk_render/            # Mermaid renderer\n├── apps/\n│   └── hawk_viewer/            # Bevy 2D interactive viewer\n├── examples/\n│   └── sample_graph.json       # Example output for testing\n└── assets/\n    ├── sprites/                # Node sprite assets\n    └── fonts/                  # Font assets\n```\n\n---\n\n## Development\n\n```bash\n# Check compilation\ncargo check --workspace\n\n# Run tests\ncargo test --workspace --exclude hawk_viewer\n\n# Run with verbose logging\nhawk analyze aws all --profile dev --region us-east-1 --verbose\n\n# Run clippy\ncargo clippy --workspace --exclude hawk_viewer\n\n# Format code\ncargo fmt --all\n```\n\n### Running Tests Without AWS Credentials\n\nThe unit tests don't require AWS credentials — they test ARN parsing, graph operations, Mermaid rendering, and data redaction. Integration tests use fixture JSON files in `examples/`.\n\n---\n\n## Security \u0026 Data Safety\n\nHawk is designed to be safe to run against production accounts:\n\n- **Environment variable values are never exported** — only keys are recorded\n- **Secrets, tokens, and auth data are redacted** from all output\n- **No write operations** — Hawk only calls read/list/describe APIs\n- **No data leaves your machine** — output is written to local files only\n- **Inline policy documents are excluded** unless explicitly requested\n\n---\n\n## Roadmap\n\n- [ ] API Gateway v1 (REST APIs) discovery\n- [ ] Multi-region scanning in a single run\n- [ ] Multi-account scanning (AWS Organizations)\n- [ ] Force-directed graph layout in the viewer\n- [ ] HTML export with interactive SVG\n- [ ] Cost annotations via Cost Explorer API\n- [ ] CloudFormation / CDK stack grouping\n- [ ] Terraform state file import\n\n---\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, coding standards, and pull request guidelines.\n\n---\n\n## License\n\n[MIT](LICENSE) — Archith Rapaka\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhumancto%2Fhawk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhumancto%2Fhawk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhumancto%2Fhawk/lists"}