{"id":50897452,"url":"https://github.com/jemo19/infra-plan-scanner","last_synced_at":"2026-06-16T01:05:01.372Z","repository":{"id":365110631,"uuid":"1270609567","full_name":"jemo19/infra-plan-scanner","owner":"jemo19","description":"Terraform/OpenTofu plan scanner for security, tagging, deletion, and cost-risk checks.","archived":false,"fork":false,"pushed_at":"2026-06-15T23:53:49.000Z","size":66,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-16T00:09:07.726Z","etag":null,"topics":["devops","github-actions","iac","opentofu","policy-as-code","security","terraform"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jemo19.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-15T22:09:21.000Z","updated_at":"2026-06-15T23:53:53.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/jemo19/infra-plan-scanner","commit_stats":null,"previous_names":["jemo19/infra-plan-scanner"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/jemo19/infra-plan-scanner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jemo19%2Finfra-plan-scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jemo19%2Finfra-plan-scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jemo19%2Finfra-plan-scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jemo19%2Finfra-plan-scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jemo19","download_url":"https://codeload.github.com/jemo19/infra-plan-scanner/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jemo19%2Finfra-plan-scanner/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34386324,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-15T02:00:07.085Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devops","github-actions","iac","opentofu","policy-as-code","security","terraform"],"created_at":"2026-06-16T01:05:00.606Z","updated_at":"2026-06-16T01:05:01.364Z","avatar_url":"https://github.com/jemo19.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# InfraGuard Plan Scanner\n\n[![CI](https://github.com/jemo19/infra-plan-scanner/actions/workflows/ci.yml/badge.svg)](https://github.com/jemo19/infra-plan-scanner/actions/workflows/ci.yml)\n[![CodeQL](https://github.com/jemo19/infra-plan-scanner/actions/workflows/codeql.yml/badge.svg)](https://github.com/jemo19/infra-plan-scanner/actions/workflows/codeql.yml)\n[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)\n[![Python 3.12+](https://img.shields.io/badge/Python-3.12%2B-blue.svg)](pyproject.toml)\n\nCatch risky AWS and Azure infrastructure changes before `terraform apply`.\n\nInfraGuard is a local Terraform/OpenTofu plan scanner for engineers who want a\nfast review gate for tagging, public exposure, encryption, IAM, deletion,\nresilience, and cost-risk checks. It reads `terraform show -json` output,\nnormalizes resource changes, runs built-in policies, supports reviewed\nsuppressions/baselines, and emits Markdown, JSON, or SARIF.\n\n## Install\n\nFrom a release package:\n\n```bash\npython -m pip install infraguard-plan-scanner\ninfraguard --help\n```\n\nFrom this checkout:\n\n```bash\npython -m pip install -e \".[dev]\"\ninfraguard --help\n```\n\n## 5-Minute Demo\n\n```bash\ninfraguard scan fixtures/risky-plan.json --format markdown || true\ninfraguard scan fixtures/azure-risky-plan.json --format markdown || true\ninfraguard scan fixtures/safe-plan.json --format json\ninfraguard scan fixtures/azure-safe-plan.json --format json\ninfraguard rules --format markdown\ninfraguard explain IG016\n```\n\nThe risky fixtures fail the default `high` severity gate with actionable\nfindings. The safe fixtures exit zero.\n\n## Terraform Plan Workflow\n\nUse fake or non-production data while evaluating the tool.\n\n```bash\nterraform init\nterraform plan -out plan.out\nterraform show -json plan.out \u003e plan.json\ninfraguard scan plan.json --format markdown\n```\n\nTo generate a starter config:\n\n```bash\ninfraguard init --profile aws-azure --output infraguard.json\ninfraguard validate infraguard.json --kind config\ninfraguard scan plan.json --config infraguard.json\n```\n\nChecked-in starter packs live in [`examples/packs/`](examples/packs/).\n\n## Output Formats\n\n```bash\ninfraguard scan fixtures/risky-plan.json --format markdown\ninfraguard scan fixtures/risky-plan.json --format json --output report.json\ninfraguard scan fixtures/risky-plan.json --format sarif --output report.sarif\n```\n\nJSON results include `schema_version`, active findings, suppressed findings,\nunused suppressions, and the effective rule catalog for the scan. SARIF includes\nstable `partialFingerprints` based on InfraGuard finding IDs.\n\nChecked-in examples live in [`examples/outputs/`](examples/outputs/).\n\n## Suppressions And Baselines\n\nUse a suppression file for findings that have been reviewed and accepted. A\nsuppression requires a stable `finding_id`, or a `rule_id` plus\n`resource_address`, and a non-empty `reason`.\n\n```bash\ninfraguard baseline fixtures/risky-plan.json --output examples/outputs/risky-baseline.json --min-severity high\ninfraguard scan fixtures/risky-plan.json --suppressions examples/outputs/risky-baseline.json --min-severity high\ninfraguard scan fixtures/risky-plan.json --suppressions examples/suppressions.json --include-suppressed\n```\n\nSuppressed findings are excluded from the severity gate. JSON output always\nincludes `suppressed_findings`; Markdown and SARIF include suppressed findings\nonly when `--include-suppressed` is set.\n\n## Severity Gate\n\n`--min-severity` controls the exit status.\n\n```bash\ninfraguard scan fixtures/risky-plan.json --min-severity high\ninfraguard scan fixtures/risky-plan.json --min-severity medium\ninfraguard scan fixtures/risky-plan.json --min-severity low\n```\n\nExit codes:\n\n| Code | Meaning |\n|---:|---|\n| 0 | Scan completed and no findings met the severity gate |\n| 1 | Scan completed and at least one finding met the severity gate |\n| 2 | Input, parser, or configuration error |\n\nUse `--report-only` to render findings while exiting zero after a successful\nparse and config validation.\n\n## Built-In Policies\n\nInfraGuard v1 ships 20 built-in rules across AWS, Azure, and multi-provider\ngovernance checks. Use the CLI or generated docs as the source of truth:\n\n```bash\ninfraguard rules\ninfraguard rules --format json\ninfraguard explain IG005\n```\n\nSee [`docs/RULES.md`](docs/RULES.md) and\n[`docs/POLICY_AUTHORING.md`](docs/POLICY_AUTHORING.md).\n\n## GitHub Actions\n\nUse [`examples/github-action.yml`](examples/github-action.yml) as the copy/paste\nstarting point. The v1 Action is report-only by default, writes a GitHub Step\nSummary, and uploads SARIF when paired with `github/codeql-action/upload-sarif`.\nSet `fail-on-findings: \"true\"` after reviewing and baselining existing findings.\n\n```yaml\n- name: Scan plan with InfraGuard\n  uses: jemo19/infra-plan-scanner@v1\n  with:\n    plan-path: plan.json\n    output: infraguard.sarif\n    fail-on-findings: \"false\"\n```\n\n## Schemas\n\nMachine-readable schemas are checked in under [`schemas/`](schemas/):\n\n- `config.schema.json`\n- `result.schema.json`\n- `suppressions.schema.json`\n\nRegenerate them after model changes:\n\n```bash\npython scripts/generate_schemas.py\n```\n\n## Local Checks\n\n```bash\npython -m pytest\npython -m ruff check .\npython -m ruff format --check .\npython scripts/generate_schemas.py\npython scripts/generate_policy_docs.py\npython -m build\n```\n\n## Limitations\n\n- The scanner does not run Terraform state-changing commands.\n- Fixture plans are fake and intentionally small.\n- Policy configuration and suppressions are JSON-only in v1.\n- OPA/Rego plugins, Docker images, GCP coverage, and a PR comment bot are\n  post-v1 backlog items.\n\n## Security\n\nDo not scan or commit production secrets, private Terraform state, customer data,\nor proprietary infrastructure details. See [`SECURITY.md`](SECURITY.md).\n\n## License\n\nMIT. See [`LICENSE`](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjemo19%2Finfra-plan-scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjemo19%2Finfra-plan-scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjemo19%2Finfra-plan-scanner/lists"}