{"id":27351907,"url":"https://github.com/rivassec/secure-iam-lint","last_synced_at":"2026-05-02T02:38:16.424Z","repository":{"id":287471945,"uuid":"964847360","full_name":"rivassec/secure-iam-lint","owner":"rivassec","description":"Python-based linter for AWS IAM policies to catch insecure configurations","archived":false,"fork":false,"pushed_at":"2025-04-11T22:29:33.000Z","size":9,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-12T20:54:03.060Z","etag":null,"topics":["automation","aws","devsecops","iam","linter","python","security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rivassec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-04-11T22:23:52.000Z","updated_at":"2025-04-11T23:01:11.000Z","dependencies_parsed_at":"2025-04-11T23:30:58.233Z","dependency_job_id":"195fc0e1-72ed-4d56-9e89-57832ca11d81","html_url":"https://github.com/rivassec/secure-iam-lint","commit_stats":null,"previous_names":["rivassec/secure-iam-lint"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rivassec%2Fsecure-iam-lint","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rivassec%2Fsecure-iam-lint/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rivassec%2Fsecure-iam-lint/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rivassec%2Fsecure-iam-lint/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rivassec","download_url":"https://codeload.github.com/rivassec/secure-iam-lint/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248631718,"owners_count":21136560,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","aws","devsecops","iam","linter","python","security"],"created_at":"2025-04-12T20:54:06.097Z","updated_at":"2026-05-02T02:38:16.415Z","avatar_url":"https://github.com/rivassec.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# secure-iam-lint\n\n[![Checkov Scan](https://github.com/rivassec/secure-iam-lint/actions/workflows/checkov.yml/badge.svg?branch=main)](https://github.com/rivassec/secure-iam-lint/actions/workflows/checkov.yml)\n[![Run Tests](https://github.com/rivassec/secure-iam-lint/actions/workflows/test.yml/badge.svg?branch=main)](https://github.com/rivassec/secure-iam-lint/actions/workflows/test.yml)\n[![Trivy Scan](https://github.com/rivassec/secure-iam-lint/actions/workflows/trivy.yml/badge.svg?branch=main)](https://github.com/rivassec/secure-iam-lint/actions/workflows/trivy.yml)\n[![License](https://img.shields.io/github/license/rivassec/secure-iam-lint.svg)](LICENSE)\n[![Python](https://img.shields.io/badge/python-3.8+-blue.svg)](https://www.python.org/downloads/)\n\n`secure-iam-lint` is a lightweight CLI scanner for AWS IAM policies. It flags common misconfigurations such as wildcard permissions, missing conditions, and escalation risks. Ideal for CI pipelines and local dev workflows, it helps catch risky IAM patterns early.\n\n## Features\n\n- Flags use of `Action: \"*\"` and `Resource: \"*\"`\n- Warns on `Allow` statements missing `Condition` blocks\n- Detects `iam:PassRole` with wildcard resources\n- Identifies `NotAction` and `NotResource` usage\n- CLI output designed for readability\n- Modular, testable Python structure\n\n## Installation\n\nClone and install in editable mode (recommended for development):\n\n```bash\ngit clone https://github.com/rivassec/secure-iam-lint.git\ncd secure-iam-lint\npython -m venv .venv\nsource .venv/bin/activate\npip install -e .\n```\n\n\u003e PyPI installation is planned for a future release.\n\n## Usage\n\n```bash\niam-lint examples/bad-policy-extended.json\n```\n\n### Example Output\n\n```\nFindings:\n - HIGH Statement 0: Action includes '*' (overly permissive)\n - HIGH Statement 0: Resource includes '*' (overly permissive)\n - MEDIUM Statement 1: Allow without any Condition block\n - CRITICAL Statement 2: iam:PassRole with wildcard resource\n - MEDIUM Statement 3: uses NotAction (may be overly permissive)\n - MEDIUM Statement 3: uses NotResource (may be overly permissive)\n```\n\nUse `--verbose` for additional output.\n\n## Running Tests\n\nInstall `pytest` and run:\n\n```bash\npip install pytest\npytest tests/\n```\n\n## Project Structure\n\n```\nsecure-iam-lint/\n├── iamlint/               # CLI and rule logic\n├── examples/              # Sample IAM policies\n├── tests/                 # Pytest-based suite\n├── iam_lint.py            # CLI entry point\n├── setup.py               # Install/config metadata\n└── README.md\n```\n\n## Roadmap\n\nPlanned features:\n\n- JSON and SARIF output formats\n- Severity-based fail thresholds (`--fail-on HIGH`)\n- Docker container for CI use\n- Configurable rule sets\n\n## Motivation\n\nIAM policy reviews are tedious and error-prone. This tool helps engineers detect obvious risks early — especially in IaC-driven or regulated environments.\n\n## Contributing\n\nIssues and pull requests are welcome. If you have a new rule idea or see a false positive, feel free to open a discussion.\n\n## License\n\nMIT License. See the [LICENSE](LICENSE) file for details.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frivassec%2Fsecure-iam-lint","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frivassec%2Fsecure-iam-lint","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frivassec%2Fsecure-iam-lint/lists"}