{"id":47610752,"url":"https://github.com/stxkxs/matlock","last_synced_at":"2026-04-10T02:21:03.472Z","repository":{"id":341692947,"uuid":"1171105536","full_name":"stxkxs/matlock","owner":"stxkxs","description":"Multi-cloud security and cost swiss army knife — audit IAM permissions, spot cost anomalies, find orphaned resources, and flag insecure storage across AWS, GCP, and Azure","archived":false,"fork":false,"pushed_at":"2026-03-17T01:59:59.000Z","size":326,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-17T13:37:19.974Z","etag":null,"topics":["aws","azure","cli","cloud","cloud-security","cost-optimization","devops","gcp","golang","iam","least-privilege","security"],"latest_commit_sha":null,"homepage":"https://github.com/stxkxs/matlock","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stxkxs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-02T22:00:41.000Z","updated_at":"2026-03-17T02:00:03.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/stxkxs/matlock","commit_stats":null,"previous_names":["stxkxs/matlock"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/stxkxs/matlock","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stxkxs%2Fmatlock","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stxkxs%2Fmatlock/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stxkxs%2Fmatlock/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stxkxs%2Fmatlock/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stxkxs","download_url":"https://codeload.github.com/stxkxs/matlock/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stxkxs%2Fmatlock/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31291363,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T13:12:26.723Z","status":"ssl_error","status_checked_at":"2026-04-01T13:12:25.102Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","azure","cli","cloud","cloud-security","cost-optimization","devops","gcp","golang","iam","least-privilege","security"],"created_at":"2026-04-01T20:04:05.112Z","updated_at":"2026-04-01T20:04:08.465Z","avatar_url":"https://github.com/stxkxs.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# matlock\n\nMulti-cloud security and cost swiss army knife — single binary, zero dependencies.\n\nAudit IAM permissions, spot cost anomalies, find orphaned resources, flag insecure storage, detect overly permissive firewall rules, monitor TLS certificate expiry, enforce resource tagging, check service quota utilization, save and compare scan baselines, generate HTML reports, and more — across AWS, GCP, and Azure.\n\n\u003c!-- screenshot placeholder --\u003e\n\u003c!-- ![matlock iam scan output](docs/screenshots/iam-scan.png) --\u003e\n\n---\n\n## Installation\n\n### Homebrew (macOS / Linux)\n\n```sh\nbrew install stxkxs/tap/matlock\n```\n\n### go install\n\n```sh\ngo install github.com/stxkxs/matlock@latest\n```\n\n### Direct download\n\nPre-built binaries for Linux, macOS, and Windows are attached to every [GitHub release](https://github.com/stxkxs/matlock/releases).\n\n```sh\n# macOS arm64 example\ncurl -sSL https://github.com/stxkxs/matlock/releases/latest/download/matlock_Darwin_arm64.tar.gz \\\n  | tar -xz matlock\nsudo mv matlock /usr/local/bin/\n```\n\nVerify the download against the published SHA256 checksums:\n\n```sh\ncurl -sSL https://github.com/stxkxs/matlock/releases/latest/download/checksums.txt | sha256sum --check --ignore-missing\n```\n\n### Build from source\n\nRequires Go 1.26+ and [Task](https://taskfile.dev).\n\n```sh\ngit clone https://github.com/stxkxs/matlock.git\ncd matlock\ntask build\n```\n\n---\n\n## Credentials setup\n\nmatlock auto-detects available providers from environment variables and credential files. You only need to configure the providers you actually use.\n\n### AWS\n\nmatlock uses the standard AWS SDK credential chain.\n\n```sh\n# Option 1 — environment variables\nexport AWS_ACCESS_KEY_ID=...\nexport AWS_SECRET_ACCESS_KEY=...\nexport AWS_REGION=us-east-1\n\n# Option 2 — named profile\nexport AWS_PROFILE=my-profile\nexport AWS_REGION=us-east-1\n\n# Option 3 — IAM role / instance metadata (no env vars needed)\n```\n\nRequired IAM permissions for a read-only audit role:\n\n```json\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"iam:List*\",\n        \"iam:Get*\",\n        \"cloudtrail:LookupEvents\",\n        \"ce:GetCostAndUsage\",\n        \"ec2:Describe*\",\n        \"elasticloadbalancing:Describe*\",\n        \"s3:ListAllMyBuckets\",\n        \"s3:GetBucketAcl\",\n        \"s3:GetBucketEncryption\",\n        \"s3:GetBucketVersioning\",\n        \"s3:GetBucketLogging\",\n        \"s3:GetBucketPublicAccessBlock\",\n        \"s3:GetBucketTagging\",\n        \"acm:ListCertificates\",\n        \"acm:DescribeCertificate\",\n        \"rds:DescribeDBInstances\",\n        \"lambda:ListFunctions\",\n        \"lambda:GetFunction\",\n        \"lambda:ListTags\",\n        \"lambda:GetAccountSettings\",\n        \"iam:GetAccountSummary\",\n        \"servicequotas:GetServiceQuota\",\n        \"servicequotas:ListServiceQuotas\"\n      ],\n      \"Resource\": \"*\"\n    }\n  ]\n}\n```\n\n### GCP\n\n```sh\n# Option 1 — application default credentials (gcloud)\ngcloud auth application-default login\n\n# Option 2 — service account key\nexport GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json\nexport GOOGLE_CLOUD_PROJECT=my-project-id\n\n# Required for cost diff\nexport GOOGLE_BILLING_ACCOUNT_ID=XXXXXX-XXXXXX-XXXXXX\n```\n\nRequired IAM roles for the service account:\n- `roles/iam.securityReviewer`\n- `roles/logging.viewer`\n- `roles/billing.viewer`\n- `roles/storage.objectViewer`\n- `roles/compute.viewer`\n- `roles/certificatemanager.viewer` (for `matlock certs`)\n- `compute.projects.get` permission (for `matlock quota`)\n\n### Azure\n\n```sh\n# Option 1 — Azure CLI\naz login\nexport AZURE_SUBSCRIPTION_ID=...\n\n# Option 2 — service principal\nexport AZURE_TENANT_ID=...\nexport AZURE_CLIENT_ID=...\nexport AZURE_CLIENT_SECRET=...\nexport AZURE_SUBSCRIPTION_ID=...\n```\n\nRequired role assignments:\n- `Reader` on the subscription\n- `Cost Management Reader` on the subscription\n- `Key Vault Reader` + `Key Vault Certificates Officer` (or `Key Vault Reader` if using RBAC-enabled vaults) for `matlock certs`\n\n---\n\n## Commands\n\n### `matlock iam scan` — unused and overprivileged IAM\n\nCompares granted permissions against CloudTrail / Audit Log activity over the lookback window and reports unused, admin, and cross-account risks.\n\n```sh\n# Scan all auto-detected providers (90-day lookback)\nmatlock iam scan\n\n# AWS only, last 30 days, show CRITICAL and HIGH only\nmatlock iam scan --provider aws --days 30 --severity HIGH\n\n# Scan a specific principal\nmatlock iam scan --provider gcp --principal serviceAccount:scanner@my-project.iam.gserviceaccount.com\n\n# JSON output for downstream tooling\nmatlock iam scan --output json --output-file report.json\n\n# SARIF output for GitHub Advanced Security\nmatlock iam scan --output sarif --output-file results.sarif\n\n# Increase parallelism for large accounts\nmatlock iam scan --concurrency 20\n```\n\n\u003c!-- screenshot placeholder --\u003e\n\u003c!-- ![iam scan table output](docs/screenshots/iam-scan.png) --\u003e\n\n**Flags**\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--provider` | auto | Cloud providers to scan: `aws`, `gcp`, `azure` |\n| `--days` | `90` | Audit log lookback window in days |\n| `--principal` | | Scan a single principal by name or ID |\n| `--severity` | `LOW` | Minimum severity to report: `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, `INFO` |\n| `--output` | `table` | Output format: `table`, `json`, `sarif` |\n| `--output-file` | | Write output to file instead of stdout |\n| `--concurrency` | `10` | Maximum parallel goroutines per provider |\n| `--profile` | | AWS named profile to use for credentials |\n\n---\n\n### `matlock iam fix` — generate Terraform remediations\n\nReads a JSON scan report and generates least-privilege Terraform policy files for each flagged principal.\n\n```sh\n# Generate fixes for all HIGH+ findings\nmatlock iam fix --from report.json\n\n# Write fixes to a custom directory\nmatlock iam fix --from report.json --out ./tf-fixes\n\n# Include MEDIUM severity fixes too\nmatlock iam fix --from report.json --severity MEDIUM\n```\n\n**Workflow**\n\n```sh\nmatlock iam scan --output json --output-file report.json\nmatlock iam fix --from report.json --out ./fixes\nls ./fixes/\n# minimal_lambda_executor.tf\n# minimal_my_project_scanner_at_my_project_iam_gserviceaccount_com.tf\n```\n\n**Flags**\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--from` | (required) | Path to JSON report from `matlock iam scan --output json` |\n| `--format` | `terraform` | Output format: `terraform`, `json` |\n| `--out` | `./matlock-fixes` | Output directory for generated files |\n| `--severity` | `HIGH` | Minimum severity to generate fixes for |\n\n---\n\n### `matlock cost diff` — spend delta between time windows\n\nCompares cloud spend between the last N days and the N days before that, surfacing unexpected increases service by service.\n\n```sh\n# Compare last 30 days vs the 30 days before\nmatlock cost diff\n\n# 7-day comparison, AWS only\nmatlock cost diff --provider aws --days 7\n\n# JSON output for alerting pipelines\nmatlock cost diff --output json\n```\n\n\u003c!-- screenshot placeholder --\u003e\n\u003c!-- ![cost diff table output](docs/screenshots/cost-diff.png) --\u003e\n\n**Flags**\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--provider` | auto | Cloud providers to query |\n| `--days` | `30` | Compare last N days vs N days before |\n| `--threshold` | `0` | Only show services with \u003eN% change (e.g. `--threshold 20`) |\n| `--output` | `table` | Output format: `table`, `json` |\n| `--output-file` | | Write output to file instead of stdout |\n\nCost increases \u003e10% are shown in red; decreases are shown in green.\n\n---\n\n### `matlock orphans` — unused disks, IPs, and load balancers\n\nFinds unattached disks, reserved IPs with no instance, and idle load balancers. Reports estimated monthly cost.\n\n```sh\n# All providers\nmatlock orphans\n\n# Only report resources costing more than $5/month\nmatlock orphans --min-cost 5\n\n# JSON for Slack/PagerDuty integration\nmatlock orphans --output json\n```\n\n\u003c!-- screenshot placeholder --\u003e\n\u003c!-- ![orphans table output](docs/screenshots/orphans.png) --\u003e\n\n**Flags**\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--provider` | auto | Cloud providers to scan |\n| `--min-cost` | `0` | Only report orphans with monthly cost above this USD threshold |\n| `--output` | `table` | Output format: `table`, `json` |\n| `--output-file` | | Write output to file instead of stdout |\n\nThe table includes a TOTAL row summing all monthly costs.\n\n---\n\n### `matlock storage audit` — public buckets and encryption gaps\n\nAudits object storage for public access, missing encryption, disabled versioning, and missing access logging.\n\n```sh\n# All providers\nmatlock storage audit\n\n# HIGH and CRITICAL findings only\nmatlock storage audit --severity HIGH\n\n# JSON for SIEM ingestion\nmatlock storage audit --output json --output-file storage-findings.json\n```\n\n\u003c!-- screenshot placeholder --\u003e\n\u003c!-- ![storage audit table output](docs/screenshots/storage-audit.png) --\u003e\n\n**Flags**\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--provider` | auto | Cloud providers to scan |\n| `--severity` | `LOW` | Minimum severity to report |\n| `--output` | `table` | Output format: `table`, `json` |\n| `--output-file` | | Write output to file instead of stdout |\n\n---\n\n### `matlock network audit` — overly permissive firewall rules\n\nChecks security groups (AWS), firewall rules (GCP), and network security groups (Azure) for rules that expose sensitive ports to the internet.\n\nSeverity rules:\n- **CRITICAL** — `0.0.0.0/0` on SSH (22), RDP (3389), or database ports (3306, 5432, 1433, 27017, 6379, 9200)\n- **HIGH** — `0.0.0.0/0` on any non-HTTP/HTTPS port\n- **MEDIUM** — unrestricted egress (all traffic to `0.0.0.0/0`)\n\n```sh\n# All providers\nmatlock network audit\n\n# AWS only, show CRITICAL findings\nmatlock network audit --provider aws --severity CRITICAL\n\n# JSON output\nmatlock network audit --output json --output-file network-findings.json\n```\n\n**Flags**\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--provider` | auto | Cloud providers to scan |\n| `--severity` | `LOW` | Minimum severity to report |\n| `--output` | `table` | Output format: `table`, `json` |\n| `--output-file` | | Write output to file instead of stdout |\n\n---\n\n### `matlock certs` — TLS certificate expiry\n\nLists TLS certificates from ACM (AWS), Certificate Manager (GCP), and Azure Key Vault that are expired or expiring soon.\n\nSeverity rules:\n- **CRITICAL** — expired, or expiring within 7 days\n- **HIGH** — expiring within 30 days\n- **MEDIUM** — expiring within 60 days\n- **LOW** — expiring within 90 days (default `--days` threshold)\n\n```sh\n# All providers, warn on certs expiring within 90 days (default)\nmatlock certs\n\n# Only show certs expiring within 30 days\nmatlock certs --days 30\n\n# AWS only, CRITICAL and HIGH only\nmatlock certs --provider aws --severity HIGH\n\n# JSON output\nmatlock certs --output json --output-file certs.json\n```\n\n**Flags**\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--provider` | auto | Cloud providers to scan |\n| `--days` | `90` | Include certs expiring within this many days |\n| `--severity` | `LOW` | Minimum severity to report |\n| `--output` | `table` | Output format: `table`, `json` |\n| `--output-file` | | Write output to file instead of stdout |\n\n\u003e **GCP note:** Certificate Manager must be enabled in your project (`gcloud services enable certificatemanager.googleapis.com`). If the API is not enabled, `matlock certs` skips GCP with a warning.\n\n---\n\n### `matlock tags` — missing resource tags/labels\n\nAudits EC2 instances, S3 buckets, RDS databases, Lambda functions (AWS), compute instances and GCS buckets (GCP), and all resource types (Azure) for missing required tags or labels.\n\nAll findings are **MEDIUM** severity.\n\n```sh\n# Require owner, env, and cost-center tags across all providers\nmatlock tags --require owner,env,cost-center\n\n# AWS only\nmatlock tags --provider aws --require owner,env\n\n# JSON output\nmatlock tags --require owner,env --output json --output-file tags.json\n```\n\n**Flags**\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--provider` | auto | Cloud providers to scan |\n| `--require` | (required) | Comma-separated tag/label keys that must be present |\n| `--severity` | `MEDIUM` | Minimum severity to report |\n| `--output` | `table` | Output format: `table`, `json` |\n| `--output-file` | | Write output to file instead of stdout |\n\n---\n\n### `matlock audit` — unified full-spectrum audit\n\nRuns all security and cost scans (IAM, storage, network, orphans, certs, tags, secrets) in one shot and produces a single combined report. Skip specific domains with `--skip`.\n\n```sh\n# Full audit across all auto-detected providers\nmatlock audit\n\n# Skip IAM and certs domains\nmatlock audit --skip iam,certs\n\n# HIGH and CRITICAL findings only, JSON output\nmatlock audit --severity HIGH --output json --output-file audit.json\n\n# SARIF output for GitHub Advanced Security\nmatlock audit --output sarif --output-file audit.sarif\n\n# AWS only with custom thresholds\nmatlock audit --provider aws --iam-days 30 --cert-days 60 --require-tags owner,env\n```\n\n**Flags**\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--provider` | auto | Cloud providers to scan: `aws`, `gcp`, `azure` |\n| `--skip` | | Domains to skip: `iam`, `storage`, `network`, `orphans`, `certs`, `tags`, `secrets` |\n| `--severity` | `LOW` | Minimum severity to report |\n| `--output` | `table` | Output format: `table`, `json`, `sarif` |\n| `--output-file` | | Write output to file instead of stdout |\n| `--iam-days` | `90` | IAM audit log lookback period in days |\n| `--cert-days` | `90` | Certificate expiry warning threshold in days |\n| `--require-tags` | | Required tags for tag audit (comma-separated) |\n| `--concurrency` | `10` | Max parallel goroutines for IAM scanning |\n\n---\n\n### `matlock inventory` — list all cloud resources\n\nLists all cloud resources across providers with type, region, tags, and creation date. Groups by type and region for a complete asset overview.\n\n```sh\n# List all resources across auto-detected providers\nmatlock inventory\n\n# Filter to specific resource types\nmatlock inventory --type ec2,s3,lambda\n\n# AWS only, JSON output\nmatlock inventory --provider aws --output json --output-file inventory.json\n```\n\n**Flags**\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--provider` | auto | Cloud providers to list: `aws`, `gcp`, `azure` |\n| `--type` | all | Resource types to list (e.g. `ec2`, `s3`, `lambda`) |\n| `--output` | `table` | Output format: `table`, `json` |\n| `--output-file` | | Write output to file instead of stdout |\n\n---\n\n### `matlock quota` — service quota utilization\n\nChecks service quota usage across cloud providers to prevent outages from silently hitting limits. Reports IAM, EC2, S3, Lambda, RDS quotas (AWS), compute project quotas (GCP), and compute/network/storage quotas (Azure).\n\n```sh\n# All providers, all quotas\nmatlock quota\n\n# Only quotas above 50% utilization\nmatlock quota --threshold 50\n\n# AWS only, JSON output\nmatlock quota --provider aws --output json --output-file quotas.json\n```\n\n**Flags**\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--provider` | auto | Cloud providers to check: `aws`, `gcp`, `azure` |\n| `--threshold` | `0` | Minimum utilization percentage to report |\n| `--output` | `table` | Output format: `table`, `json` |\n| `--output-file` | | Write output to file instead of stdout |\n\nUtilization is color-coded: green (\u003c50%), yellow (50-80%), red (\u003e80%).\n\n---\n\n### `matlock baseline` — save and manage scan baselines\n\nSave any scan report as a named baseline for later comparison with `matlock compare`.\n\n```sh\n# Save a baseline from a scan report\nmatlock iam scan --output json --output-file scan.json\nmatlock baseline save --from scan.json --name pre-deploy\n\n# List saved baselines\nmatlock baseline list\n\n# Delete a baseline\nmatlock baseline delete --name old-scan\n```\n\nBaselines are stored in `~/.matlock/baselines/`.\n\n**Subcommands**\n\n| Subcommand | Description |\n|------------|-------------|\n| `baseline save --from \u003cfile\u003e --name \u003cname\u003e` | Save a report as a named baseline |\n| `baseline list` | List all saved baselines with dates |\n| `baseline delete --name \u003cname\u003e` | Delete a saved baseline |\n\n---\n\n### `matlock compare` — diff two scan reports\n\nCompares two scan reports (or a saved baseline against a current report) and classifies each finding as new, resolved, or unchanged.\n\n```sh\n# Compare a saved baseline against a new scan\nmatlock compare --baseline pre-deploy --current scan-after.json\n\n# Compare two report files directly\nmatlock compare --from old-report.json --to new-report.json\n\n# JSON output\nmatlock compare --from old.json --to new.json --output json\n```\n\n**Flags**\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--baseline` | | Name of saved baseline to compare against |\n| `--current` | | Path to current report JSON file |\n| `--from` | | Path to older report JSON file |\n| `--to` | | Path to newer report JSON file |\n| `--output` | `table` | Output format: `table`, `json` |\n| `--output-file` | | Write output to file instead of stdout |\n\nUse `--baseline` + `--current` or `--from` + `--to` (not both). Supports all report types: audit, IAM, storage, network, orphans, certs, tags, secrets, quotas.\n\n**End-to-end workflow**\n\n```sh\n# Before a deploy: scan and save a baseline\nmatlock audit --output json --output-file audit.json\nmatlock baseline save --from audit.json --name pre-deploy-v2\n\n# After the deploy: scan again and compare\nmatlock audit --output json --output-file audit-after.json\nmatlock compare --baseline pre-deploy-v2 --current audit-after.json\n\n# Output shows:\n#   +NEW        findings introduced since the baseline\n#   -RESOLVED   findings that no longer appear\n#   =UNCHANGED  findings present in both\n```\n\nYou can also skip baselines and compare any two JSON files directly:\n\n```sh\nmatlock compare --from monday-scan.json --to friday-scan.json --output json\n```\n\n---\n\n### `matlock report` — generate HTML executive summary\n\nGenerates a standalone, self-contained HTML report from any JSON scan output. Includes summary cards, severity breakdown, domain-specific tables, and client-side table sorting. Supports light and dark mode via `prefers-color-scheme`.\n\n```sh\n# Generate from an audit report\nmatlock audit --output json --output-file audit.json\nmatlock report --from audit.json --out report.html --open\n\n# Generate from any scan report\nmatlock report --from iam-scan.json --out iam-report.html\n\n# Explicit type override\nmatlock report --from data.json --type orphans --out orphans.html\n```\n\n**Flags**\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--from` | (required) | Path to scan report JSON file |\n| `--out` | `report.html` | Output HTML file path |\n| `--type` | `auto` | Report type: `auto`, `audit`, `iam`, `storage`, `network`, `orphans`, `certs`, `tags`, `secrets`, `cost`, `quotas` |\n| `--open` | `false` | Open the report in the default browser after generation |\n\n---\n\n## Global flags\n\n| Flag | Description |\n|------|-------------|\n| `--quiet`, `-q` | Suppress all progress and summary output on stderr (for scripts) |\n| `--version` | Print version, commit hash, and build date |\n\n---\n\n## CI usage\n\n### GitHub Actions — SARIF upload\n\nUpload IAM findings to GitHub Advanced Security (requires `security-events: write` permission):\n\n```yaml\nname: matlock security scan\n\non:\n  schedule:\n    - cron: '0 6 * * 1'   # every Monday at 06:00 UTC\n  workflow_dispatch:\n\npermissions:\n  security-events: write\n\njobs:\n  iam-scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n\n      - name: Install matlock\n        run: |\n          curl -sSL https://github.com/stxkxs/matlock/releases/latest/download/matlock_Linux_amd64.tar.gz \\\n            | tar -xz matlock\n          sudo mv matlock /usr/local/bin/\n\n      - name: Run IAM scan\n        env:\n          AWS_ROLE_ARN: ${{ secrets.MATLOCK_ROLE_ARN }}\n          AWS_REGION: us-east-1\n        run: |\n          matlock iam scan \\\n            --provider aws \\\n            --severity HIGH \\\n            --output sarif \\\n            --output-file results.sarif \\\n            --quiet\n\n      - name: Upload SARIF to GitHub Security\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: results.sarif\n```\n\n### GitHub Actions — full audit\n\nRun a unified audit across all domains in CI:\n\n```yaml\nname: matlock full audit\n\non:\n  schedule:\n    - cron: '0 6 * * 1'\n  workflow_dispatch:\n\npermissions:\n  security-events: write\n\njobs:\n  audit:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n\n      - name: Install matlock\n        run: |\n          curl -sSL https://github.com/stxkxs/matlock/releases/latest/download/matlock_Linux_amd64.tar.gz \\\n            | tar -xz matlock\n          sudo mv matlock /usr/local/bin/\n\n      - name: Run full audit\n        env:\n          AWS_ROLE_ARN: ${{ secrets.MATLOCK_ROLE_ARN }}\n          AWS_REGION: us-east-1\n        run: |\n          matlock audit \\\n            --provider aws \\\n            --severity HIGH \\\n            --output sarif \\\n            --output-file audit.sarif \\\n            --quiet\n\n      - name: Upload SARIF to GitHub Security\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: audit.sarif\n```\n\n### GitLab CI — JSON report artifact\n\n```yaml\nmatlock:\n  image: ubuntu:24.04\n  before_script:\n    - curl -sSL https://github.com/stxkxs/matlock/releases/latest/download/matlock_Linux_amd64.tar.gz\n        | tar -xz matlock\n    - mv matlock /usr/local/bin/\n  script:\n    - matlock iam scan --output json --output-file report.json --quiet\n    - matlock storage audit --severity HIGH --output json --output-file storage.json --quiet\n  artifacts:\n    paths:\n      - report.json\n      - storage.json\n    expire_in: 30 days\n```\n\n### Fail CI on critical findings\n\n```sh\n# Exit non-zero if any CRITICAL findings exist\nmatlock iam scan --severity CRITICAL --output json --quiet | \\\n  jq -e '.findings | length == 0'\n```\n\n---\n\n## Output formats\n\n| Format | Flag | Use case |\n|--------|------|----------|\n| Table | `--output table` | Human-readable terminal output with colors |\n| JSON | `--output json` | Scripts, alerting, dashboards |\n| SARIF | `--output sarif` | GitHub Advanced Security, IDE integrations |\n\nAll formats can be written to a file with `--output-file path/to/file`.\n\n---\n\n## Version\n\n```sh\nmatlock --version\n# v0.1.0 (commit abc1234, built 2026-03-01T12:00:00Z)\n```\n\n---\n\n## License\n\nMIT — see [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstxkxs%2Fmatlock","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstxkxs%2Fmatlock","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstxkxs%2Fmatlock/lists"}