  • Stars: 812
  • Rank 56,150 (Top 2 %)
  • Language: Go
  • License: Apache License 2.0
  • Created almost 4 years ago
  • Updated about 2 months ago


Repository Details

Extensible auto-tagger for your IaC files. The ultimate way to link entities in the cloud back to the codified resource which created it.


Yor is an open-source tool that adds informative and consistent tags across infrastructure as code (IaC) frameworks. Today, Yor can automatically add tags to Terraform, CloudFormation, and the Serverless Framework.

Yor is built to run as a GitHub Action, automatically applying consistent tagging logic to your IaC. Yor can also run as a pre-commit hook and as a standalone CLI.

Features

  • Apply tags and labels to an infrastructure-as-code directory.
  • Tracing: the yor_trace tag enables simple attribution between an IaC resource block and a running cloud resource.
  • Change management: git-based tags automatically add org, repo, commit and modifier details to every resource block.
  • Custom taggers: user-defined tagging logic can be added and run through Yor.
  • Skips: inline annotations let developers exclude paths that should not be tagged.
  • Dry-Run: get a preview of the tags that would be added without applying any.

Getting Started

Installation

MacOS / Linux

brew tap bridgecrewio/tap
brew install bridgecrewio/tap/yor

If not using Brew:

pip3 install lastversion
lastversion bridgecrewio/yor -d --assets
# Quote the glob so the shell does not expand it before find runs
tar -xzf $(find . -name '*.tar.gz')
chmod +x yor
sudo mv yor /usr/local/bin

OR

Windows

choco install yor

OR

Docker

docker pull bridgecrew/yor

docker run --tty --volume /local/path/to/tf:/tf bridgecrew/yor tag --directory /tf

GitHub Action

name: IaC trace

on:
  # Triggers the workflow on push or pull request events but only for the main branch
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

jobs:
  yor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        name: Checkout repo
        with:
          fetch-depth: 0
          ref: ${{ github.head_ref }}
      - name: Run yor action and commit
        # Pin to a release tag or commit SHA rather than tracking main so the
        # action that commits to your repo is reviewable and reproducible
        uses: bridgecrewio/yor-action@main

Azure DevOps Pipeline

Install Yor with:

trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
- script: |
    # Note: -k disables TLS certificate verification on both curl calls; drop it unless a corporate proxy requires it
    curl -s -k https://api.github.com/repos/bridgecrewio/yor/releases/latest | jq '.assets[] | select(.name | contains("linux_386")) | select(.content_type | contains("gzip")) | .browser_download_url' -r | awk '{print "curl -L -k " $0 " -o yor.tar.gz"}' | sh
    sudo tar -xf yor.tar.gz -C /usr/bin/
    rm yor.tar.gz
    sudo chmod +x /usr/bin/yor
    echo 'alias yor="/usr/bin/yor"' >> ~/.bashrc
    yor --version

Pre-commit

  - repo: https://github.com/bridgecrewio/yor
    rev: 0.1.143
    hooks:
      - id: yor
        name: yor
        entry: yor tag -d
        args: ["."]
        language: golang
        types: [terraform]
        pass_filenames: false

Usage

tag : Apply tagging on a given directory.

# Apply all the tags in yor on the directory tree terraform.
yor tag --directory terraform/

# Apply only the specified tags git_file and git_org
yor tag --directory terraform/ --tags git_file,git_org

# Apply all the tags in yor except the tags starting with git and yor_trace
yor tag --directory terraform/ --skip-tags git*,yor_trace

# Apply only the tags under the git tag group
yor tag --tag-groups git --directory terraform/

# Apply key-value tags on a specific directory
export YOR_SIMPLE_TAGS='{ "Environment" : "Dev" }'
yor tag --tag-groups simple --directory terraform/dev/

# Perform a dry run to get a preview in the CLI output of all of the tags that will be added using Yor without applying any changes to your IaC files.
yor tag -d . --dry-run

# Use an external tag group configuration file path
yor tag -d . --config-file /path/to/conf/file/

# Apply tags to all resources except those of a specified resource type
yor tag -d . --skip-resource-types aws_s3_bucket

# Apply tags with a specific prefix
yor tag -d . --tag-prefix "module_"

# Apply tags to all resources except the one with the specified name
yor tag -d . --skip-resources aws_s3_bucket.operations

# Apply tags to only the specified frameworks
yor tag -d . --parsers Terraform,CloudFormation

# Run yor with custom tags located in tests/yor_plugins/example and custom taggers located in tests/yor_plugins/tag_group_example
yor tag -d . --custom-tagging tests/yor_plugins/example,tests/yor_plugins/tag_group_example

-o : Modify output formats.

# Default cli output
yor tag -d . -o cli

# json output
yor tag -d . -o json

# Print CLI output and additional output to a JSON file -- enables programmatic analysis alongside printing human readable results
yor tag -d . --output cli --output-json-file result.json

--skip-dirs : Skip directory paths. Define paths that will not be tagged.

# Run on the directory path/to/files
yor tag -d path/to/files

# Run yor on the directory path/to/files, skipping path/to/files/skip/ and path/to/files/another/skip2/
yor tag -d path/to/files --skip-dirs path/to/files/skip,path/to/files/another/skip2

list-tag

# List the tag groups that are built into yor
yor list-tag-groups

# List all the tags built into yor
yor list-tags

# List all the tags built into yor under the tag group git
yor list-tags --tag-groups git

What is Yor trace?

yor_trace is a tag that assigns a unique identifier to an IaC resource code block.

Having a yor_trace in place helps trace a code block to the cloud resources provisioned from it, without access to sensitive data such as plan or state files.
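The attribution that yor_trace makes possible, as an added example that is not part of Yor or this README: index the trace values in a tagged Terraform file, then link a constructed cloud inventory snapshot back to the resource blocks that created each entity and surface entities that carry no known trace. The Terraform text, inventory and UUID-shaped trace values are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a Terraform file after `yor tag` has run; the yor_trace
# values are placeholders made up for this example, not real traces.
SAMPLE_TF = '''
resource "aws_s3_bucket" "operations" {
  tags = {
    Environment = "Dev"
    yor_trace   = "11111111-2222-3333-4444-555555555555"
  }
}
resource "aws_instance" "web" {
  tags = { yor_trace = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" }
}
'''
# Constructed inventory snapshot (what a cloud tag-listing API might return).
CLOUD_INVENTORY = [
    {"id": "arn:aws:s3:::ops-logs", "tags": {"yor_trace": "11111111-2222-3333-4444-555555555555"}},
    {"id": "i-0exampleweb", "tags": {"yor_trace": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}},
    {"id": "i-0examplemanual", "tags": {"Name": "manual-box"}},  # created outside IaC
]
RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
TRACE_RE = re.compile(r'yor_trace\s*=\s*"([0-9a-fA-F-]+)"')


def index_traces(tf_source: str) -> Dict[str, str]:
    """Map each yor_trace value to the 'type.name' of the block that carries it.
    A block is taken to run from its header to the next resource header, which
    is enough for Yor-emitted tags without a full HCL parser."""
    headers = list(RESOURCE_RE.finditer(tf_source))
    traces: Dict[str, str] = {}
    for i, head in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(tf_source)
        match = TRACE_RE.search(tf_source, head.end(), end)
        if match:
            traces[match.group(1)] = f"{head.group(1)}.{head.group(2)}"
    return traces


def attribute(inventory: List[dict], traces: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Link each cloud entity to its code block; entities whose yor_trace is
    missing or unknown are returned separately as drift candidates."""
    attributed: Dict[str, str] = {}
    unattributed: List[str] = []
    for entity in inventory:
        block = traces.get(entity["tags"].get("yor_trace", ""))
        if block:
            attributed[entity["id"]] = block
        else:
            unattributed.append(entity["id"])
    return attributed, unattributed
```

Entities in the unattributed list are the ones worth a closer look: they were either created outside the codified pipeline or had their tags removed.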

See demo here

Contributing

Contributions are welcome!

We are working on extending Yor and adding more parsers (to support additional IaC frameworks) and more taggers (to tag using other contextual data).

To maintain our conventions, please run lint on your branch before opening a PR. To run lint:

golangci-lint run --fix --skip-dirs tests/yor_plugins

Support

For more support contact us at https://slack.bridgecrew.io/.
