CFRipper is a Library and CLI security analyzer for AWS CloudFormation templates. You can use CFRipper to prevent deploying insecure AWS resources into your Cloud environment. You can write your own compliance checks by adding new custom plugins.
Docs and more details available in https://cfripper.readthedocs.io/
$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt Analysing /tmp/root.yaml... Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config. Valid: False Issues found: - FullWildcardPrincipalRule: rootRole should not allow full wildcard '*', or wildcard in account ID like 'arn:aws:iam::*:12345' at '*' - IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root' Analysing /tmp/root_bypass.json... Valid: True$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt --resolve Analysing /tmp/root.yaml... Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config. Valid: False Issues found: - FullWildcardPrincipalRule: rootRole should not allow full wildcard '*', or wildcard in account ID like 'arn:aws:iam::*:12345' at '*' - IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root' Analysing /tmp/root_bypass.json... Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config. Valid: False Issues found: - IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root' Monitored issues found: - PartialWildcardPrincipalRule: rootRole contains an unknown principal: 123456789012 - PartialWildcardPrincipalRule: rootRole should not allow wildcard, account-wide or root in resource-id like 'arn:aws:iam::12345:root' at 'arn:aws:iam::123456789012:root'$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format json --resolve --output-folder /tmp Analysing /tmp/root.yaml... Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config. Result saved in /tmp/root.yaml.cfripper.results.json Analysing /tmp/root_bypass.json... Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config. Result saved in /tmp/root_bypass.json.cfripper.results.json$ cfripper tests/test_templates/config/security_group_firehose_ips.json --rules-config-file cfripper/config/rule_configs/example_rules_config_for_cli.py Analysing tests/test_templates/config/security_group_firehose_ips.json... Valid: True$ cfripper tests/test_templates/config/security_group_firehose_ips.json --rules-filters-folder cfripper/config/rule_configs/ example_rules_config_for_cli.py loaded Analysing tests/test_templates/config/security_group_firehose_ips.json... Valid: True""" Analyse AWS Cloudformation templates passed by parameter. Exit codes: - 0 = all templates valid and scanned successfully - 1 = error / issue in scanning at least one template - 2 = at least one template is not valid according to CFRipper (template scanned successfully) - 3 = unknown / unhandled exception in scanning the templates """This project uses uv for dependency management. Install it with:
# macOS brew install uv # Linux/macOS curl -LsSf https://astral.sh/uv/install.sh | sh # Windows powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"# Install development dependencies make install-dev # Run tests (lint + unit) make test # Run linter make lint # Format code make format # Update lock file after changing dependencies make lock