Skyscanner/cfripper
GitHub: Skyscanner/cfripper
A Python library and command-line tool for analysing AWS CloudFormation templates and checking them for security compliance.
Stars: 413 | Forks: 59
# CFRipper

[PyPI version](https://badge.fury.io/py/cfripper)
[Homebrew formula](https://formulae.brew.sh/formula/cfripper)

CFRipper is a library and CLI security analyzer for AWS CloudFormation templates. You can use CFRipper to prevent insecure AWS resources from being deployed into your cloud environment. You can write your own compliance checks by adding new custom plugins.
Docs and more details are available at https://cfripper.readthedocs.io/
## CLI usage
### Normal execution
```
$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
- FullWildcardPrincipalRule: rootRole should not allow full wildcard '*', or wildcard in account ID like 'arn:aws:iam::*:12345' at '*'
- IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Analysing /tmp/root_bypass.json...
Valid: True
```
### Using the "resolve" flag
```
$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt --resolve
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
- FullWildcardPrincipalRule: rootRole should not allow full wildcard '*', or wildcard in account ID like 'arn:aws:iam::*:12345' at '*'
- IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Analysing /tmp/root_bypass.json...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
- IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Monitored issues found:
- PartialWildcardPrincipalRule: rootRole contains an unknown principal: 123456789012
- PartialWildcardPrincipalRule: rootRole should not allow wildcard, account-wide or root in resource-id like 'arn:aws:iam::12345:root' at 'arn:aws:iam::123456789012:root'
```
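Why the `--resolve` flag changes the verdict above, as an added illustration that is not cfripper's own code or rules: a toy resolver for `Fn::Join` and `Ref`, plus simplified versions of the FullWildcardPrincipalRule, IAMRolesOverprivilegedRule and PartialWildcardPrincipalRule checks, run over two constructed templates standing in for `/tmp/root.yaml` and `/tmp/root_bypass.json` (the real files are not on the page). The `resolve` and `find_issues` functions, the template contents and the `known_accounts` parameter are assumptions of this example.

```python
import re
# Constructed templates, simplified stand-ins for /tmp/root.yaml and /tmp/root_bypass.json (not on the
# page). The bypass builds the same principal and action with Fn::Join and Ref instead of literal strings.
ROOT = {"Resources": {"rootRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]},
    "Policies": [{"PolicyName": "root", "PolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}}}}
ROOT_BYPASS = {"Resources": {"rootRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": {"Fn::Join": [
            "", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":root"]]}}}]},
    "Policies": [{"PolicyName": "root", "PolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": {"Fn::Join": ["", ["*"]]}, "Resource": "*"}]}}]}}}}

def resolve(node, pseudo):
    """Resolve a tiny subset of intrinsics (Fn::Join, Ref to a pseudo parameter), enough for the demo."""
    if isinstance(node, dict):
        if "Fn::Join" in node:
            sep, parts = node["Fn::Join"]
            return sep.join(str(resolve(p, pseudo)) for p in parts)
        if "Ref" in node:
            return pseudo.get(node["Ref"], node)
        return {k: resolve(v, pseudo) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, pseudo) for v in node]
    return node

def as_list(value):
    return value if isinstance(value, list) else [value]

def find_issues(template, resolve_intrinsics=False, account_id="123456789012", known_accounts=()):
    """Return (issues, monitored). Unresolved intrinsics stay dicts: they never equal '*' or match an ARN."""
    tpl = resolve(template, {"AWS::AccountId": account_id}) if resolve_intrinsics else template
    issues, monitored = [], []
    for name, res in tpl["Resources"].items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res["Properties"]
        for st in props["AssumeRolePolicyDocument"]["Statement"]:
            principal = st.get("Principal", {})
            for p in as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal):
                if p == "*":
                    issues.append(f"FullWildcardPrincipalRule: {name} should not allow full wildcard '*'")
                elif isinstance(p, str) and (m := re.match(r"^arn:aws:iam::(\d{12}):root$", p)) and m.group(1) not in known_accounts:
                    monitored.append(f"PartialWildcardPrincipalRule: {name} contains an unknown principal: {m.group(1)}")
        for pol in props.get("Policies", []):
            for st in pol["PolicyDocument"]["Statement"]:
                if st.get("Effect") == "Allow" and "*" in as_list(st.get("Action", [])):
                    issues.append(f"IAMRolesOverprivilegedRule: Role '{name}' contains an insecure permission '*' in policy '{pol['PolicyName']}'")
    return issues, monitored
```

Without resolution the bypass template reports nothing, with resolution the `*` permission comes back and the root ARN is only "monitored" because no account ID is configured, which mirrors the two CLI runs above.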
### Using the json format and the output-folder argument
```
$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format json --resolve --output-folder /tmp
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Result saved in /tmp/root.yaml.cfripper.results.json
Analysing /tmp/root_bypass.json...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Result saved in /tmp/root_bypass.json.cfripper.results.json
```
### Using a rules config file
```
$ cfripper tests/test_templates/config/security_group_firehose_ips.json --rules-config-file cfripper/config/rule_configs/example_rules_config_for_cli.py
Analysing tests/test_templates/config/security_group_firehose_ips.json...
Valid: True
```
### Using rules filter files
```
$ cfripper tests/test_templates/config/security_group_firehose_ips.json --rules-filters-folder cfripper/config/rule_configs/
example_rules_config_for_cli.py loaded
Analysing tests/test_templates/config/security_group_firehose_ips.json...
Valid: True
```
### Exit codes
```
"""
Analyse AWS Cloudformation templates passed by parameter.
Exit codes:
- 0 = all templates valid and scanned successfully
- 1 = error / issue in scanning at least one template
- 2 = at least one template is not valid according to CFRipper (template scanned successfully)
- 3 = unknown / unhandled exception in scanning the templates
"""
```
## Development
### Prerequisites
This project uses [uv](https://docs.astral.sh/uv/) for dependency management. Install it with one of the following commands:
```
# macOS
brew install uv
# Linux/macOS
curl -LsSf https://astral.sh/uv/install.sh | sh
# Windows
powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
```
### Setup
```
# Install development dependencies
make install-dev
# Run tests (lint + unit tests)
make test
# Run the linter
make lint
# Format the code
make format
# Update the lock file after changing dependencies
make lock
```
Tags: AWS, CloudFormation, DevSecOps, DPI, IaC scanning, IAM permissions, S3 security, upstream proxy, cloud security monitoring, security compliance, plugin-based, document structure analysis, system triage, network proxy, cross-account trust, reverse-engineering tools, configuration checks, static analysis