Pre-commit Hook
Run IAM Armor automatically on every commit using the pre-commit framework.
The pre-commit integration runs iamarmor scan against staged Terraform files on every commit, blocking bad IAM configs before they enter your history.
Prerequisites
Install pre-commit if you haven’t already:
pip install pre-commit
Add the hook
Add the following to your .pre-commit-config.yaml at the root of your repository:
repos:
  - repo: https://github.com/iam-armor/iamarmor
    rev: v0.2.0
    hooks:
      - id: iamarmor
Then install the hooks:
pre-commit install
From now on, iamarmor scan runs automatically against any staged .tf files each time you run git commit.
Run manually
You can trigger the hook against all files without committing:
pre-commit run iamarmor --all-files
Pin a specific version
Set rev to the release tag you want to pin to:
repos:
  - repo: https://github.com/iam-armor/iamarmor
    rev: v0.2.0 # pin to a specific release
    hooks:
      - id: iamarmor
Check github.com/iam-armor/iamarmor/releases for the latest release tag.
Pass extra arguments
Override the default severity threshold or output format via args:
repos:
  - repo: https://github.com/iam-armor/iamarmor
    rev: v0.2.0
    hooks:
      - id: iamarmor
        args: [--fail-on, high, --format, json]
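The two sections above (pinning rev and passing args) are the parts of the hook configuration most worth checking in review, since an unpinned rev pulls whatever the remote branch currently points at, and a dangling flag such as --fail-on without a severity silently changes what the scan enforces. The script below is an added example, not code from the IAM Armor project: it reads the flat .pre-commit-config.yaml shape shown on this page with a small regex-based reader (so it runs without PyYAML), and reports whether the iamarmor hook is present, pinned to a release tag, and given complete flag/value pairs. The release-tag pattern vX.Y.Z is an assumption based on the v0.2.0 tag used in the examples; the sample configurations are constructed.

```python
"""Check a .pre-commit-config.yaml for a correctly pinned IAM Armor hook.

Added example (not part of the IAM Armor project). The reader below only
understands the flat config shape shown in the pre-commit docs page.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IAMARMOR_REPO = "https://github.com/iam-armor/iamarmor"
# Assumption: releases are tagged vMAJOR.MINOR.PATCH, as with v0.2.0.
RELEASE_TAG = re.compile(r"^v\d+\.\d+\.\d+$")
# Branch names and HEAD move over time, so they are not a reproducible pin.
MOVING_REFS = {"main", "master", "HEAD"}


@dataclass
class Repo:
    url: str
    rev: Optional[str] = None
    hook_ids: List[str] = field(default_factory=list)
    args: Dict[str, List[str]] = field(default_factory=dict)


def parse_config(text: str) -> List[Repo]:
    """Extract repo/rev/hook id/args from a flat pre-commit config."""
    repos: List[Repo] = []
    current: Optional[Repo] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = re.match(r"^-?\s*repo:\s*(\S+)$", line)
        if m:
            current = Repo(url=m.group(1))
            repos.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"^rev:\s*(\S+)$", line)
        if m:
            current.rev = m.group(1)
            continue
        m = re.match(r"^-?\s*id:\s*(\S+)$", line)
        if m:
            current.hook_ids.append(m.group(1))
            continue
        m = re.match(r"^args:\s*\[(.*)\]$", line)
        if m and current.hook_ids:
            # Flow-style list: [--fail-on, high, --format, json]
            items = [a.strip() for a in m.group(1).split(",")]
            current.args[current.hook_ids[-1]] = [a for a in items if a]
    return repos


def flag_values(args: List[str]) -> Dict[str, Optional[str]]:
    """Pair each --flag with the value following it; a dangling flag maps to None."""
    pairs: Dict[str, Optional[str]] = {}
    i = 0
    while i < len(args):
        if args[i].startswith("--"):
            has_value = i + 1 < len(args) and not args[i + 1].startswith("--")
            pairs[args[i]] = args[i + 1] if has_value else None
            i += 2 if has_value else 1
        else:
            i += 1
    return pairs


def check_iamarmor_hook(config_text: str) -> List[str]:
    """Return a list of findings; an empty list means the hook looks correct."""
    findings: List[str] = []
    repos = [r for r in parse_config(config_text) if r.url.rstrip("/") == IAMARMOR_REPO]
    if not repos:
        return [f"no repo entry for {IAMARMOR_REPO}"]
    for repo in repos:
        if repo.rev is None:
            findings.append("rev is missing; pre-commit requires a pinned revision")
        elif repo.rev in MOVING_REFS or not RELEASE_TAG.match(repo.rev):
            findings.append(f"rev {repo.rev!r} is not a release tag; pin to a tag such as v0.2.0")
        if "iamarmor" not in repo.hook_ids:
            findings.append("hook id 'iamarmor' is not enabled under this repo")
        for hook_id, args in repo.args.items():
            values = flag_values(args)
            for flag in ("--fail-on", "--format"):
                if flag in values and values[flag] is None:
                    findings.append(f"{hook_id}: {flag} is given without a value")
    return findings


# Constructed sample configs for demonstration.
GOOD_CONFIG = """
repos:
  - repo: https://github.com/iam-armor/iamarmor
    rev: v0.2.0 # pin to a specific release
    hooks:
      - id: iamarmor
        args: [--fail-on, high, --format, json]
"""

BAD_CONFIG = """
repos:
  - repo: https://github.com/iam-armor/iamarmor
    rev: main
    hooks:
      - id: iamarmor
        args: [--fail-on]
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_iamarmor_hook(cfg) or "OK")
```

Run it against your own config with `check_iamarmor_hook(open(".pre-commit-config.yaml").read())`; a non-empty result is what you would want a CI step to reject before the hook is trusted as a merge gate.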
Combine with CI
The pre-commit hook and the Self-Host / CI guide are complementary. Use the hook for fast local feedback and the CI step as a merge gate to enforce team-wide policy.
Next steps
- .iamarmor.yml reference — configure severity thresholds and rule ignores
- Self-Host / CI guide — GitHub Actions integration
- Default rules — understand what gets flagged