IAM Armor: Static analyzer for AWS IAM policies in Terraform

Pre-commit Hook

Run IAM Armor automatically on every commit using the pre-commit framework.

The pre-commit integration runs iamarmor scan against staged Terraform files on every commit, blocking bad IAM configs before they enter your history.

Prerequisites

Install pre-commit if you haven’t already:

pip install pre-commit

Add the hook

Add the following to your .pre-commit-config.yaml at the root of your repository:

repos:
  - repo: https://github.com/iam-armor/iamarmor
    rev: v0.2.0
    hooks:
      - id: iamarmor

Then install the hooks:

pre-commit install

From now on, iamarmor scan runs automatically against any staged .tf files each time you run git commit.

Run manually

You can trigger the hook against all tracked files, not just the staged ones, without committing:

pre-commit run iamarmor --all-files

Pin a specific version

Set rev to the release tag you want to pin:

repos:
  - repo: https://github.com/iam-armor/iamarmor
    rev: v0.2.0   # pin to a specific release
    hooks:
      - id: iamarmor

Check github.com/iam-armor/iamarmor/releases for the latest release tag.

Pass extra arguments

Override the default severity threshold or output format via args:

repos:
  - repo: https://github.com/iam-armor/iamarmor
    rev: v0.2.0
    hooks:
      - id: iamarmor
        args: [--fail-on, high, --format, json]
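As an added example (not IAM Armor's own code), the following POSIX shell script reproduces what the hook does at commit time and what `--all-files` does in the "Run manually" section, using the args from the config above. It assumes `iamarmor scan` accepts file paths as trailing arguments, the way pre-commit passes them, and that `SCANNER` may be overridden (e.g. with `echo`) for a dry run.

```shell
#!/usr/bin/env sh
# Added example, not part of IAM Armor: a plain-shell stand-in for the
# pre-commit hook, handy for seeing exactly which files the scanner receives.
# Assumption: `iamarmor scan` takes file paths as trailing arguments.
# Set SCANNER to another command (e.g. `echo`) for a dry run.
SCANNER="${SCANNER:-iamarmor scan}"

# Files the commit-time hook sees: staged *.tf that were added, copied or
# modified. Deleted files are skipped, and unstaged edits are NOT scanned.
staged_tf_files() {
  git diff --cached --name-only --diff-filter=ACM -- '*.tf'
}

# Files `pre-commit run iamarmor --all-files` sees: every tracked *.tf.
all_tf_files() {
  git ls-files -- '*.tf'
}

# Run the scanner with the args from the config above (fail on "high" or
# worse, JSON output). Exit status is the scanner's, so callers can gate on it.
run_scan() {
  [ "$#" -eq 0 ] && { echo "no .tf files to scan"; return 0; }
  # shellcheck disable=SC2086  (SCANNER is intentionally word-split)
  $SCANNER --fail-on high --format json "$@"
}

# Paths are word-split here, so this assumes filenames without whitespace.
scan_staged() { run_scan $(staged_tf_files); }
scan_all()    { run_scan $(all_tf_files); }

# `sh iamarmor-hook.sh staged` mirrors the hook; `... all` mirrors --all-files.
case "${1:-}" in
  staged) scan_staged ;;
  all)    scan_all ;;
esac
```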

Combine with CI

The pre-commit hook and the Self-Host / CI guide are complementary. Use the hook for fast local feedback and the CI step as a merge gate to enforce team-wide policy.

Next steps