Releases: TocConsulting/lambda-security-scanner
lambda-security-scanner v1.0.0
First public release. A read-only AWS Lambda security and compliance scanner with multi-framework mapping.
Highlights
- 19 read-only checks across 5 categories.
- Compliance mapping for 10 frameworks totaling 81 controls.
- Per-function scoring with mutual-exclusion rules.
- JSON, CSV, and interactive HTML reports.
Security checks
- Function configuration: deprecated and end-of-life runtime detection, maximum timeout, environment-variable secret scanning, large ephemeral storage, external layers, X-Ray tracing, dead letter queue.
- Access control: public resource-based policy, function URL authentication, CORS wildcard origins, over-privileged execution roles, shared execution roles.
- Network security: VPC configuration, multi-AZ deployment, unrestricted security group egress.
- Logging and monitoring: CloudWatch log group and retention, reserved concurrency.
- Code and supply chain: code signing configuration, event source mapping failure destinations.
Secret detection
Scans environment variables for plaintext credentials (AWS keys, GitHub and GitLab tokens, Stripe, Slack, private keys, connection strings, and more). Values that are managed-secret references (a Secrets Manager, SSM, or KMS ARN, an SSM parameter path, or a CloudFormation dynamic reference) are treated as the recommended pattern and are not flagged.
Compliance frameworks
AWS FSBP, CIS AWS Compute Services Benchmark, PCI DSS v4.0.1, HIPAA Security Rule, SOC 2, ISO 27001:2022, ISO 27017:2015, ISO 27018:2019, GDPR, and NIST SP 800-53 Rev5.
Installation
PyPI:
pip install lambda-security-scanner
Docker:
docker pull tarekcheikh/lambda-security-scanner:1.0.0
Usage
lambda-security-scanner security
lambda-security-scanner security --profile production --region eu-west-1
lambda-security-scanner security -n my-function
lambda-security-scanner security --compliance-only
Requirements
- Python 3.10 or higher.
- AWS credentials with read-only describe and get permissions. The full IAM policy is in the README.
Safety
- Strictly read-only. The scanner does not modify any AWS resource.
- Permission errors are reported as findings rather than aborting the scan.
License
MIT