1 | 1 | # rdsspectre |
2 | 2 |
|
3 | | -Managed database waste and security auditor for AWS RDS and GCP Cloud SQL. |
| 3 | +[](https://github.com/ppiankov/rdsspectre/actions/workflows/ci.yml) |
| 4 | +[](https://goreportcard.com/report/github.com/ppiankov/rdsspectre) |
| 5 | + |
| 6 | +**rdsspectre** — Managed database waste and security auditor for RDS and Cloud SQL. Part of [SpectreHub](https://github.com/ppiankov/spectrehub). |
4 | 7 |
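Review bot: the two badge links at new lines 3 and 4 have nothing between the square brackets, so they render as empty anchors with no visible badge; put the badge image inside the link, e.g. `[![CI](https://github.com/ppiankov/rdsspectre/actions/workflows/ci.yml/badge.svg)](https://github.com/ppiankov/rdsspectre/actions/workflows/ci.yml)`. The new one-line description also drops the "AWS" and "GCP" qualifiers the removed line carried; "AWS RDS and GCP Cloud SQL" is clearer for a reader arriving from the SpectreHub page.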
|
5 | 8 | ## What it is |
6 | 9 |
|
7 | | -A read-only CLI tool that scans managed database instances for idle, oversized, unencrypted, publicly accessible, and misconfigured databases. Each finding includes severity and estimated monthly waste in USD. |
| 10 | +- Scans AWS RDS and GCP Cloud SQL for idle, oversized, and misconfigured instances |
| 11 | +- Detects unencrypted databases, public accessibility, and missing backups |
| 12 | +- Estimates monthly waste in USD per finding |
| 13 | +- Generates IAM policy and config file via init command |
| 14 | +- Outputs text, JSON, SARIF, and SpectreHub formats |
8 | 15 |
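Review bot: the removed sentence said every finding carries a severity, and the new bullets mention only the USD waste estimate; because this same commit deletes the Finding Types table that listed the severities, the README no longer states anywhere that findings are rated critical, high, medium or low. Keep a bullet such as `- Rates each finding by severity (critical, high, medium, low)` or point to wherever the finding catalogue now lives.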
|
9 | 16 | ## What it is NOT |
10 | 17 |
|
11 | 18 | - Not a database query tool or performance profiler |
12 | 19 | - Not a migration or modification tool — strictly read-only |
13 | | -- Not a replacement for AWS Trusted Advisor or GCP Recommender — deeper, database-specific checks |
| 20 | +- Not a replacement for Trusted Advisor or GCP Recommender |
| 21 | + |
| 22 | +## Quick start |
14 | 23 |
|
15 | | -## Quick Start |
| 24 | +### Homebrew |
| 25 | + |
| 26 | +```sh |
| 27 | +brew tap ppiankov/tap |
| 28 | +brew install rdsspectre |
| 29 | +``` |
16 | 30 |
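Review bot: the removed `go install github.com/ppiankov/rdsspectre/cmd/rdsspectre@latest` was the one install path that needs neither a Homebrew tap nor a clone and a `make`; keep it as a third subsection next to Homebrew and From source rather than dropping it.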
|
17 | | -```bash |
18 | | -# Install |
19 | | -go install github.com/ppiankov/rdsspectre/cmd/rdsspectre@latest |
| 31 | +### From source |
20 | 32 |
|
21 | | -# Generate config and IAM policy |
22 | | -rdsspectre init |
| 33 | +```sh |
| 34 | +git clone https://github.com/ppiankov/rdsspectre.git |
| 35 | +cd rdsspectre |
| 36 | +make build |
| 37 | +``` |
23 | 38 |
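Review bot: `make build` is shown without saying where the binary lands, yet the Usage block that follows invokes `rdsspectre` as if it were already on PATH; add the output path (or an install target, if the Makefile has one) after `make build` so a from-source reader can actually run the next command.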
|
24 | | -# Scan AWS RDS |
25 | | -rdsspectre aws --region us-east-1 |
| 39 | +### Usage |
26 | 40 |
|
27 | | -# Scan GCP Cloud SQL |
28 | | -rdsspectre gcp --project my-project |
| 41 | +```sh |
| 42 | +rdsspectre aws --region us-east-1 --format json |
29 | 43 | ``` |
30 | 44 |
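Review bot: the single Usage example skips `rdsspectre init`, which the removed block ran first to generate the config and IAM policy and which the "What it is" bullets still advertise; show `rdsspectre init` before the scan. A GCP example (`rdsspectre gcp --project my-project`) is also worth keeping here so the Cloud SQL path is documented by more than a table row.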
|
31 | | -## Usage |
| 45 | +## CLI commands |
32 | 46 |
|
33 | | -```bash |
34 | | -# AWS RDS scan with custom thresholds |
35 | | -rdsspectre aws --region us-east-1 --idle-days 7 --cpu-threshold 15 --format json |
| 47 | +| Command | Description | |
| 48 | +|---------|-------------| |
| 49 | +| `rdsspectre aws` | Scan AWS RDS instances | |
| 50 | +| `rdsspectre gcp` | Scan GCP Cloud SQL instances | |
| 51 | +| `rdsspectre init` | Generate IAM policy and config file | |
| 52 | +| `rdsspectre version` | Print version | |
36 | 53 |
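Review bot: the command table replaces examples that documented `--idle-days`, `--cpu-threshold`, `--format`, `-o` and `--exclude-tags`; none of these flags appears in the table, so the tunable idle/CPU thresholds and the `--exclude-tags env=production` pattern are now undocumented. Add a flags column or a short "Options" section listing them with their defaults.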
|
37 | | -# GCP Cloud SQL scan |
38 | | -rdsspectre gcp --project my-project --format json |
| 54 | +## SpectreHub integration |
39 | 55 |
|
40 | | -# Output to file |
41 | | -rdsspectre aws --region us-east-1 -o report.json --format json |
| 56 | +rdsspectre feeds managed database waste findings into [SpectreHub](https://github.com/ppiankov/spectrehub) for unified visibility across your infrastructure. |
42 | 57 |
|
43 | | -# Exclude specific instances |
44 | | -rdsspectre aws --exclude-tags env=production |
45 | | -rdsspectre gcp --project my-project --exclude-tags env=production |
| 58 | +```sh |
| 59 | +spectrehub collect --tool rdsspectre |
46 | 60 | ``` |
47 | 61 |
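Review bot: `spectrehub collect --tool rdsspectre` does not say whether SpectreHub runs rdsspectre itself or ingests a report file, and the removed Output Formats list was the only place the `spectrehub` envelope format was named; state which `--format` output SpectreHub expects and, if a file is involved, keep the `-o report.json` step the removed Usage block showed.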
|
48 | | -## Finding Types |
49 | | - |
50 | | -| Finding | Severity | AWS | GCP | Description | |
51 | | -|---------|----------|-----|-----|-------------| |
52 | | -| IDLE_INSTANCE | high | yes | — | CPU < 5%, zero connections over N days | |
53 | | -| OVERSIZED_INSTANCE | high | yes | — | CPU p95 < 20% with active connections | |
54 | | -| UNENCRYPTED_STORAGE | critical | yes | — | Storage encryption disabled | |
55 | | -| PUBLIC_ACCESS | critical | yes | yes | Instance publicly accessible | |
56 | | -| NO_AUTOMATED_BACKUPS | critical | yes | yes | Backup retention period is zero | |
57 | | -| STALE_SNAPSHOT | medium | yes | — | Manual snapshot older than threshold | |
58 | | -| UNUSED_READ_REPLICA | high | yes | yes | Read replica with zero connections | |
59 | | -| NO_MULTI_AZ | high | yes | yes | Single-AZ / ZONAL deployment | |
60 | | -| OLD_ENGINE_VERSION | medium | yes | yes | 2+ major versions behind current | |
61 | | -| NO_DELETION_PROTECTION | medium | yes | yes | Deletion protection disabled | |
62 | | -| PARAMETER_GROUP_DRIFT | low | yes | — | Non-default parameter group | |
63 | | - |
64 | | -## Output Formats |
65 | | - |
66 | | -- `text` — human-readable table (default) |
67 | | -- `json` — spectre/v1 JSON envelope |
68 | | -- `sarif` — SARIF v2.1.0 for CI integration |
69 | | -- `spectrehub` — SpectreHub envelope |
| 62 | +## Safety |
| 63 | + |
| 64 | +rdsspectre operates in **read-only mode**. It inspects and reports — never modifies, deletes, or alters your databases. |
70 | 65 |
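Review bot: deleting the Finding Types table and the Output Formats list removes the only documentation of the finding identifiers (IDLE_INSTANCE, PUBLIC_ACCESS, NO_AUTOMATED_BACKUPS and the rest), their severities, and the `sarif` and `spectrehub` format names, while the "What it is" bullets still promise SARIF and SpectreHub output; either keep the two sections or link to where they moved. The new Safety paragraph would also be more verifiable if it said that the IAM policy `rdsspectre init` generates contains only read and describe permissions, assuming that is the case, since the policy is what a reader can check.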
|
71 | 66 | ## License |
72 | 67 |
|
73 | | -MIT |
| 68 | +MIT — see [LICENSE](LICENSE). |
| 69 | + |
| 70 | +--- |
| 71 | + |
| 72 | +Built by [Obsta Labs](https://github.com/ppiankov) |