s3spectre — S3 bucket drift and lifecycle auditor. Part of SpectreHub.
- Scan mode cross-references S3 bucket refs in code against live AWS state
- Discover mode inspects buckets for public access, missing encryption, and lifecycle gaps
- Detects missing buckets, stale prefixes, version sprawl, and drift
- Supports baseline mode to suppress known findings on repeat runs
- Outputs text, JSON, SARIF, and SpectreHub formats
- Not a replacement for AWS Config Rules or GuardDuty — not real-time
- Not a data scanner — never reads object contents, only metadata
- Not a remediation tool — reports only, never modifies buckets
- Not a cost calculator — identifies waste, does not estimate dollars

```
brew tap ppiankov/tap
brew install s3spectre
```

```
git clone https://github.com/ppiankov/s3spectre.git
cd s3spectre
make build
```

```
s3spectre discover --region us-east-1 --format json
```

| Command | Description |
|---|---|
| `s3spectre scan` | Cross-reference code bucket refs against live S3 state |
| `s3spectre discover` | Inspect S3 buckets for waste and misconfigurations |
| `s3spectre version` | Print version |

s3spectre feeds S3 bucket findings into SpectreHub for unified visibility across your infrastructure.

```
spectrehub collect --tool s3spectre
```

s3spectre operates in read-only mode. It inspects and reports — never modifies, deletes, or alters your buckets.
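
The read-only, metadata-only scope described above can be enforced at the IAM layer rather than taken on trust. The following is an added example, not part of s3spectre: a Python lint that flags any Allow grant beyond a metadata-read allowlist. The allowlist, function names, and sample policies are assumptions constructed for illustration; this README does not list the permissions s3spectre requires.

```python
import fnmatch

# Assumed allowlist for a metadata-only S3 auditor role (not taken from s3spectre docs).
METADATA_ONLY = {a.lower() for a in (
    "s3:ListAllMyBuckets", "s3:ListBucket", "s3:ListBucketVersions",
    "s3:GetBucketLocation", "s3:GetBucketAcl", "s3:GetBucketPolicyStatus",
    "s3:GetBucketPublicAccessBlock", "s3:GetBucketVersioning",
    "s3:GetEncryptionConfiguration", "s3:GetLifecycleConfiguration",
)}

def _as_list(value):
    """IAM allows a single string/object where a list is expected."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def audit_policy(policy):
    """Return (sid, action, reason) for each Allow grant outside METADATA_ONLY."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction", "Allow with NotAction grants everything unlisted"))
        for action in _as_list(stmt.get("Action")):
            pattern = action.lower()  # IAM action names are case-insensitive
            if pattern in METADATA_ONLY:
                continue
            if "*" in pattern or "?" in pattern:
                reads_data = fnmatch.fnmatchcase("s3:getobject", pattern)
                reason = "wildcard covers s3:GetObject" if reads_data else "wildcard exceeds allowlist"
            else:
                reason = "not a metadata-read action"
            findings.append((sid, action, reason))
    return findings

# Constructed sample policies.
GOOD = {"Version": "2012-10-17", "Statement": {
    "Sid": "AuditMetadata", "Effect": "Allow", "Resource": "*",
    "Action": ["s3:ListAllMyBuckets", "s3:GetBucketPublicAccessBlock",
               "s3:GetEncryptionConfiguration", "s3:GetLifecycleConfiguration"]}}
BAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Resource": "*",
     "Action": ["s3:Get*", "s3:ListBucket", "s3:PutLifecycleConfiguration"]},
    {"Effect": "Allow", "Resource": "*", "Action": "S3:GETOBJECT"}]}

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_policy(doc))
```

Any finding means the role can do more than inspect bucket metadata, so the tool's read-only behaviour would rest on its code alone instead of on the credentials it runs with.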
| Document | Contents |
|---|---|
| CLI Reference | Full command reference, flags, and configuration |
MIT — see LICENSE.
Built by Obsta Labs