DEV.co
Open-Source DevOps · bridgecrewio

yor

Yor is an open-source CLI tool that automatically adds consistent tags to infrastructure-as-code files (Terraform, CloudFormation, Serverless Framework). It enables tracking of code changes, resource attribution, and linking cloud resources back to their source definitions.

Source: GitHub — github.com/bridgecrewio/yor
928
GitHub stars
130
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorybridgecrewio/yor
Ownerbridgecrewio
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars928
Forks130
Open issues12
Latest release0.1.200 (2025-02-25)
Last updated2026-07-06
Sourcehttps://github.com/bridgecrewio/yor

What yor is

Written in Go, Yor parses IaC files and injects tags for git metadata (org, repo, commit, author), resource tracing, and custom key-value pairs. It runs as a standalone CLI, GitHub Action, pre-commit hook, or Docker container, with support for dry-run mode and extensible custom taggers via YAML configuration.

Quickstart

Get the yor source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/bridgecrewio/yor.gitcd yor# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Cost allocation and chargeback in multi-team environments

Automatically tag resources with team, project, and environment metadata using git and custom tags, enabling accurate cloud billing attribution without manual effort.

Compliance and audit trails for IaC changes

Inject git-based metadata (commit hash, author, timestamp) into every resource definition, creating an immutable link between deployed infrastructure and source control history for compliance reporting.

Incident response and resource ownership lookup

Use the yor_trace tag to correlate running cloud resources back to their IaC definitions and owning teams, accelerating root-cause analysis and ownership verification.

Implementation considerations

  • Security: Do not point --config-file at paths inside the directory being tagged when auto-committing (e.g., GitHub Action workflows), as repo-resident config files can be edited by attackers to exfiltrate CI secrets into IaC.
  • Pre-commit hook integration: Use the pre-commit hook template (rev: 0.1.143) with language: golang to tag Terraform files automatically; ensure types filter matches your file patterns.
  • Custom taggers: Extensibility via custom YAML tag groups allows environment-specific or organizational metadata injection; review docs/3.Custom Taggers/Custom_tagger_YAML.md for plugin development and sandboxing.
  • Dry-run validation: Always run yor tag -d . --dry-run first to preview tag additions and catch schema conflicts before applying to production IaC.
  • Performance at scale: Coverage badge shows 81.2% test coverage; for large monorepos, validate tag application time and disk I/O with --non-recursive or --skip-dirs flags.

When to avoid it — and what to weigh

  • Sensitive metadata in tags — If you cannot allow git author names, commit messages, or custom environment-specific data to appear as cloud resource tags (due to security or compliance policy), Yor's default tag groups may not be suitable without selective tag filtering.
  • Non-standard IaC frameworks — Yor currently supports only Terraform, CloudFormation, and Serverless Framework. If your infrastructure uses Pulumi, CDK, or proprietary DSLs, you must extend Yor or use an alternative.
  • CI/CD pipelines without Git context — Many Yor features (git org, repo, commit, author tags) require Git context. In environments where IaC is generated or modified outside Git workflows, these taggers will fail or require workarounds.
  • High-velocity tag schema changes — If your tagging strategy requires frequent, real-time schema updates across hundreds of resources, Yor's tag-application model (file modification and commit) may create merge conflicts or require careful orchestration.

License & commercial use

Apache License 2.0 (Apache-2.0). Permissive OSI license allowing commercial use, modification, and distribution with attribution and no patent indemnity. No warranty or liability limitations in standard terms. Suitable for enterprise adoption.

Apache-2.0 is a permissive OSI license that explicitly permits commercial use. You may use, modify, and integrate Yor into proprietary tools and commercial workflows without restrictions, provided you retain Apache license notices. Consult your legal team if vendoring or redistributing modified versions. No paid support tier or SLA documented in provided data; Slack community support via Codified Security workspace is referenced.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Yor injects metadata into IaC files and commits them to Git. Threat considerations: (1) Config files (--config-file) executed in CI/CD can be edited by repo contributors to inject secrets into IaC or exfiltrate CI env vars if auto-commit is enabled. (2) Git metadata tags expose author names and commit hashes, which may reveal organizational or contributor information. (3) Custom taggers (plugins) execute user-defined logic; validate third-party plugins before use. (4) Docker image security posture and dependency vulnerability scanning are not documented. README references security workflow badge and slack community; no CVE history provided in data. No explicit code signing or attestation mentioned.

Alternatives to consider

Terraform Cloud/Enterprise (state-based resource tagging)

HashiCorp's managed platform offers native resource tagging via workspace tags and variable sets, integrated with state management. Does not require code-level modification and eliminates drift. Requires paid licensing; vendor lock-in to Terraform ecosystem.

AWS Tag Manager / CloudFormation Stack Tags

Native AWS mechanisms for tagging resources via stack metadata or Tag Manager; tight integration with AWS cost allocation and IAM policies. Limited to AWS; no multi-cloud or Terraform support; requires cloud-side tag governance.

Infracost / Env0 / Spacelift (policy-as-code platforms)

Commercial platforms offer policy enforcement, cost estimation, and compliance tagging alongside IaC execution. Provide centralized governance, RBAC, and audit trails. Paid SaaS models; less suitable for lightweight tagging-only use cases.

Software development agency

Build on yor with DEV.co software developers

Reduce manual tagging overhead and improve resource attribution with Yor. Install via Homebrew, Docker, or GitHub Actions and start tagging in minutes.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

yor FAQ

Can Yor run in a fully offline environment?
Unknown. The README does not document offline mode or network dependency requirements. The pre-commit hook and standalone CLI suggest no runtime network calls, but the GitHub Action integration and auto-commit workflows may require Git remote access.
Does Yor support tag removal or cleanup of stale tags?
Not clearly stated. The README documents tag application (tag command) and listing (list-tags), but no removal or unapply command is mentioned. Custom taggers may support conditional logic, but this requires custom YAML plugin development.
How does Yor handle tag conflicts or overwrite existing tags?
Unknown. The README does not explain merge behavior when a resource already has a tag key that Yor wants to inject. Dry-run mode may preview conflicts, but the exact handling (skip, overwrite, append) is not documented.
Is Yor suitable for teams with strict git commit hygiene policies?
Conditional. Yor auto-commits tag changes when used via GitHub Action, which may bypass branch protection rules or required code reviews if not configured carefully. The pre-commit hook allows local validation before commit. For high-governance teams, manual tag review before committing is recommended.

Software development & web development with DEV.co

Adopting yor is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source devops software in production.

Automate your infrastructure tagging today

Reduce manual tagging overhead and improve resource attribution with Yor. Install via Homebrew, Docker, or GitHub Actions and start tagging in minutes.