yor
Yor is an open-source CLI tool that automatically adds consistent tags to infrastructure-as-code files (Terraform, CloudFormation, Serverless Framework). It enables tracking of code changes, resource attribution, and linking cloud resources back to their source definitions.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | bridgecrewio/yor |
| Owner | bridgecrewio |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 928 |
| Forks | 130 |
| Open issues | 12 |
| Latest release | 0.1.200 (2025-02-25) |
| Last updated | 2026-07-06 |
| Source | https://github.com/bridgecrewio/yor |
What yor is
Written in Go, Yor parses IaC files and injects tags for git metadata (org, repo, commit, author), resource tracing, and custom key-value pairs. It runs as a standalone CLI, GitHub Action, pre-commit hook, or Docker container, with support for dry-run mode and extensible custom taggers via YAML configuration.
Get the yor source
Clone the repository and explore it locally.
git clone https://github.com/bridgecrewio/yor.gitcd yor# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Security: Do not point --config-file at paths inside the directory being tagged when auto-committing (e.g., GitHub Action workflows), as repo-resident config files can be edited by attackers to exfiltrate CI secrets into IaC.
- Pre-commit hook integration: Use the pre-commit hook template (rev: 0.1.143) with language: golang to tag Terraform files automatically; ensure types filter matches your file patterns.
- Custom taggers: Extensibility via custom YAML tag groups allows environment-specific or organizational metadata injection; review docs/3.Custom Taggers/Custom_tagger_YAML.md for plugin development and sandboxing.
- Dry-run validation: Always run yor tag -d . --dry-run first to preview tag additions and catch schema conflicts before applying to production IaC.
- Performance at scale: Coverage badge shows 81.2% test coverage; for large monorepos, validate tag application time and disk I/O with --non-recursive or --skip-dirs flags.
When to avoid it — and what to weigh
- Sensitive metadata in tags — If you cannot allow git author names, commit messages, or custom environment-specific data to appear as cloud resource tags (due to security or compliance policy), Yor's default tag groups may not be suitable without selective tag filtering.
- Non-standard IaC frameworks — Yor currently supports only Terraform, CloudFormation, and Serverless Framework. If your infrastructure uses Pulumi, CDK, or proprietary DSLs, you must extend Yor or use an alternative.
- CI/CD pipelines without Git context — Many Yor features (git org, repo, commit, author tags) require Git context. In environments where IaC is generated or modified outside Git workflows, these taggers will fail or require workarounds.
- High-velocity tag schema changes — If your tagging strategy requires frequent, real-time schema updates across hundreds of resources, Yor's tag-application model (file modification and commit) may create merge conflicts or require careful orchestration.
License & commercial use
Apache License 2.0 (Apache-2.0). Permissive OSI license allowing commercial use, modification, and distribution with attribution and no patent indemnity. No warranty or liability limitations in standard terms. Suitable for enterprise adoption.
Apache-2.0 is a permissive OSI license that explicitly permits commercial use. You may use, modify, and integrate Yor into proprietary tools and commercial workflows without restrictions, provided you retain Apache license notices. Consult your legal team if vendoring or redistributing modified versions. No paid support tier or SLA documented in provided data; Slack community support via Codified Security workspace is referenced.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Yor injects metadata into IaC files and commits them to Git. Threat considerations: (1) Config files (--config-file) executed in CI/CD can be edited by repo contributors to inject secrets into IaC or exfiltrate CI env vars if auto-commit is enabled. (2) Git metadata tags expose author names and commit hashes, which may reveal organizational or contributor information. (3) Custom taggers (plugins) execute user-defined logic; validate third-party plugins before use. (4) Docker image security posture and dependency vulnerability scanning are not documented. README references security workflow badge and slack community; no CVE history provided in data. No explicit code signing or attestation mentioned.
Alternatives to consider
Terraform Cloud/Enterprise (state-based resource tagging)
HashiCorp's managed platform offers native resource tagging via workspace tags and variable sets, integrated with state management. Does not require code-level modification and eliminates drift. Requires paid licensing; vendor lock-in to Terraform ecosystem.
AWS Tag Manager / CloudFormation Stack Tags
Native AWS mechanisms for tagging resources via stack metadata or Tag Manager; tight integration with AWS cost allocation and IAM policies. Limited to AWS; no multi-cloud or Terraform support; requires cloud-side tag governance.
Infracost / Env0 / Spacelift (policy-as-code platforms)
Commercial platforms offer policy enforcement, cost estimation, and compliance tagging alongside IaC execution. Provide centralized governance, RBAC, and audit trails. Paid SaaS models; less suitable for lightweight tagging-only use cases.
Build on yor with DEV.co software developers
Reduce manual tagging overhead and improve resource attribution with Yor. Install via Homebrew, Docker, or GitHub Actions and start tagging in minutes.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
yor FAQ
Can Yor run in a fully offline environment?
Does Yor support tag removal or cleanup of stale tags?
How does Yor handle tag conflicts or overwrite existing tags?
Is Yor suitable for teams with strict git commit hygiene policies?
Software development & web development with DEV.co
Adopting yor is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source devops software in production.
Automate your infrastructure tagging today
Reduce manual tagging overhead and improve resource attribution with Yor. Install via Homebrew, Docker, or GitHub Actions and start tagging in minutes.