Automic VaultAutomic Vault

brew

Install yor with Homebrew, Nix

Extensible auto-tagger for your IaC files. Version 0.1.200 via Homebrew; verified from local package data.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install yor

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#yor

nixpkgs package indexes · pkgs/by-name/yo/yor/package.nix · source: api.github.com

overview

Package summary

Extensible auto-tagger for your IaC files

Commands and aliases

  • yor

history

Project history and usage

Yor is Bridgecrew's open-source auto-tagger for infrastructure-as-code files. It adds consistent tags and trace identifiers to Terraform, CloudFormation, Serverless Framework, and related IaC so cloud resources can be traced back to code, owners, commits, and change history.

Project history

Yor was publicly launched on 2021-05-27, shortly after Palo Alto Networks acquired Bridgecrew. Palo Alto's announcement framed it as an open-source IaC tag-and-trace tool for developer workflows, with local CLI, pre-commit, GitHub Actions, and CI/CD usage.

The README describes Yor as an open-source tool that adds informative and consistent tags across IaC frameworks, with built-in support for Terraform, CloudFormation, and Serverless Frameworks, plus custom taggers, skip annotations, dry runs, and Git-based tags.

Adoption history

Yor's adoption story is tied to cloud governance rather than app deployment. Help Net Security covered it as a tool for traceability and auditability, noting that organizations can run it retroactively across infrastructure resources or build it into CI/CD so ownership and other tags come from IaC and git history.

Packaging followed developer workflow channels: Homebrew, Chocolatey, Docker, GitHub Actions, Azure DevOps snippets, and pre-commit hooks are all documented entry points.

How it is used

The common command is `yor tag --directory terraform/`, with options to recurse or not, include or skip tag groups, target specific frameworks, add simple custom tags, preview with dry-run, write JSON output, and skip directories or resource types.

The most package-relevant mode is automated CI: Yor can run as a GitHub Action or pre-commit hook that modifies IaC files so trace and owner tags travel from source repositories into provisioned cloud resources.

Why package nerds care

Yor matters because it packages cloud tagging policy as a repeatable source-code transformation. It is a small CLI, but its runtime effect is on Terraform and other IaC files that later become cloud inventory, billing, security, and incident-response metadata.

It is also an example of DevSecOps tooling where the package manager is part of governance distribution: install the CLI in CI, pin the hook/action version, and every repository can apply the same tagging logic.

Timeline

  • 2021-05-27: Palo Alto Networks announces Yor as an open-source automated IaC tag-and-trace tool.
  • 2021-05-27: Security press covers Yor as an IaC traceability and auditability tool built by Bridgecrew.
  • 2020s: Yor documents usage as CLI, Docker image, GitHub Action, Azure DevOps step, and pre-commit hook.

Related projects

  • Bridgecrew and Prisma Cloud/Cortex Cloud are the commercial ecosystem around the project.
  • bridgecrewio/yor-action is the GitHub Action integration.
  • Terraform, CloudFormation, Serverless Framework, Kubernetes, pre-commit, Docker, and GitHub Actions are major adjacent technologies in documented workflows.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 8 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
yorcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.1.200
manager updated
local dataok
upstreamcurrent
latest detected0.1.200

https://github.com/bridgecrewio/yor

  • infoNo package-manager update timestamp was available.low confidence

install metadata

Package metadata

Package keybrew:yor
Version0.1.200
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/yor
Homepagehttps://yor.io/
Repositoryhttps://github.com/bridgecrewio/yor
Upstream docshttps://yor.io/
LicenseApache-2.0
Source archivehttps://github.com/bridgecrewio/yor/archive/refs/tags/0.1.200.tar.gz
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, sonoma, ventura, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nameyor
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

yor

nix profile install nixpkgs#yor
  • normalized package name match
  • Matched by: Yor
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/yo/yor/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment