wakeful
diff --git a/‎.github/dependabot.yml‎
Lines changed: 6 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 31 additions & 0 deletions b/‎.github/workflows/release.yml‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎.golangci.yaml‎
Lines changed: 43 additions & 0 deletions b/‎.golangci.yaml‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎.goreleaser.yml‎
Lines changed: 28 additions & 0 deletions b/‎.goreleaser.yml‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 28 additions & 0 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎LICENSE‎
Lines changed: 28 additions & 0 deletions b/‎LICENSE‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎Readme.md‎
Lines changed: 45 additions & 0 deletions b/‎Readme.md‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎app.go‎
Lines changed: 131 additions & 0 deletions b/‎app.go‎
Lines changed: 131 additions & 0 deletions
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
@@ -0,0 +1,31 @@
+name: goreleaser
+
+on:
+  push:
+    tags:
+      - '*'
+
+permissions: { }
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - run: git fetch --force --tags
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b
+        with:
+          go-version: '>=1.24.2'
+          cache: false
+      - uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -0,0 +1,43 @@
+version: "2"
+linters:
+  default: all
+  settings:
+    cyclop:
+      max-complexity: 11
+    depguard:
+      rules:
+        main:
+          allow:
+            - $gostd
+            - github.com/aws/aws-sdk-go-v2/aws
+            - github.com/aws/aws-sdk-go-v2/config
+            - github.com/aws/aws-sdk-go-v2/service/ec2
+            - github.com/aws/aws-sdk-go-v2/service/ec2/types
+            - github.com/aws/aws-sdk-go-v2/service/rds
+            - github.com/aws/aws-sdk-go-v2/service/ssm
+            - github.com/aws/aws-sdk-go-v2/service/sts
+            - golang.org/x/sync/errgroup
+  exclusions:
+    generated: disable
+    rules:
+      - path: main.go
+        linters:
+          - funlen
+          - lll
+      - path: _string.go
+        linters:
+          - gochecknoglobals
+      - path: _test.go
+        linters:
+          - dupl
+          - err113
+          - exhaustruct
+          - funlen
+          - varnamelen
+formatters:
+  enable:
+    - gci
+    - gofmt
+    - gofumpt
+    - goimports
+    - golines
@@ -0,0 +1,28 @@
+version: 2
+before:
+  hooks:
+    - go mod tidy
+builds:
+  - env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+checksum:
+  name_template: 'checksums.txt'
+snapshot:
+  version_template: "{{ incpatch .Version }}-next"
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'
+archives:
+  - formats: ['tar.gz']
+    files:
+      - LICENSE
@@ -0,0 +1,28 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: check-case-conflict
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-added-large-files
+  - repo: https://github.com/gruntwork-io/pre-commit
+    rev: v0.1.29
+    hooks:
+      - id: shellcheck
+      - id: gofmt
+  - repo: local
+    hooks:
+      - id: addlicense
+        name: Add License
+        entry: go tool -modfile=tools/go.mod addlicense -c 'variHQ OÜ' -l 'BSD-3-Clause' -s=only
+        language: system
+        types: [ file ]
+        exclude: '\.(hcl|yaml|yml)$'
+      - id: golangci-lint
+        name: golangci-lint
+        entry: go tool -modfile=tools/go.mod golangci-lint run
+        language: system
+        types: [ go ]
+        pass_filenames: false
@@ -0,0 +1,28 @@
+BSD 3-Clause License
+
+Copyright (c) 2025, variHQ OÜ
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@@ -0,0 +1,45 @@
+# spark
+
+> **Seeking Public AWS Resources and Kernels**
+
+> [!NOTE]
+> command-line tool designed to identify public AWS resources—such as backups, AMIs, snapshots, and more—associated with
+> specific AWS accounts.
+
+```shell
+$ spark -h
+Usage spark:
+  -list-scanners
+        list available resource types
+  -region value
+        AWS region to scan (can be specified multiple times)
+  -scan value
+        AWS resource type to scan (can be specified multiple times)
+  -target string
+        target AWS account ID (default "self")
+  -verbose
+        verbose log output
+  -version
+        show version
+
+
+$ spark -list-scanners
+AMI
+snapshotsEBS
+snapshotsRDS
+ssmDocument
+```
+
+### Installation
+
+#### From source
+
+```shell
+# via the Go toolchain
+go install github.com/wakeful/spark
+```
+
+#### Using a binary release
+
+You can download a pre-built binary from the [release page](https://github.com/wakeful/spark/releases/latest) and add it
+to your user PATH.
@@ -0,0 +1,131 @@
+// Copyright 2025 variHQ OÜ
+// SPDX-License-Identifier: BSD-3-Clause
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+	"golang.org/x/sync/errgroup"
+)
+
+// App represents a struct that provides functionality for interacting with the AWS services.
+type App struct {
+	accountID string
+	runners   []runner
+	stsClient stsClient
+}
+
+func newApp(ctx context.Context, check []runnerType, regions []string) (*App, error) {
+	if len(regions) == 0 {
+		return nil, errEmptyRegion
+	}
+
+	if len(check) == 0 {
+		return nil, errEmptyCheck
+	}
+
+	regions = uniqRegions(regions)
+
+	baseCfg, err := config.LoadDefaultConfig(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load aws config, %w", err)
+	}
+
+	stsCfg := baseCfg.Copy()
+	stsCfg.Region = regions[0]
+
+	runners := make([]runner, 0)
+
+	for _, region := range regions {
+		cfg := baseCfg.Copy()
+		cfg.Region = region
+
+		for _, scan := range check {
+			switch scan {
+			case amiImage:
+				runners = append(runners, newAMIImageScan(cfg))
+			case ebsSnapshot:
+				runners = append(runners, newEBSSnapshotRunner(cfg))
+			case rdsSnapshot:
+				runners = append(runners, newRDSSnapshotRunner(cfg))
+			case ssmDocument:
+				runners = append(runners, newSSMDocumentScan(cfg))
+			}
+		}
+	}
+
+	return &App{
+		accountID: "",
+		runners:   runners,
+		stsClient: sts.NewFromConfig(stsCfg),
+	}, nil
+}
+
+// Run executes the scan process on the target using all available runners,
+// and returns the collected results or an error.
+func (a *App) Run(ctx context.Context, target string) ([]Result, error) {
+	group, gCtx := errgroup.WithContext(ctx)
+	group.SetLimit(1)
+
+	if strings.EqualFold(target, "self") {
+		slog.Debug("replacing self with account ID",
+			slog.String("accountID", a.accountID),
+		)
+
+		target = a.accountID
+	}
+
+	buffer := make(chan []Result, len(a.runners))
+
+	for _, scanRunner := range a.runners {
+		group.Go(func() error {
+			select {
+			case <-gCtx.Done():
+				return gCtx.Err()
+			default:
+				scanResults, err := scanRunner.scan(ctx, target)
+				if err != nil {
+					return err
+				}
+
+				buffer <- scanResults
+			}
+
+			return nil
+		})
+	}
+
+	if err := group.Wait(); err != nil {
+		return nil, fmt.Errorf("failed to run all checks, %w", err)
+	}
+
+	close(buffer)
+
+	var output []Result
+	for item := range buffer {
+		output = append(output, item...)
+	}
+
+	return output, nil
+}
+
+func (a *App) getAccountID(ctx context.Context) error {
+	output, err := a.stsClient.GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{})
+	if err != nil {
+		return fmt.Errorf("failed to get caller identity, %w", err)
+	}
+
+	if *output.Account == "" {
+		return errEmptyAccountID
+	}
+
+	a.accountID = *output.Account
+
+	return nil
+}