runbooks security cert-inventory
Auto-generated from runbooks security cert-inventory --help on 2026-05-21. Source of truth: runbooks PyPI package v1.3.22
Usage: runbooks security cert-inventory [OPTIONS]
Multi-cloud certificate inventory with expiry risk dashboard.
Discovers SSL/TLS certificates across AWS ACM (org-wide or single account),
IAM server certificates, and optionally Azure Key Vault certificates.
READONLY - no mutations.
Examples:
runbooks security cert-inventory --profile ops-readonly
runbooks security cert-inventory --org-wide --threshold 60
runbooks security cert-inventory --azure --azure-subscription $AZURE_SUBSCRIPTION_ID
runbooks security cert-inventory --export-file /tmp/certs.csv
Options:
--profile TEXT AWS profile for single-account operations.
Profile Selection Guide:
Single Account: Use --profile YOUR_PROFILE
Example: --profile dev-account
When: Developer/operator working in one AWS account
Multi-Account LZ: Use --all-profiles (see inventory commands)
Example: --all-profiles
When: Platform team discovering across organization
Enrichment Profiles (Automatic):
- Organizations: MANAGEMENT_PROFILE
- Costs: BILLING_PROFILE
Note: Separate from discovery profile
Decision: Single account = --profile | Multi-account = --all-profiles
--region TEXT AWS region override (default: ap-southeast-2)
--dry-run Safe analysis mode - no resource
modifications (enterprise default)
-f, --format, --output-format [json|csv|table|pdf|markdown]
Output format for results display
(-f/--format preferred, --output-format
legacy)
--output-dir PATH Directory for generated files and evidence
packages
--all-outputs Generate all output formats (JSON, CSV, PDF,
Markdown) - use with --output-dir
--csv Export to CSV format (convenience flag,
activates --all-outputs)
--json Export to JSON format (convenience flag,
activates --all-outputs)
--markdown Export to Markdown format (convenience flag,
activates --all-outputs)
--azure / --no-azure Include Azure Key Vault certificates
--azure-subscription TEXT Azure subscription ID (env:
AZURE_SUBSCRIPTION_ID)
--org-wide / --single-account Org-wide via Config Aggregator (default) or
single account
--threshold INTEGER Show certificates expiring within N days
(default: 90)
--export-file TEXT Export to CSV file
--include-ok Include OK (>threshold) certificates in
output
--help Show this message and exit.