Lib.rs

Programming languages
#terraform #type-safe #ai-safety #infrastructure #security

bin+lib horkos

Cloud infrastructure language where insecure code won't compile

Owned by aimable100.

7 releases

0.2.0 Dec 2, 2025
0.1.7 Dec 1, 2025
0.1.4 Nov 27, 2025

#355 in Programming languages

MIT/Apache

370KB
8K SLoC

Horkos

Horkos

If it's insecure, it won't compile.

Crates.io CI License

A type-safe language for Terraform where insecure code won't compile.

Try it Online · Documentation · Changelog · Twitter

Why Horkos?

Terraform lets you build anything. Including mistakes.

Problem Terraform Horkos
Security Opt-in Enforced
Errors caught CI/runtime Compile time
AI-generated code Compiles if insecure Fails until secure
Audit trail Comments (maybe) unsafe blocks

How It Works

// One line. Secure by default.
val bucket = S3.createBucket("data")

Compiles to 5 Terraform resources: bucket, versioning, encryption, public access block, logging.

// Weakening security? Explain yourself.
val public = unsafe("Static website - ticket #402") {
    S3.createBucket("www", publicAccess: true)
}

If it compiles, it's secure.

Get Started

# Install
cargo install horkos

# Write
echo 'val bucket = S3.createBucket("data")' > main.hk

# Compile
horkos compile

Or try it in your browser at horkos.cloud.

Other install methods

Homebrew

brew install aimable100/tap/horkos

npm

npm install -g horkos

Docker

docker run --rm -v $(pwd):/workspace ghcr.io/aimable100/horkos compile

Binary

Download from GitHub Releases.

Verify Downloads

All releases include checksums and Sigstore signatures:

# Verify checksum
sha256sum -c checksums-v0.2.0.txt

# Verify signature (requires cosign)
cosign verify-blob --signature horkos-linux-x64.tar.gz.sig \
  --certificate horkos-linux-x64.tar.gz.pem \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp 'github.com/aimable100/horkos' \
  horkos-linux-x64.tar.gz

What's Supported

Resources: S3, VPC, Subnets, Security Groups, Internet Gateway, CloudWatch, RDS

Language:

  • Type-safe resource creation
  • unsafe blocks with mandatory justification
  • Taint tracking (Unverified<T>) for imported Terraform
  • Conditionals, list methods, string methods
  • Compile-time assert()

Terraform: >= 1.5.0 with AWS Provider >= 5.0, < 6.0

See ROADMAP for planned features.

Documentation

Security

Report vulnerabilities to security@horkos.cloud. See SECURITY.md.

License

MIT OR Apache-2.0

In Greek mythology, Horkos punished oath-breakers. Here, your infrastructure declarations are oaths.

Dependencies

~3–4.5MB
~74K SLoC