Two-pass extraction
Pass 1 finds canonical AWS shapes (ARNs, instance IDs, IPs, Route53 hostnames) by regex. Pass 2 walks your actual inventory and finds resource names referenced by short alias. Catches what a single-pass scanner misses.
Built on Atlassian Forge — installs in five minutes
Stop discovering stale runbooks
at 2 a.m.
RunbookGuard scans your Confluence runbooks for IPs, hostnames, and AWS resource IDs, then cross-checks them against your live AWS inventory. Catch the references that point to instances you terminated last quarter — before your on-call does.
90 seconds, no signup
See a real scan find real stale references
Watch RunbookGuard pull a Confluence runbook, extract every AWS identifier on the page, cross-check against a live inventory, and flag what no longer exists — start to finish.
No signup required. Or install RunbookGuard and run your first scan in under five minutes.
Features
Built for engineers who own the runbook AND the AWS account
Six things that matter, and nothing else. No AI hallucinations, no agents to install, no third-party data leaving your tenant.
Read-only by design
RunbookGuard never modifies Confluence pages, AWS resources, or Jira tickets — except the tickets you click to create. The IAM policy is Describe*, List*,Get* only. Zero blast radius if you're wrong about a finding.
Documentation coverage
Reverse view: every AWS resource that has zero references in your wiki, sorted by estimated monthly cost. Know what to document next without guessing.
Weekly digest, new findings only
One email a week, only what's NEW since the previous scan. No alert fatigue, no scrolling past the same 200 issues you saw last week. Per-team schedule + timezone.
One-click Jira tickets
Turn a finding into a fully-populated Jira issue in two clicks: page link, AWS resource, severity, recommended fix. Parent ticket + subtasks supported. Works with any project you already have access to.
Incremental scans
Re-indexes only the pages that changed since the last run. 50,000-page space scans in under 8 minutes. First scan of 1K pages: ~5 minutes.
How it works
From install to first finding in five minutes
No setup wizard maze, no AWS engineer required for onboarding. Three steps, then RunbookGuard runs weekly on its own.
01
Install from the Marketplace
One click in your Confluence Apps directory. No agent, no on-prem dependencies, no separate database. RunbookGuard runs on Atlassian's Forge platform inside your tenant.
02
Connect AWS — read-only
Paste an IAM Role ARN into the onboarding wizard. We use STS AssumeRole with a per-tenant External ID. The required policy is Describe / List / Get only — no write permissions, ever.
03
Run your first scan
Click Run Scan. 1,000 pages takes about 5 minutes. Findings appear as the scan completes; sort by severity, drill into evidence, dismiss false positives, or send to Jira with one click.
FAQ
The questions you'd ask on a sales call
No. The Confluence integration is read-only (we use Atlassian's read-content scope), and the recommended AWS IAM policy is Describe / List / Get only. The single exception: if you click "Send to Jira" on a finding, RunbookGuard creates one Jira ticket using the scope you authorized.
Pennies per scan, in practice. RunbookGuard makes read-only Describe / List API calls — no data transfer beyond inventory metadata. A typical 12-resource-type scan against a mid-size account is well under $0.01.
Inside your Atlassian Cloud tenant, in Forge SQL and Forge KVS — both isolated per-install by Atlassian. The only outbound calls are to your own AWS account and to Resend for digest email delivery. We do not operate a third-party database. See the Privacy Policy for full details.
v1 scans one account per Confluence install. If you have two AWS accounts you want to cover, you can install RunbookGuard once and configure cross-account roles, or install on a separate Confluence space. Multi-account-from-one-install is on the roadmap.
Yes. The extractor walks code blocks, CDATA, every Confluence macro variant, and structured tables. There is also a corpus test suite of known-stale fixtures that has zero false negatives on canonical AWS shapes.
Not supported. RunbookGuard is built on Atlassian Forge, which is Cloud-only. If your team is on Server or Data Center, this isn't the right tool yet.
AWS only in v1. The architecture is cloud-agnostic, but adding Azure/GCP requires writing the inventory fetchers — not on the v1 roadmap.
Every finding has a confidence score, a severity, and a Dismiss button (with optional reason). Dismissed findings stay dismissed across re-scans. False-positive rate is target <10% on clean environments and <20% on messy ones; you can tune by adjusting which Confluence spaces are in scope.
Find your stale runbooks before your on-call does
Five-minute install. First scan in under five. Read-only AWS access. Cancel any time by uninstalling — Atlassian deletes all your data within 30 days.