{"id":13510216,"url":"https://github.com/aquasecurity/cloudsploit","last_synced_at":"2025-05-14T13:05:52.897Z","repository":{"id":34335194,"uuid":"38255391","full_name":"aquasecurity/cloudsploit","owner":"aquasecurity","description":"Cloud Security Posture Management (CSPM)","archived":false,"fork":false,"pushed_at":"2025-04-29T13:35:23.000Z","size":26989,"stargazers_count":3511,"open_issues_count":193,"forks_count":703,"subscribers_count":72,"default_branch":"master","last_synced_at":"2025-05-07T08:45:12.172Z","etag":null,"topics":["alibaba","aqua","aws","azure","cloud","cspm","gcp","oci","oracle","security","security-audit"],"latest_commit_sha":null,"homepage":"https://cloud.aquasec.com/signup","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aquasecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2015-06-29T15:33:40.000Z","updated_at":"2025-05-04T08:17:18.000Z","dependencies_parsed_at":"2024-04-22T09:00:01.321Z","dependency_job_id":"b5b5729b-ae08-414d-97cb-80a6a1f49349","html_url":"https://github.com/aquasecurity/cloudsploit","commit_stats":{"total_commits":4960,"total_committers":97,"mean_commits":"51.134020618556704","dds":0.7939516129032258,"last_synced_commit":"90cff06efab049259a20ae5c419bec0276a7060d"},"previous_names":["cloudsploit/scans"],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fcloudsploit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fcloudsploit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fcloudsploit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fcloudsploit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aquasecurity","download_url":"https://codeload.github.com/aquasecurity/cloudsploit/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254149946,"owners_count":22022851,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["alibaba","aqua","aws","azure","cloud","cspm","gcp","oci","oracle","security","security-audit"],"created_at":"2024-08-01T02:01:29.442Z","updated_at":"2025-05-14T13:05:52.866Z","avatar_url":"https://github.com/aquasecurity.png","language":"JavaScript","readme":"[\u003cimg src=\"https://cloudsploit.com/images/logos/cloudsploit_by_aqua_2021.png\" height=\"130\"\u003e](https://cloud.aquasec.com/signup)\n\n[![Build Status](https://travis-ci.com/aquasecurity/cloudsploit.svg?branch=master)](https://travis-ci.com/aquasecurity/cloudsploit)\n\nCloudSploit by Aqua - Cloud Security Scans\n=================\n\n[\u003cimg src=\"docs/console.png\"\u003e](https://cloud.aquasec.com/signup)\n\n## Quick Start\n### Generic\n```\n$ git clone https://github.com/aquasecurity/cloudsploit.git\n$ cd cloudsploit\n$ npm install\n$ ./index.js -h\n```\n\n### Docker\n```\n$ git clone https://github.com/aquasecurity/cloudsploit.git\n$ cd cloudsploit\n$ docker build . -t cloudsploit:0.0.1\n$ docker run cloudsploit:0.0.1 -h\n$ docker run -e AWS_ACCESS_KEY_ID=XX -e AWS_SECRET_ACCESS_KEY=YY cloudsploit:0.0.1 --compliance=pci\n```\n\n## Documentation\n* [Background](#background)\n* [Deployment Options](#deployment-options)\n  + [Self-Hosted](#self-hosted)\n  + [Hosted at Aqua Wave](#hosted-at-aqua-wave)\n* [Installation](#installation)\n* [Configuration](#configuration)\n  + [Amazon Web Services](docs/aws.md#cloud-provider-configuration)\n  + [Microsoft Azure](docs/azure.md#cloud-provider-configuration)\n  + [Google Cloud Platform](docs/gcp.md#cloud-provider-configuration)\n  + [Oracle Cloud Infrastructure](docs/oracle.md#cloud-provider-configuration)\n  + [CloudSploit Config File](#cloudsploit-config-file)\n  + [Credential Files](#credential-files)\n    + [AWS](#aws)\n    + [Azure](#azure)\n    + [GCP](#gcp)\n    + [Oracle OCI](#oracle-oci)\n  + [Environment Variables](#environment-variables)\n* [Running](#running)\n* [CLI Options](#cli-options)\n* [Compliance](#compliance)\n  + [HIPAA](#hipaa)\n  + [PCI](#pci)\n  + [CIS Benchmarks](#cis-benchmarks)\n* [Output Formats](#output-formats)\n  + [Console Output](#console-output)\n  + [Ignoring Passing Results](#ignoring-passing-results)\n  + [CSV](#csv)\n  + [JSON](#json)\n  + [JUnit XML](#junit-xml)\n  + [Collection Output](#collection-output)\n* [Suppressions](#suppressions)\n* [Running a Single Plugin](#running-a-single-plugin)\n* [Architecture](#architecture)\n* [Writing a Plugin](#writing-a-plugin)\n* [Other Notes](#other-notes)\n\n## Background\nCloudSploit by Aqua is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub. These scripts are designed to return a series of potential misconfigurations and security risks.\n\n## Deployment Options\nCloudSploit is available in two deployment options:\n\n### Self-Hosted\nFollow the instructions below to deploy the open-source version of CloudSploit on your machine in just a few simple steps.\n\n### Hosted at Aqua Wave\nA commercial version of CloudSploit hosted at Aqua Wave. Try [Aqua Wave](https://cloud.aquasec.com/signup) today!\n\n## Installation\nEnsure that NodeJS is installed. If not, install it from [here](https://nodejs.org/download/).\n\n```\n$ git clone git@github.com:cloudsploit/scans.git\n$ npm install\n```\n\n## Configuration\nCloudSploit requires read-only permission to your cloud account. Follow the guides below to provision this access:\n\n* [Amazon Web Services](docs/aws.md#cloud-provider-configuration)\n* [Microsoft Azure](docs/azure.md#cloud-provider-configuration)\n* [Google Cloud Platform](docs/gcp.md#cloud-provider-configuration)\n* [Oracle Cloud Infrastructure](docs/oracle.md#cloud-provider-configuration)\n\nFor AWS, you can run CloudSploit directly and it will detect credentials using the default [AWS credential chain](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CredentialProviderChain.html).\n\n### CloudSploit Config File\nThe CloudSploit config file allows you to pass cloud provider credentials by:\n1. A JSON file on your file system\n1. Environment variables\n1. Hard-coding (not recommended)\n\nStart by copying the example config file:\n```\n$ cp config_example.js config.js\n```\n\nEdit the config file by uncommenting the relevant sections for the cloud provider you are testing. Each cloud has both a `credential_file` option, as well as inline options. For example:\n```\nazure: {\n    // OPTION 1: If using a credential JSON file, enter the path below\n    // credential_file: '/path/to/file.json',\n    // OPTION 2: If using hard-coded credentials, enter them below\n    // application_id: process.env.AZURE_APPLICATION_ID || '',\n    // key_value: process.env.AZURE_KEY_VALUE || '',\n    // directory_id: process.env.AZURE_DIRECTORY_ID || '',\n    // subscription_id: process.env.AZURE_SUBSCRIPTION_ID || ''\n}\n```\n\n### Credential Files\nIf you use the `credential_file` option, point to a file in your file system that follows the correct format for the cloud you are using.\n\n#### AWS\n```\n{\n  \"accessKeyId\": \"YOURACCESSKEY\",\n  \"secretAccessKey\": \"YOURSECRETKEY\"\n}\n```\n\n#### Azure\n```\n{\n  \"ApplicationID\": \"YOURAZUREAPPLICATIONID\",\n  \"KeyValue\": \"YOURAZUREKEYVALUE\",\n  \"DirectoryID\": \"YOURAZUREDIRECTORYID\",\n  \"SubscriptionID\": \"YOURAZURESUBSCRIPTIONID\"\n}\n```\n\n#### GCP\nNote: For GCP, you [generate a JSON file](docs/gcp.md) directly from the GCP console, which you should not edit.\n```\n{\n    \"type\": \"service_account\",\n    \"project\": \"GCPPROJECTNAME\",\n    \"client_email\": \"GCPCLIENTEMAIL\",\n    \"private_key\": \"GCPPRIVATEKEY\"\n}\n```\n\n#### Oracle OCI\n```\n{\n  \"tenancyId\": \"YOURORACLETENANCYID\",\n  \"compartmentId\": \"YOURORACLECOMPARTMENTID\",\n  \"userId\": \"YOURORACLEUSERID\",\n  \"keyFingerprint\": \"YOURORACLEKEYFINGERPRINT\",\n  \"keyValue\": \"YOURORACLEKEYVALUE\",\n}\n```\n\n### Environment Variables\nCloudSploit supports passing environment variables, but you must first uncomment the section of your `config.js` file relevant to the cloud provider being scanned.\n\nYou can then pass the variables listed in each section. For example, for AWS:\n```\n{\n  access_key: process.env.AWS_ACCESS_KEY_ID || '',\n  secret_access_key: process.env.AWS_SECRET_ACCESS_KEY || '',\n  session_token: process.env.AWS_SESSION_TOKEN || '',\n}\n```\n\n## Running\nTo run a standard scan, showing all outputs and results, simply run:\n```\n$ ./index.js\n```\n\n## CLI Options\nCloudSploit supports many options to customize the run time. Some popular options include:\n* AWS GovCloud support: `--govcloud`\n* AWS China support: `--china`\n* Save the raw cloud provider response data: `--collection=file.json`\n* Ignore passing (OK) results: `--ignore-ok`\n* Exit with a non-zero code if non-passing results are found: `--exit-code`\n  * This is a good option for CI/CD systems\n* Change the output from a table to raw text: `--console=text`\n\nSee [Output Formats](#output-formates) below for more output options.\n\n\u003cdetails\u003e\n  \u003csummary\u003eClick for a full list of options\u003c/summary\u003e\n\n  ```\n  $ ./index.js -h\n\n    _____ _                 _  _____       _       _ _\n    / ____| |               | |/ ____|     | |     (_) |\n  | |    | | ___  _   _  __| | (___  _ __ | | ___  _| |_\n  | |    | |/ _ \\| | | |/ _` |\\___ \\| '_ \\| |/ _ \\| | __|\n  | |____| | (_) | |_| | (_| |____) | |_) | | (_) | | |_\n    \\_____|_|\\___/ \\__,_|\\__,_|_____/| .__/|_|\\___/|_|\\__|\n                                    | |\n                                    |_|\n\n    CloudSploit by Aqua Security, Ltd.\n    Cloud security auditing for AWS, Azure, GCP, Oracle, and GitHub\n\n  usage: index.js [-h] --config CONFIG [--compliance {hipaa,cis,cis1,cis2,pci}] [--plugin PLUGIN] [--govcloud] [--china] [--csv CSV] [--json JSON] [--junit JUNIT]\n                  [--table] [--console {none,text,table}] [--collection COLLECTION] [--ignore-ok] [--exit-code] [--skip-paginate] [--suppress SUPPRESS]\n\n  optional arguments:\n    -h, --help            show this help message and exit\n    --config CONFIG\n                          The path to a cloud provider credentials file.\n    --compliance {hipaa,cis,cis1,cis2,pci}\n                          Compliance mode. Only return results applicable to the selected program.\n    --plugin PLUGIN       A specific plugin to run. If none provided, all plugins will be run. Obtain from the exports.js file. E.g. acmValidation\n    --govcloud            AWS only. Enables GovCloud mode.\n    --china               AWS only. Enables AWS China mode.\n    --csv CSV             Output: CSV file\n    --json JSON           Output: JSON file\n    --junit JUNIT         Output: Junit file\n    --table               Output: table\n    --console {none,text,table}\n                          Console output format. Default: table\n    --collection COLLECTION\n                          Output: full collection JSON as file\n    --ignore-ok           Ignore passing (OK) results\n    --exit-code           Exits with a non-zero status code if non-passing results are found\n    --skip-paginate       AWS only. Skips pagination (for debugging).\n    --suppress SUPPRESS   Suppress results matching the provided Regex. Format: pluginId:region:resourceId\n  ```\n\u003c/details\u003e\n\n## Compliance\n\nCloudSploit supports mapping of its plugins to particular compliance policies. To run the compliance scan, use the `--compliance` flag. For example:\n```\n$ ./index.js --compliance=hipaa\n$ ./index.js --compliance=pci\n```\n\nMultiple compliance modes can be run at the same time:\n```\n$ ./index.js --compliance=cis1 --compliance=cis2\n```\n\nCloudSploit currently supports the following compliance mappings:\n\n### HIPAA\n```\n$ ./index.js --compliance=hipaa\n```\nHIPAA scans map CloudSploit plugins to the Health Insurance Portability and Accountability Act of 1996.\n\n### PCI\n```\n$ ./index.js --compliance=pci\n```\nPCI scans map CloudSploit plugins to the Payment Card Industry Data Security Standard.\n\n### CIS Benchmarks\n```\n$ ./index.js --compliance=cis\n$ ./index.js --compliance=cis1\n$ ./index.js --compliance=cis2\n```\n\nCIS Benchmarks are supported, both for Level 1 and Level 2 controls. Passing `--compliance=cis` will run both level 1 and level 2 controls.\n\n## Output Formats\nCloudSploit supports output in several formats for consumption by other tools. If you do not specify otherwise, CloudSploit writes output to standard output (the console) as a table.\n\nNote: You can pass multiple output formats and combine options for further customization. For example:\n```\n# Print a table to the console and save a CSV file\n$ ./index.js --csv=file.csv --console=table\n\n# Print text to the console and save a JSON and JUnit file while ignoring passing results\n$ ./index.js --json=file.json --junit=file.xml --console=text --ignore-ok\n```\n\n### Console Output\nBy default, CloudSploit results are printed to the console in a table format (with colors). You can override this and use plain text instead, by running:\n```\n$ ./index.js --console=text\n```\n\nAlternatively, you can suppress the console output entirely by running:\n```\n$ ./index.js --console=none\n```\n\n### Ignoring Passing Results\nYou can ignore results from output that return an OK status by passing a `--ignore-ok` commandline argument.\n\n### CSV\n```\n$ ./index.js --csv=file.csv\n```\n\n### JSON\n```\n$ ./index.js --json=file.json\n```\n\n### JUnit XML\n```\n$ ./index.js --junit=file.xml\n```\n\n### Collection Output\nCloudSploit saves the data queried from the cloud provider APIs in JSON format, which can be saved alongside other files for debugging or historical purposes.\n```\n$ ./index.js --collection=file.json\n```\n\n## Suppressions\nResults can be suppressed by passing the `--suppress` flag (multiple options are supported) with the following format:\n```\n--suppress pluginId:region:resourceId\n```\n\nFor example:\n```\n# Suppress all results for the acmValidation plugin\n$ ./index.js --suppress acmValidation:*:*\n\n# Suppress all us-east-1 region results\n$ ./index.js --suppress *:us-east-1:*\n\n# Suppress all results matching the regex \"certificate/*\" in all regions for all plugins\n$ ./index.js --suppress *:*:certificate/*\n```\n\n## Running a Single Plugin\nThe `--plugin` flag can be used if you only wish to run one plugin.\n```\n$ ./index.js --plugin acmValidation\n```\n\n## Architecture\nCloudSploit works in two phases. First, it queries the cloud infrastructure APIs for various metadata about your account, namely the \"collection\" phase. Once all the necessary data is collected, the result is passed to the \"scanning\" phase. The scan uses the collected data to search for potential misconfigurations, risks, and other security issues, which are the resulting output.\n\n## Writing a Plugin\nPlease see our [contribution guidelines](.github/CONTRIBUTING.md) and [complete guide](docs/writing-plugins.md) to writing CloudSploit plugins.\n\n## Writing a remediation\nThe `--remediate` flag can be used if you want to run remediation for the plugins mentioned as part of this argument. This takes a list of plugin names.\nPlease see our [developing remediation guide](docs/writing-remediation.md) for more details.\n## Other Notes\nFor other details about the Aqua Wave SaaS product, AWS security policies, and more, [click here](docs/notes.md).\n","funding_links":[],"categories":["Tools","JavaScript","Multi-Cloud","Container Tools","Infrastructure","Security and Compliance","Other Awesome Lists","Infrastructure Security","Public Cloud Governance","azure","Cloud Platform Attack Tools","0x02 工具 :hammer_and_wrench:","Multi-Cloud Security"],"sub_categories":["AWS","MultiCloud Governance","Auditing","Cloud Security Posture Management","1 云服务工具"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faquasecurity%2Fcloudsploit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faquasecurity%2Fcloudsploit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faquasecurity%2Fcloudsploit/lists"}