{"id":35377640,"url":"https://github.com/cleancloud-io/cleancloud","last_synced_at":"2026-04-11T18:29:33.321Z","repository":{"id":330085709,"uuid":"1121249159","full_name":"cleancloud-io/cleancloud","owner":"cleancloud-io","description":"CleanCloud helps SRE teams safely identify orphaned, unowned, and potentially inactive AWS and Azure resources using conservative, read-only cloud hygiene checks designed for trust, not auto-cleanup.","archived":false,"fork":false,"pushed_at":"2026-02-15T23:01:44.000Z","size":404,"stargazers_count":43,"open_issues_count":1,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-02-16T06:15:32.544Z","etag":null,"topics":["aws","azure","cloud","devops","gcp","hygiene","infrastructure","sre"],"latest_commit_sha":null,"homepage":"https://www.getcleancloud.com","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cleancloud-io.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":"MAINTAINERS.md","copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-22T17:12:35.000Z","updated_at":"2026-02-15T22:58:59.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/cleancloud-io/cleancloud","commit_stats":null,"previous_names":["sureshcsdp/cleancloud"],"tags_count":13,"template":false,"template_full_name":null,"purl":"pkg:github/cleancloud-io/cleancloud","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cleancloud-io%2Fcleanclou
d","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cleancloud-io%2Fcleancloud/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cleancloud-io%2Fcleancloud/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cleancloud-io%2Fcleancloud/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cleancloud-io","download_url":"https://codeload.github.com/cleancloud-io/cleancloud/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cleancloud-io%2Fcleancloud/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29574068,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-18T08:38:15.585Z","status":"ssl_error","status_checked_at":"2026-02-18T08:38:14.917Z","response_time":162,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","azure","cloud","devops","gcp","hygiene","infrastructure","sre"],"created_at":"2026-01-02T04:49:55.851Z","updated_at":"2026-03-16T23:02:23.366Z","avatar_url":"https://github.com/cleancloud-io.png","language":"Python","readme":"# CleanCloud\n\n![PyPI](https://img.shields.io/pypi/v/cleancloud)\n![Python Versions](https://img.shields.io/pypi/pyversions/cleancloud)\n![Docker 
Pulls](https://img.shields.io/docker/pulls/getcleancloud/cleancloud)\n![License](https://img.shields.io/badge/License-MIT-yellow.svg)\n[![Security Scanning](https://github.com/cleancloud-io/cleancloud/actions/workflows/security-scan.yml/badge.svg)](https://github.com/cleancloud-io/cleancloud/actions/workflows/security-scan.yml)\n![GitHub stars](https://img.shields.io/github/stars/cleancloud-io/cleancloud?style=social)\n\n**Languages / Langues :**\n🇬🇧 [English](README.md) | 🇫🇷 [Français](README.fr.md)\n\n**Docs:** [AWS Setup](docs/aws.md) · [Azure Setup](docs/azure.md) · [CI/CD Guide](docs/ci.md) · [Detection Rules](docs/rules.md) · [Example Outputs](docs/example-outputs.md) · [Docker Hub](https://hub.docker.com/r/getcleancloud/cleancloud)\n\n---\n\n**Trivy for cloud waste. A scanner that finds orphaned resources and enforces hygiene in CI.**\n\nLike `tfsec` for Terraform or `trivy` for containers — CleanCloud scans your cloud environment and reports what's wasting money. Run it once for a quick audit, schedule it, or wire it into CI/CD to fail builds on policy violations.\n\n- **20 high-signal detection rules:** orphaned volumes, idle databases, empty load balancers, and more\n- **Estimated monthly waste:** per finding and aggregate\n- **CI-native enforcement (opt-in):** `--fail-on-confidence HIGH` or `--fail-on-cost 100` gates your pipeline\n- **Multiple output formats:** human-readable, JSON, CSV, and markdown (paste into GitHub PRs or Slack)\n- **Read-only by design:** no deletions, no tag changes, no mutations — ever\n- **No agents. No telemetry. No SaaS.** Runs in your environment, data never leaves\n\n**Use cases:**\n- One-time cloud waste audit — run in CloudShell, see findings in 60 seconds\n- Scheduled hygiene scans — cron job or weekly CI run to catch drift\n- CI/CD enforcement gates — fail builds when waste exceeds your threshold\n\n```\nFound 6 hygiene issues:\n\n1. [AWS] Unattached EBS Volume       — $40/month\n2. 
[AWS] Idle NAT Gateway            — $32.40/month\n3. [AWS] Unattached Elastic IP       — $0/month\n...\n\nEstimated monthly waste: ~$147\nRegions scanned: us-east-1, us-west-2, eu-west-1\n```\n\n## As featured in\n\n- [Korben](https://korben.info/cleancloud-nettoyeur-cloud-aws-azure.html) 🇫🇷 — Major French tech publication\n- [Last Week in AWS #457](https://www.lastweekinaws.com/newsletter/15259/) — Corey Quinn's weekly AWS newsletter\n\n## What users say\n\n\u003e \"Solid discovery tool that bubbles up potential savings. Easy to install and use!\"\n\u003e — [Reddit user](https://www.reddit.com/r/AZURE/comments/1rm7an5/comment/o8zfv6a/)\n\n---\n\n## Get Started\n\n**Via pipx (recommended for local use):**\n```bash\npipx install cleancloud\npipx ensurepath        # adds cleancloud to PATH — restart your shell after this\ncleancloud demo        # see sample findings without any cloud credentials\n```\n\n**Via Docker (recommended for CI/CD — no Python required):**\n```bash\ndocker pull getcleancloud/cleancloud\ndocker run --rm getcleancloud/cleancloud demo\n```\n\nWhen you're ready to scan your real environment, authenticate first — then run:\n\n```bash\n# AWS: make sure you're logged in (aws configure, aws sso login, or IAM role)\ncleancloud scan --provider aws --all-regions\n\n# Azure: make sure you're logged in (az login)\ncleancloud scan --provider azure\n```\n\nNot sure if your credentials have the right permissions? Run `cleancloud doctor --provider aws` or `cleancloud doctor --provider azure` first.\n\n### No install — try in your cloud shell\n\nGot an AWS or Azure account? 
Run a real scan in seconds with no local setup.\n\n**AWS — [AWS CloudShell](https://console.aws.amazon.com/cloudshell):**\n```bash\npip install --upgrade cleancloud\ncleancloud doctor --provider aws   # check what permissions your session has\ncleancloud scan --provider aws --all-regions\n```\n\n**Azure — [Azure Cloud Shell](https://shell.azure.com):**\n```bash\npip install --upgrade --user cleancloud\nexport PATH=\"$HOME/.local/bin:$PATH\"\ncleancloud doctor --provider azure  # check what permissions your session has\ncleancloud scan --provider azure\n```\n\nBoth shells authenticate using your portal session — no separate credentials needed.\n\nPermissions vary by account; `doctor` tells you exactly what's available before you scan. If permissions are missing, CleanCloud skips those rules and reports what was skipped.\n\n\u003cdetails\u003e\n\u003csummary\u003eInstall troubleshooting\u003c/summary\u003e\n\n**macOS:** `brew install pipx \u0026\u0026 pipx install cleancloud`\n\n**Linux:** `sudo apt install pipx \u0026\u0026 pipx install cleancloud`\n\n**Windows:** `python3 -m pip install --user pipx \u0026\u0026 python3 -m pipx ensurepath \u0026\u0026 pipx install cleancloud`\n\n**Command not found: cleancloud** — Run `pipx ensurepath` then restart your shell.\n\n**externally-managed-environment error** — Use `pipx` instead of `pip`.\n\n**Upgrading from a previous pip install** — remove it first to avoid shadowing:\n```bash\npip uninstall cleancloud \u0026\u0026 pipx install cleancloud \u0026\u0026 pipx ensurepath\n```\n\n**Wrong version after install** — Run `which cleancloud`; an old pip install may be shadowing pipx.\n\n**Minimum recommended version: v1.6.3** — earlier versions have setup friction. Run `cleancloud --version` to check.\n\n\u003c/details\u003e\n\n---\n\n## What It Looks Like\n\n```\nFound 6 hygiene issues:\n\n1. 
[AWS] Unattached EBS Volume\n   Risk       : Low\n   Confidence : High\n   Resource   : aws.ebs.volume → vol-0a1b2c3d4e5f67890\n   Region     : us-east-1\n   Rule       : aws.ebs.volume.unattached\n   Reason     : Volume has been unattached for 47 days\n   Details:\n     - size_gb: 500\n     - state: available\n     - tags: {\"Project\": \"legacy-api\", \"Owner\": \"platform\"}\n\n2. [AWS] Idle NAT Gateway\n   Risk       : Medium\n   Confidence : Medium\n   Resource   : aws.ec2.nat_gateway → nat-0abcdef1234567890\n   Region     : us-west-2\n   Rule       : aws.ec2.nat_gateway.idle\n   Reason     : No traffic detected for 21 days\n   Details:\n     - name: staging-nat\n     - total_bytes_out: 0\n     - estimated_monthly_cost_usd: 32.40\n\n3. [AWS] Unattached Elastic IP\n   Risk       : Low\n   Confidence : High\n   Resource   : aws.ec2.elastic_ip → eipalloc-0a1b2c3d4e5f6\n   Region     : eu-west-1\n   Rule       : aws.ec2.elastic_ip.unattached\n   Reason     : Elastic IP not associated with any instance or ENI (age: 92 days)\n\n--- Scan Summary ---\nTotal findings: 6\nBy risk:        low: 5  medium: 1\nBy confidence:  high: 2  medium: 4\nMinimum estimated waste: ~$147/month\n(4 of 6 findings costed)\nRegions scanned: us-east-1, us-west-2, eu-west-1 (auto-detected)\n```\n\nNo cloud account yet? `cleancloud demo` shows sample output without any credentials.\n\n### Shareable markdown report\n\n```bash\ncleancloud scan --provider aws --all-regions --output markdown\n```\n\nPrints a grouped summary you can paste directly into a GitHub PR comment, Slack message, or issue:\n\n```markdown\n## CleanCloud Scan Results\n\n**Provider:** AWS\n**Regions:** us-east-1, us-west-2, eu-west-1\n**Scanned:** 2026-03-07\n**Estimated monthly waste:** ~$147\n\n**Total findings:** 6\n\n| Finding | Count | Est. 
Monthly Cost |\n|---------|------:|------------------:|\n| Unattached EBS Volume | 2 | ~$115 |\n| Idle NAT Gateway | 1 | ~$32 |\n| Unattached Elastic IP | 1 | ~$0 |\n| Detached ENI | 1 | — |\n| CloudWatch Log Group: Infinite Retention | 1 | — |\n\n**Confidence:** high: 3 · medium: 3\n\n\u003e Generated by [CleanCloud](https://github.com/cleancloud-io/cleancloud) — read-only cloud hygiene scanner for AWS and Azure.\n```\n\nSave to a file with `--output-file results.md`. Without `--output-file`, it prints to stdout.\n\nFor full output examples including `doctor`, JSON, CSV, and markdown: [`docs/example-outputs.md`](docs/example-outputs.md)\n\n---\n\n## What CleanCloud Detects\n\n20 rules across AWS and Azure — conservative, high-signal, designed to avoid false positives in IaC environments.\n\n**AWS:**\n- Unattached EBS volumes (HIGH)\n- Old EBS snapshots\n- Infinite retention CloudWatch Logs\n- Unattached Elastic IPs (HIGH)\n- Detached ENIs\n- Untagged resources\n- Old AMIs\n- Idle NAT Gateways\n- Idle RDS instances (HIGH)\n- Idle load balancers (HIGH)\n\n**Azure:**\n- Unattached managed disks\n- Old snapshots\n- Unused public IPs (HIGH)\n- Empty load balancers (HIGH)\n- Empty App Gateways (HIGH)\n- Empty App Service Plans (HIGH)\n- Idle VNet Gateways\n- Stopped (not deallocated) VMs (HIGH)\n- Idle SQL databases (HIGH)\n- Untagged resources\n\nRules without a confidence marker are MEDIUM — they use time-based heuristics or multiple signals. Start with `--fail-on-confidence HIGH` to catch obvious waste, then tighten as your team validates.\n\n**Full rule details, signals, and evidence:** [`docs/rules.md`](docs/rules.md)\n\n---\n\n## CI/CD Enforcement\n\nScans exit `0` by default. 
Opt in to enforcement:\n\n| Flag | Behavior | Exit code |\n|------|----------|-----------|\n| *(none)* | Report only, never fail | `0` |\n| `--fail-on-confidence HIGH` | Fail on HIGH confidence findings | `2` |\n| `--fail-on-confidence MEDIUM` | Fail on MEDIUM or higher | `2` |\n| `--fail-on-cost 50` | Fail if estimated monthly waste \u003e= $50 | `2` |\n| `--fail-on-findings` | Fail on any finding | `2` |\n\nComplete, copy-pasteable GitHub Actions workflows for AWS (OIDC) and Azure (Workload Identity) — including OIDC setup, trust policy, RBAC, and enforcement patterns:\n\n**[CI/CD guide →](docs/ci.md)** · [AWS setup →](docs/aws.md) · [Azure setup →](docs/azure.md)\n\n**Need help with OIDC or enforcement flags?** [Ask in our CI/CD setup discussion →](https://github.com/cleancloud-io/cleancloud/discussions/98)\n\n---\n\n## Roadmap\n\n- Additional AWS rules (S3 lifecycle, stopped EC2 instances)\n- Policy-as-code in `cleancloud.yaml` (`fail_on_confidence`, `fail_on_cost` in config)\n- Rule filtering (`--rules` flag)\n- Multi-account scanning (AWS Organizations)\n\n---\n\n## Documentation\n\n- [`docs/rules.md`](docs/rules.md) — Detection rules, signals, and evidence\n- [`docs/aws.md`](docs/aws.md) — AWS IAM policy and OIDC setup\n- [`docs/azure.md`](docs/azure.md) — Azure RBAC and Workload Identity setup\n- [`docs/ci.md`](docs/ci.md) — CI/CD integration guide\n- [`docs/example-outputs.md`](docs/example-outputs.md) — Full output examples\n- [`SECURITY.md`](SECURITY.md) — Security policy and threat model\n- [`docs/infosec-readiness.md`](docs/infosec-readiness.md) — IAM Proof Pack, threat model\n\n---\n\n**Found a bug?** [Open an issue](https://github.com/cleancloud-io/cleancloud/issues)\n\n**Feature request?** [Start a discussion](https://github.com/cleancloud-io/cleancloud/discussions)\n\n**Questions?** suresh@getcleancloud.com\n\n[MIT 
License](LICENSE)\n","funding_links":[],"categories":["Python"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcleancloud-io%2Fcleancloud","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcleancloud-io%2Fcleancloud","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcleancloud-io%2Fcleancloud/lists"}