{"id":13408269,"url":"https://github.com/cloud-custodian/cloud-custodian","last_synced_at":"2026-01-06T21:17:19.476Z","repository":{"id":37514091,"uuid":"52837350","full_name":"cloud-custodian/cloud-custodian","owner":"cloud-custodian","description":"Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources","archived":false,"fork":false,"pushed_at":"2025-09-09T13:27:25.000Z","size":136997,"stargazers_count":5798,"open_issues_count":1561,"forks_count":1562,"subscribers_count":167,"default_branch":"main","last_synced_at":"2025-09-09T16:35:07.740Z","etag":null,"topics":["aws","azure","cloud","cloud-computing","compliance","gcp","lambda","management","rules-engine","serverless"],"latest_commit_sha":null,"homepage":"https://cloudcustodian.io","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloud-custodian.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2016-03-01T01:11:20.000Z","updated_at":"2025-09-09T14:35:11.000Z","dependencies_parsed_at":"2023-09-22T00:51:30.976Z","dependency_job_id":"382351f6-a287-4570-967d-d0ffeffc4689","html_url":"https://github.com/cloud-custodian/cloud-custodian","commit_stats":{"total_commits":4269,"total_committers":487,"mean_commits":8.765913757700206,"dds":0.7001639728273601,"last_synced_commit":"feddf4fddc31dad9a581c3f0e0503cb3ee8e303f"},"previous_names":["capitalone/cloud-custodian"],"tags_count":121,"template":false,"template_full_name":null,"purl":"pkg:github/cloud-custodian/cloud-custodian","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-custodian%2Fcloud-custodian","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-custodian%2Fcloud-custodian/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-custodian%2Fcloud-custodian/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-custodian%2Fcloud-custodian/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloud-custodian","download_url":"https://codeload.github.com/cloud-custodian/cloud-custodian/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-custodian%2Fcloud-custodian/sbom","scorecard":{"id":265124,"data":{"date":"2025-08-11","repo":{"name":"github.com/cloud-custodian/cloud-custodian","commit":"8f0dd9febbaeff29a9eeee021bfe26c31432dac4"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":6.8,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:77","Info: jobLevel 'contents' permission set to 'read': .github/workflows/functional.yaml:15","Warn: jobLevel 'checks' permission set to 'write': .github/workflows/functional.yaml:16","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:14","Warn: jobLevel 'checks' permission set to 'write': .github/workflows/release.yml:15","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:78","Warn: jobLevel 'checks' permission set to 'write': .github/workflows/release.yml:79","Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Warn: no topLevel permission defined: .github/workflows/docker.yml:1","Warn: no topLevel permission defined: .github/workflows/functional.yaml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":5,"reason":"badge detected: Passing","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed","details":["Info: OSSFuzz integration found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":6,"reason":"dependency not pinned by hash detected -- score normalized to 6","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/functional.yaml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/cloud-custodian/cloud-custodian/functional.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/functional.yaml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/cloud-custodian/cloud-custodian/functional.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/functional.yaml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/cloud-custodian/cloud-custodian/functional.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/functional.yaml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/cloud-custodian/cloud-custodian/functional.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/functional.yaml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/cloud-custodian/cloud-custodian/functional.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/functional.yaml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/cloud-custodian/cloud-custodian/functional.yaml/main?enable=pin","Warn: downloadThenRun not pinned by hash: .github/workflows/ci.yml:48","Warn: pipCommand not pinned by hash: .github/workflows/release.yml:109","Info:  17 out of  20 GitHub-owned GitHubAction dependencies pinned","Info:   8 out of  11 third-party GitHubAction dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned","Info:   0 out of   1 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"42 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: PYSEC-2023-62 / GHSA-m2qf-hxjv-5gpq","Warn: Project is vulnerable to: PYSEC-2021-142 / GHSA-8q59-q68h-6hv4","Warn: Project is vulnerable to: PYSEC-2018-49","Warn: Project is vulnerable to: PYSEC-2017-41 / GHSA-x7c8-4x3h-874w","Warn: Project is vulnerable to: PYSEC-2019-126","Warn: Project is vulnerable to: GHSA-2g68-c3qc-8985","Warn: Project is vulnerable to: GHSA-f9vj-2wh5-fj8j","Warn: Project is vulnerable to: PYSEC-2019-140 / GHSA-gq9m-qvpx-68hc","Warn: Project is vulnerable to: PYSEC-2023-221 / GHSA-hrfv-mqp8-q5rw","Warn: Project is vulnerable to: GHSA-j544-7q9p-6xp8","Warn: Project is vulnerable to: PYSEC-2023-57 / GHSA-px8h-6qxv-m22q","Warn: Project is vulnerable to: GHSA-q34m-jh98-gwm2","Warn: Project is vulnerable to: PYSEC-2023-58 / GHSA-xg9f-g7g7-2323","Warn: Project is vulnerable to: PYSEC-2022-203","Warn: Project is vulnerable to: GO-2025-3829","Warn: Project is vulnerable to: GHSA-cpwx-vrp4-4pq7","Warn: Project is vulnerable to: GHSA-h5c8-rqwp-cp95","Warn: Project is vulnerable to: GHSA-h75v-3vvj-5mfj","Warn: Project is vulnerable to: GHSA-q2x7-8rv6-6q7h","Warn: Project is vulnerable to: PYSEC-2021-129 / GHSA-qhx9-7hx7-cp4r","Warn: Project is vulnerable to: PYSEC-2022-227 / GHSA-xhp9-4947-rq78","Warn: Project is vulnerable to: GHSA-9hjg-9r4m-mvj7","Warn: Project is vulnerable to: GHSA-9wx4-h78v-vm56","Warn: Project is vulnerable to: PYSEC-2023-74 / GHSA-j8r2-6x86-q33q","Warn: Project is vulnerable to: PYSEC-2018-28 / GHSA-x84v-xcm2-53pg","Warn: Project is vulnerable to: PYSEC-2020-99 / GHSA-537h-rv9q-vvph","Warn: Project is vulnerable to: PYSEC-2020-100 / GHSA-xrx6-fmxq-rjj2","Warn: Project is vulnerable to: PYSEC-2022-42986 / GHSA-43fp-rhv2-5gv8","Warn: Project is vulnerable to: PYSEC-2023-135 / GHSA-xqr8-7jwr-rhp7","Warn: Project is vulnerable to: PYSEC-2024-60 / GHSA-jjg7-2v4v-x38h","Warn: Project is vulnerable to: PYSEC-2019-124 / GHSA-38fc-9xqv-7f7q","Warn: Project is vulnerable to: PYSEC-2019-123 / GHSA-887w-45rq-vxgf","Warn: Project is vulnerable to: GHSA-34jh-p97f-mpxf","Warn: Project is vulnerable to: PYSEC-2023-212 / GHSA-g4mx-q9vg-27p4","Warn: Project is vulnerable to: PYSEC-2023-207 / GHSA-gwvm-45gx-3cf8","Warn: Project is vulnerable to: PYSEC-2019-133 / GHSA-mh33-7rrq-662w","Warn: Project is vulnerable to: GHSA-pq67-6m6q-mj2v","Warn: Project is vulnerable to: PYSEC-2019-132 / GHSA-r64q-w8jr-g9qp","Warn: Project is vulnerable to: PYSEC-2023-192 / GHSA-v845-jxx5-vc9f","Warn: Project is vulnerable to: PYSEC-2020-148 / GHSA-wqvq-5m8c-6g24","Warn: Project is vulnerable to: PYSEC-2018-32 / GHSA-www2-v7xj-xrc6","Warn: Project is vulnerable to: PYSEC-2021-108"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-17T11:49:05.383Z","repository_id":37514091,"created_at":"2025-08-17T11:49:05.383Z","updated_at":"2025-08-17T11:49:05.383Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274358906,"owners_count":25270681,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-09T02:00:10.223Z","response_time":80,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","azure","cloud","cloud-computing","compliance","gcp","lambda","management","rules-engine","serverless"],"created_at":"2024-07-30T20:00:51.783Z","updated_at":"2026-01-06T21:17:19.409Z","avatar_url":"https://github.com/cloud-custodian.png","language":"Python","readme":"Cloud Custodian (c7n)\n=================\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://cloudcustodian.io/img/logo_capone_devex_cloud_custodian.svg\" alt=\"Cloud Custodian Logo\" width=\"200px\" height=\"200px\" /\u003e\u003c/p\u003e\n\n---\n\n[![slack](https://img.shields.io/badge/slack-chat-yellow)](https://communityinviter.com/apps/cloud-custodian/c7n-chat)\n[![CI](https://github.com/cloud-custodian/cloud-custodian/workflows/CI/badge.svg?event=push)](https://github.com/cloud-custodian/cloud-custodian/actions?query=workflow%3ACI+branch%3Amaster+event%3Apush)\n[![](https://img.shields.io/badge/license-Apache%202-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0)\n[![](https://codecov.io/gh/cloud-custodian/cloud-custodian/branch/master/graph/badge.svg)](https://codecov.io/gh/cloud-custodian/cloud-custodian)\n[![](https://requires.io/github/cloud-custodian/cloud-custodian/requirements.svg?branch=master)](https://requires.io/github/cloud-custodian/cloud-custodian/requirements/?branch=master)\n[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/3402/badge)](https://bestpractices.coreinfrastructure.org/projects/3402)\n\nCloud Custodian, also known as c7n, is a rules engine for managing\npublic cloud accounts and resources. It allows users to define\npolicies to enable a well managed cloud infrastructure, that\\'s both\nsecure and cost optimized. It consolidates many of the adhoc scripts\norganizations have into a lightweight and flexible tool, with unified\nmetrics and reporting.\n\nCustodian can be used to manage AWS, Azure, and GCP environments by\nensuring real time compliance to security policies (like encryption and\naccess requirements), tag policies, and cost management via garbage\ncollection of unused resources and off-hours resource management.\n\nCustodian also supports running policies on infrastructure as code assets\nto provide feedback directly on developer workstations or within CI pipelines.\n\nCustodian policies are written in simple YAML configuration files that\nenable users to specify policies on a resource type (EC2, ASG, Redshift,\nCosmosDB, PubSub Topic) and are constructed from a vocabulary of filters\nand actions.\n\nIt integrates with the cloud native serverless capabilities of each\nprovider to provide for real time enforcement of policies with builtin\nprovisioning. Or it can be run as a simple cron job on a server to\nexecute against large existing fleets.\n\nCloud Custodian is a CNCF Incubating project, lead by a community of hundreds\nof contributors.\n\nFeatures\n--------\n\n-   Comprehensive support for public cloud services and resources with a\n    rich library of actions and filters to build policies with.\n-   Run policies on infrastructure as code (terraform, etc) assets.\t\n-   Supports arbitrary filtering on resources with nested boolean\n    conditions.\n-   Dry run any policy to see what it would do.\n-   Automatically provisions serverless functions and event sources (\n    AWS CloudWatchEvents, AWS Config Rules, Azure EventGrid, GCP\n    AuditLog \u0026 Pub/Sub, etc)\n-   Cloud provider native metrics outputs on resources that matched a\n    policy\n-   Structured outputs into cloud native object storage of which\n    resources matched a policy.\n-   Intelligent cache usage to minimize api calls.\n-   Supports multi-account/subscription/project usage.\n-   Battle-tested - in production on some very large cloud environments.\n\nLinks\n-----\n\n-   [Homepage](http://cloudcustodian.io)\n-   [Docs](http://cloudcustodian.io/docs/index.html)\n-   [Project Roadmap](https://github.com/orgs/cloud-custodian/projects/1)\n-   [Developer Install](https://cloudcustodian.io/docs/developer/installing.html)\n-   [Presentations](https://www.google.com/search?q=cloud+custodian\u0026source=lnms\u0026tbm=vid)\n-   [YouTube Channel](https://www.youtube.com/channel/UCdeXCdFLluylWnFfS0-jbDA)\n\nQuick Install\n-------------\n\nCustodian is published on pypi as a series of packages with the `c7n`\nprefix, its also available as a docker image.\n\n```shell\n$ python3 -m venv custodian\n$ source custodian/bin/activate\n(custodian) $ pip install c7n\n```\n\n\nUsage\n-----\n\nThe first step to using Cloud Custodian (c7n) is writing a YAML file\ncontaining the policies that you want to run. Each policy specifies\nthe resource type that the policy will run on, a set of filters which\ncontrol resources will be affected by this policy, actions which the policy\nwith take on the matched resources, and a mode which controls which\nhow the policy will execute.\n\nThe best getting started guides are the cloud provider specific tutorials.\n\n - [AWS Getting Started](https://cloudcustodian.io/docs/aws/gettingstarted.html)\n - [Azure Getting Started](https://cloudcustodian.io/docs/azure/gettingstarted.html)\n - [GCP Getting Started](https://cloudcustodian.io/docs/gcp/gettingstarted.html)\n\nAs a quick walk through, below are some sample policies for AWS resources.\n\n  1. will enforce that no S3 buckets have cross-account access enabled.\n  1. will terminate any newly launched EC2 instance that do not have an encrypted EBS volume.\n  1. will tag any EC2 instance that does not have the follow tags\n     \"Environment\", \"AppId\", and either \"OwnerContact\" or \"DeptID\" to\n     be stopped in four days.\n\n```yaml\npolicies:\n - name: s3-cross-account\n   description: |\n     Checks S3 for buckets with cross-account access and\n     removes the cross-account access.\n   resource: aws.s3\n   region: us-east-1\n   filters:\n     - type: cross-account\n   actions:\n     - type: remove-statements\n       statement_ids: matched\n\n - name: ec2-require-non-public-and-encrypted-volumes\n   resource: aws.ec2\n   description: |\n    Provision a lambda and cloud watch event target\n    that looks at all new instances and terminates those with\n    unencrypted volumes.\n   mode:\n    type: cloudtrail\n    role: CloudCustodian-QuickStart\n    events:\n      - RunInstances\n   filters:\n    - type: ebs\n      key: Encrypted\n      value: false\n   actions:\n    - terminate\n\n - name: tag-compliance\n   resource: aws.ec2\n   description: |\n     Schedule a resource that does not meet tag compliance policies to be stopped in four days. Note a separate policy using the`marked-for-op` filter is required to actually stop the instances after four days.\n   filters:\n    - State.Name: running\n    - \"tag:Environment\": absent\n    - \"tag:AppId\": absent\n    - or:\n      - \"tag:OwnerContact\": absent\n      - \"tag:DeptID\": absent\n   actions:\n    - type: mark-for-op\n      op: stop\n      days: 4\n```\n\nYou can validate, test, and run Cloud Custodian with the example policy with these commands:\n\n```shell\n# Validate the configuration (note this happens by default on run)\n$ custodian validate policy.yml\n\n# Dryrun on the policies (no actions executed) to see what resources\n# match each policy.\n$ custodian run --dryrun -s out policy.yml\n\n# Run the policy\n$ custodian run -s out policy.yml\n```\n\nYou can run Cloud Custodian via Docker as well:\n\n```shell\n# Download the image\n$ docker pull cloudcustodian/c7n\n$ mkdir output\n\n# Run the policy\n#\n# This will run the policy using only the environment variables for authentication\n$ docker run -it \\\n  -v $(pwd)/output:/home/custodian/output \\\n  -v $(pwd)/policy.yml:/home/custodian/policy.yml \\\n  --env-file \u003c(env | grep \"^AWS\\|^AZURE\\|^GOOGLE\") \\\n  cloudcustodian/c7n run -v -s /home/custodian/output /home/custodian/policy.yml\n\n# Run the policy (using AWS's generated credentials from STS)\n#\n# NOTE: We mount the ``.aws/credentials`` and ``.aws/config`` directories to\n# the docker container to support authentication to AWS using the same credentials\n# credentials that are available to the local user if authenticating with STS.\n\n$ docker run -it \\\n  -v $(pwd)/output:/home/custodian/output \\\n  -v $(pwd)/policy.yml:/home/custodian/policy.yml \\\n  -v $(cd ~ \u0026\u0026 pwd)/.aws/credentials:/home/custodian/.aws/credentials \\\n  -v $(cd ~ \u0026\u0026 pwd)/.aws/config:/home/custodian/.aws/config \\\n  --env-file \u003c(env | grep \"^AWS\") \\\n  cloudcustodian/c7n run -v -s /home/custodian/output /home/custodian/policy.yml\n```\n\nThe [custodian cask\ntool](https://cloudcustodian.io/docs/tools/cask.html) is a go binary\nthat provides a transparent front end to docker that mirors the regular\ncustodian cli, but automatically takes care of mounting volumes.\n\nConsult the documentation for additional information, or reach out on gitter.\n\nCloud Provider Specific Help\n----------------------------\n\nFor specific instructions for AWS, Azure, and GCP, visit the relevant getting started page.\n\n- [AWS](https://cloudcustodian.io/docs/aws/gettingstarted.html)\n- [Azure](https://cloudcustodian.io/docs/azure/gettingstarted.html)\n- [GCP](https://cloudcustodian.io/docs/gcp/gettingstarted.html)\n\nGet Involved\n------------\n\n-   [GitHub](https://github.com/cloud-custodian/cloud-custodian) - (This page)\n-   [Slack](https://communityinviter.com/apps/cloud-custodian/c7n-chat) - Real time chat if you're looking for help or interested in contributing to Custodian! \n    - [Gitter](https://gitter.im/cloud-custodian/cloud-custodian) - (Older real time chat, we're likely migrating away from this)\n-   [Linen.dev](https://www.linen.dev/s/cloud-custodian/c/general) - Follow our discussions on Linen\n-   [Mailing List](https://groups.google.com/forum/#!forum/cloud-custodian) - Our project mailing list, subscribe here for important project announcements, feel free to ask questions\n-   [Reddit](https://reddit.com/r/cloudcustodian) - Our subreddit\n-   [StackOverflow](https://stackoverflow.com/questions/tagged/cloudcustodian) - Q\u0026A site for developers, we keep an eye on the `cloudcustodian` tag\n-   [YouTube Channel](https://www.youtube.com/channel/UCdeXCdFLluylWnFfS0-jbDA/) - We're working on adding tutorials and other useful information, as well as meeting videos\n\nCommunity Resources\n-------------------\n\nWe have a regular community meeting that is open to all users and developers of every skill level.\nJoining the [mailing list](https://groups.google.com/forum/#!forum/cloud-custodian) will automatically send you a meeting invite. \nSee the notes below for more technical information on joining the meeting. \n\n- [Community Meeting Videos](https://www.youtube.com/watch?v=qy250y0UT-4\u0026list=PLJ2Un8H_N5uBeAAWK95SnWvm_AuNJ8q2x)\n- [Community Meeting Notes Archive](https://github.com/orgs/cloud-custodian/discussions/categories/announcements)\n- [Upcoming Community Events](https://cloudcustodian.io/events/)\n- [Cloud Custodian Annual Report 2021](https://github.com/cncf/toc/blob/main/reviews/2021-cloud-custodian-annual.md) - Annual health check provided to the CNCF outlining the health of the project\n- [Ada Logics Third Party Security Audit](https://ostif.org/cc-audit-complete/)\n\n\nAdditional Tools\n----------------\n\nThe Custodian project also develops and maintains a suite of additional\ntools here\n\u003chttps://github.com/cloud-custodian/cloud-custodian/tree/master/tools\u003e:\n\n- [**_Org_:**](https://cloudcustodian.io/docs/tools/c7n-org.html) Multi-account policy execution.\n\n- [**_ShiftLeft_:**](https://cloudcustodian.io/docs/tools/c7n-left.html) Shift Left ~ run policies against Infrastructure as Code assets like terraform.\n\n- [**_PolicyStream_:**](https://cloudcustodian.io/docs/tools/c7n-policystream.html) Git history as stream of logical policy changes.\n\n- [**_Salactus_:**](https://cloudcustodian.io/docs/tools/c7n-salactus.html) Scale out s3 scanning.\n\n- [**_Mailer_:**](https://cloudcustodian.io/docs/tools/c7n-mailer.html) A reference implementation of sending messages to users to notify them.\n\n- [**_Trail Creator_:**](https://cloudcustodian.io/docs/tools/c7n-trailcreator.html) Retroactive tagging of resources creators from CloudTrail\n\n- **_TrailDB_:** Cloudtrail indexing and time series generation for dashboarding.\n\n- [**_LogExporter_:**](https://cloudcustodian.io/docs/tools/c7n-logexporter.html) Cloud watch log exporting to s3\n\n- [**_Cask_:**](https://cloudcustodian.io/docs/tools/cask.html) Easy custodian exec via docker\n\n- [**_Guardian_:**](https://cloudcustodian.io/docs/tools/c7n-guardian.html) Automated multi-account Guard Duty setup\n\n- [**_Omni SSM_:**](https://cloudcustodian.io/docs/tools/omnissm.html) EC2 Systems Manager Automation\n\n- [**_Mugc_:**](https://github.com/cloud-custodian/cloud-custodian/tree/master/tools/ops#mugc) A utility used to clean up Cloud Custodian Lambda policies that are deployed in an AWS environment.\n\nContributing\n------------\n\nSee \u003chttps://cloudcustodian.io/docs/contribute.html\u003e\n\nSecurity\n--------\n\nIf you've found a security related issue, a vulnerability, or a\npotential vulnerability in Cloud Custodian please let the Cloud\n[Custodian Security Team](mailto:security@cloudcustodian.io) know with\nthe details of the vulnerability. We'll send a confirmation email to\nacknowledge your report, and we'll send an additional email when we've\nidentified the issue positively or negatively.\n\nCode of Conduct\n---------------\n\nThis project adheres to the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md)\n\nBy participating, you are expected to honor this code.\n\n","funding_links":[],"categories":["Policy as Code","Python","Public Cloud Governance","Infrastructure","Policy as code","Security Enabling Tools","Tools","Cloud Resources Inventory","Cloud Cost Management Tools and Services","Open Source Repos","cloud","Multi-Cloud Security"],"sub_categories":["Cloud Custodian","MultiCloud Governance","Regex","Open Source Tools","MultiCloud","DevOps","Others"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloud-custodian%2Fcloud-custodian","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloud-custodian%2Fcloud-custodian","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloud-custodian%2Fcloud-custodian/lists"}