Top Related Projects
Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
Protect and discover secrets using Gitleaks 🔑
Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
Open Policy Agent (OPA) is an open source, general-purpose policy engine.
Cloud Native Runtime Security
Quick Overview
CloudSploit is an open-source project that provides cloud security scanning and auditing capabilities. It helps organizations identify misconfigurations, vulnerabilities, and security risks across various cloud platforms, including AWS, Azure, Google Cloud, and Oracle Cloud.
Pros
- Supports multiple cloud providers, offering comprehensive coverage
- Extensive set of pre-defined security checks and best practices
- Easily integrable into CI/CD pipelines for automated security scanning
- Regular updates to keep up with evolving cloud security standards
Cons
- Requires some technical expertise to set up and interpret results effectively
- May generate false positives in certain scenarios, requiring manual verification
- Limited customization options for specific organizational needs
- Documentation could be more comprehensive for advanced use cases
Getting Started
To get started with CloudSploit, follow these steps:
- Clone the repository:
  git clone https://github.com/aquasecurity/cloudsploit.git
- Install dependencies:
  cd cloudsploit
  npm install
- Configure your cloud provider credentials:
  export AWS_ACCESS_KEY_ID="your-access-key"
  export AWS_SECRET_ACCESS_KEY="your-secret-key"
- Run a scan (--console takes one of none, text or table):
  node index.js --console=table --config config.js
For more detailed instructions and advanced usage, refer to the project's documentation on GitHub.
Competitor Comparisons
Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
Pros of Terrascan
- Supports multiple Infrastructure as Code (IaC) tools, including Terraform, Kubernetes, Helm, and Dockerfiles
- Offers a wider range of policy categories, including security, operational efficiency, and reliability
- Provides a web UI for easier visualization and management of scan results
Cons of Terrascan
- Less focus on cloud-specific security checks compared to CloudSploit
- May require more setup and configuration for cloud-specific scans
- Smaller community and fewer contributors compared to CloudSploit
Code Comparison
Terrascan:
# Example of running a Terrascan scan
terrascan scan -i terraform -d /path/to/terraform/files
CloudSploit:
// Example of running a CloudSploit scan
const CloudSploit = require('cloudsploit');
CloudSploit.scan({
    cloud: 'aws',
    region: 'us-east-1'
});
Both tools offer command-line interfaces for running scans, but Terrascan's approach is more straightforward for IaC scanning, while CloudSploit is more focused on direct cloud provider API interactions.
Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
Pros of Checkov
- Supports a wider range of infrastructure-as-code (IaC) formats, including Terraform, CloudFormation, Kubernetes, Dockerfile, and more
- Offers a more extensive set of built-in policies and security checks
- Provides easier integration with CI/CD pipelines and developer workflows
Cons of Checkov
- May have a steeper learning curve due to its broader scope and feature set
- Can be slower to run on large codebases compared to CloudSploit's focused approach
Code Comparison
Checkov:
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck

class S3BucketEncryption(BaseResourceCheck):
    def __init__(self):
        name = "Ensure all S3 buckets employ encryption-at-rest"
        check_id = "CKV_AWS_19"
        supported_resources = ['aws_s3_bucket']
        categories = [CheckCategories.ENCRYPTION]
        super().__init__(name=name, check_id=check_id, categories=categories, supported_resources=supported_resources)
CloudSploit:
var async = require('async');
var helpers = require('../../../helpers/aws');
module.exports = {
    title: 'S3 Bucket Encryption',
    category: 'S3',
    description: 'Ensures S3 buckets have encryption enabled',
    more_info: 'S3 buckets should have encryption enabled to protect sensitive data stored in them.',
    recommended_action: 'Enable encryption for all S3 buckets.',
    link: 'https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html',
    apis: ['S3:listBuckets', 'S3:getBucketEncryption'],
Protect and discover secrets using Gitleaks 🔑
Pros of Gitleaks
- Focused specifically on detecting secrets and sensitive information in git repositories
- Lightweight and easy to integrate into CI/CD pipelines
- Supports scanning local repositories and remote URLs
Cons of Gitleaks
- Limited to git repositories, while CloudSploit covers multiple cloud providers
- Doesn't provide comprehensive cloud security auditing capabilities
- May require more manual configuration for custom secret patterns
Code Comparison
Gitleaks (Go):
func (d *Detector) Detect() ([]detectors.Result, error) {
    results := []detectors.Result{}
    for _, fragment := range d.Fragments {
        for _, r := range d.Rules {
            if match := r.Regex.FindStringSubmatch(fragment.Raw); len(match) > 0 {
                results = append(results, detectors.Result{
                    Fragment: fragment,
                    Rule:     r,
                    Match:    match[0],
                })
            }
        }
    }
    return results, nil
}
CloudSploit (JavaScript):
var async = require('async');
var plugins = require('./exports.js');
var complianceControls = require('./compliance/controls.js');
var AWSConfig = {
    accessKeyId: '',
    secretAccessKey: '',
    sessionToken: '',
    region: 'us-east-1'
};
var settings = {
    compliance: {
        standards: ['pci']
    }
};
Both repositories focus on security, but Gitleaks specializes in secret detection within git repositories, while CloudSploit provides broader cloud security auditing capabilities across multiple providers. The code snippets reflect their different approaches, with Gitleaks implementing secret detection logic and CloudSploit setting up cloud provider configurations and compliance standards.
Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
Pros of Prowler
- More comprehensive coverage of AWS services and security checks
- Actively maintained with frequent updates and community contributions
- Supports multiple output formats (HTML, JSON, CSV) for easy integration
Cons of Prowler
- Primarily focused on AWS, with limited support for other cloud providers
- Steeper learning curve due to more complex configuration options
- Requires more system resources for large-scale scans
Code Comparison
Prowler (Python):
def check_cloudtrail_enabled(self):
    cloudtrail_client = self.session.client('cloudtrail')
    trails = cloudtrail_client.describe_trails()
    if not trails['trailList']:
        return False
    return True
CloudSploit (JavaScript):
const getTrails = (cache, region) => {
    const listTrails = helpers.addSource(cache, source,
        ['cloudtrail', 'listTrails', region]);
    return listTrails && listTrails.data ? listTrails.data : [];
};
Both projects use cloud provider SDKs to retrieve information about services and perform security checks. Prowler's code is generally more verbose and structured, while CloudSploit's code is more concise and relies heavily on helper functions.
Open Policy Agent (OPA) is an open source, general-purpose policy engine.
Pros of OPA
- More versatile and can be used for general policy enforcement across various domains
- Supports a declarative policy language (Rego) for writing complex policies
- Integrates with multiple systems and can be embedded in applications
Cons of OPA
- Steeper learning curve due to its more general-purpose nature
- Requires more setup and configuration for cloud security specific use cases
- May need additional tooling or custom development for cloud provider integrations
Code Comparison
CloudSploit example (JavaScript):
var helpers = require('../helpers');
var globals = require('./globals');
module.exports = {
    title: 'Open All Ports',
    category: 'EC2',
OPA example (Rego):
package ec2
import data.aws.ec2
deny[msg] {
    sg := ec2.security_groups[_]
    rule := sg.ip_permissions[_]
Summary
CloudSploit is specifically designed for cloud security auditing, while OPA is a more general-purpose policy engine. CloudSploit offers out-of-the-box cloud security checks, whereas OPA provides flexibility to define custom policies across various domains. CloudSploit may be easier to set up for cloud security specifically, but OPA offers more extensibility and integration options for broader policy enforcement needs.
Cloud Native Runtime Security
Pros of Falco
- Real-time threat detection and alerting for runtime security
- Extensive rule set for detecting various security threats and anomalies
- Supports multiple container runtimes and cloud environments
Cons of Falco
- Steeper learning curve due to its complex rule language
- Higher resource consumption compared to static analysis tools
- Limited focus on cloud configuration auditing
Code Comparison
Falco rule example:
- rule: Unauthorized Process
  desc: Detect unauthorized process execution
  condition: spawned_process and not proc.name in (authorized_processes)
  output: Unauthorized process started (user=%user.name command=%proc.cmdline)
  priority: WARNING
CloudSploit check example:
module.exports = {
    title: 'Open SSH',
    category: 'EC2',
    description: 'Ensures SSH (port 22) is not open to the public',
    more_info: 'While some ports are required to be open...',
    link: 'http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/...',
    recommended_action: 'Restrict SSH access to trusted IP addresses',
    apis: ['EC2:describeSecurityGroups'],
    // ... (implementation details)
};
Falco focuses on runtime behavior analysis, while CloudSploit primarily performs static configuration checks for cloud environments. Falco offers more dynamic security monitoring, whereas CloudSploit excels in identifying misconfigurations and compliance issues in cloud infrastructure.
README
CloudSploit by Aqua - Cloud Security Scans
Quick Start
Generic
$ git clone https://github.com/aquasecurity/cloudsploit.git
$ cd cloudsploit
$ npm install
$ ./index.js -h
Docker
$ git clone https://github.com/aquasecurity/cloudsploit.git
$ cd cloudsploit
$ docker build . -t cloudsploit:0.0.1
$ docker run cloudsploit:0.0.1 -h
$ docker run -e AWS_ACCESS_KEY_ID=XX -e AWS_SECRET_ACCESS_KEY=YY cloudsploit:0.0.1 --compliance=pci
Documentation
- Background
- Deployment Options
- Installation
- Configuration
- Running
- CLI Options
- Compliance
- Output Formats
- Suppressions
- Running a Single Plugin
- Architecture
- Writing a Plugin
- Other Notes
Background
CloudSploit by Aqua is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub. These scripts are designed to return a series of potential misconfigurations and security risks.
Deployment Options
CloudSploit is available in two deployment options:
Self-Hosted
Follow the instructions below to deploy the open-source version of CloudSploit on your machine in just a few simple steps.
Hosted at Aqua Wave
A commercial version of CloudSploit hosted at Aqua Wave. Try Aqua Wave today!
Installation
Ensure that NodeJS is installed. If not, install it from here.
$ git clone git@github.com:cloudsploit/scans.git
$ npm install
Configuration
CloudSploit requires read-only permission to your cloud account. Follow the guides below to provision this access:
For AWS, you can run CloudSploit directly and it will detect credentials using the default AWS credential chain.
CloudSploit Config File
The CloudSploit config file allows you to pass cloud provider credentials by:
- A JSON file on your file system
- Environment variables
- Hard-coding (not recommended)
Start by copying the example config file:
$ cp config_example.js config.js
Edit the config file by uncommenting the relevant sections for the cloud provider you are testing. Each cloud has both a credential_file option, as well as inline options. For example:
azure: {
    // OPTION 1: If using a credential JSON file, enter the path below
    // credential_file: '/path/to/file.json',
    // OPTION 2: If using hard-coded credentials, enter them below
    // application_id: process.env.AZURE_APPLICATION_ID || '',
    // key_value: process.env.AZURE_KEY_VALUE || '',
    // directory_id: process.env.AZURE_DIRECTORY_ID || '',
    // subscription_id: process.env.AZURE_SUBSCRIPTION_ID || ''
}
Credential Files
If you use the credential_file option, point to a file in your file system that follows the correct format for the cloud you are using.
AWS
{
    "accessKeyId": "YOURACCESSKEY",
    "secretAccessKey": "YOURSECRETKEY"
}
Azure
{
    "ApplicationID": "YOURAZUREAPPLICATIONID",
    "KeyValue": "YOURAZUREKEYVALUE",
    "DirectoryID": "YOURAZUREDIRECTORYID",
    "SubscriptionID": "YOURAZURESUBSCRIPTIONID"
}
GCP
Note: For GCP, you generate a JSON file directly from the GCP console, which you should not edit.
{
    "type": "service_account",
    "project": "GCPPROJECTNAME",
    "client_email": "GCPCLIENTEMAIL",
    "private_key": "GCPPRIVATEKEY"
}
Oracle OCI
{
    "tenancyId": "YOURORACLETENANCYID",
    "compartmentId": "YOURORACLECOMPARTMENTID",
    "userId": "YOURORACLEUSERID",
    "keyFingerprint": "YOURORACLEKEYFINGERPRINT",
    "keyValue": "YOURORACLEKEYVALUE"
}
Environment Variables
CloudSploit supports passing environment variables, but you must first uncomment the section of your config.js file relevant to the cloud provider being scanned.
You can then pass the variables listed in each section. For example, for AWS:
{
    access_key: process.env.AWS_ACCESS_KEY_ID || '',
    secret_access_key: process.env.AWS_SECRET_ACCESS_KEY || '',
    session_token: process.env.AWS_SESSION_TOKEN || '',
}
Running
To run a standard scan, showing all outputs and results, simply run:
$ ./index.js
CLI Options
CloudSploit supports many options to customize the run time. Some popular options include:
- AWS GovCloud support: --govcloud
- AWS China support: --china
- Save the raw cloud provider response data: --collection=file.json
- Ignore passing (OK) results: --ignore-ok
- Exit with a non-zero code if non-passing results are found: --exit-code
  - This is a good option for CI/CD systems
- Change the output from a table to raw text: --console=text
See Output Formats below for more output options.
Full list of options:
$ ./index.js -h
[ASCII-art banner reading "CloudSploit"]
CloudSploit by Aqua Security, Ltd.
Cloud security auditing for AWS, Azure, GCP, Oracle, and GitHub
usage: index.js [-h] --config CONFIG [--compliance {hipaa,cis,cis1,cis2,pci}] [--plugin PLUGIN] [--govcloud] [--china] [--csv CSV] [--json JSON] [--junit JUNIT]
[--table] [--console {none,text,table}] [--collection COLLECTION] [--ignore-ok] [--exit-code] [--skip-paginate] [--suppress SUPPRESS]
optional arguments:
-h, --help show this help message and exit
--config CONFIG
The path to a cloud provider credentials file.
--compliance {hipaa,cis,cis1,cis2,pci}
Compliance mode. Only return results applicable to the selected program.
--plugin PLUGIN A specific plugin to run. If none provided, all plugins will be run. Obtain from the exports.js file. E.g. acmValidation
--govcloud AWS only. Enables GovCloud mode.
--china AWS only. Enables AWS China mode.
--csv CSV Output: CSV file
--json JSON Output: JSON file
--junit JUNIT Output: Junit file
--table Output: table
--console {none,text,table}
Console output format. Default: table
--collection COLLECTION
Output: full collection JSON as file
--ignore-ok Ignore passing (OK) results
--exit-code Exits with a non-zero status code if non-passing results are found
--skip-paginate AWS only. Skips pagination (for debugging).
--suppress SUPPRESS Suppress results matching the provided Regex. Format: pluginId:region:resourceId
Compliance
CloudSploit supports mapping of its plugins to particular compliance policies. To run the compliance scan, use the --compliance flag. For example:
$ ./index.js --compliance=hipaa
$ ./index.js --compliance=pci
Multiple compliance modes can be run at the same time:
$ ./index.js --compliance=cis1 --compliance=cis2
CloudSploit currently supports the following compliance mappings:
HIPAA
$ ./index.js --compliance=hipaa
HIPAA scans map CloudSploit plugins to the Health Insurance Portability and Accountability Act of 1996.
PCI
$ ./index.js --compliance=pci
PCI scans map CloudSploit plugins to the Payment Card Industry Data Security Standard.
CIS Benchmarks
$ ./index.js --compliance=cis
$ ./index.js --compliance=cis1
$ ./index.js --compliance=cis2
CIS Benchmarks are supported, both for Level 1 and Level 2 controls. Passing --compliance=cis will run both level 1 and level 2 controls.
Output Formats
CloudSploit supports output in several formats for consumption by other tools. If you do not specify otherwise, CloudSploit writes output to standard output (the console) as a table.
Note: You can pass multiple output formats and combine options for further customization. For example:
# Print a table to the console and save a CSV file
$ ./index.js --csv=file.csv --console=table
# Print text to the console and save a JSON and JUnit file while ignoring passing results
$ ./index.js --json=file.json --junit=file.xml --console=text --ignore-ok
Console Output
By default, CloudSploit results are printed to the console in a table format (with colors). You can override this and use plain text instead, by running:
$ ./index.js --console=text
Alternatively, you can suppress the console output entirely by running:
$ ./index.js --console=none
Ignoring Passing Results
You can ignore results from output that return an OK status by passing a --ignore-ok command-line argument.
CSV
$ ./index.js --csv=file.csv
JSON
$ ./index.js --json=file.json
JUnit XML
$ ./index.js --junit=file.xml
Collection Output
CloudSploit saves the data queried from the cloud provider APIs in JSON format, which can be saved alongside other files for debugging or historical purposes.
$ ./index.js --collection=file.json
Suppressions
Results can be suppressed by passing the --suppress flag (multiple options are supported) with the following format:
--suppress pluginId:region:resourceId
For example:
# Suppress all results for the acmValidation plugin
$ ./index.js --suppress acmValidation:*:*
# Suppress all us-east-1 region results
$ ./index.js --suppress *:us-east-1:*
# Suppress all results matching the regex "certificate/*" in all regions for all plugins
$ ./index.js --suppress *:*:certificate/*
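As an added example (not CloudSploit's own code), the following JavaScript applies the --suppress, --ignore-ok and --exit-code semantics described above to a set of scan results, so the behaviour of those three options can be seen on concrete data. The result object shape {plugin, region, resource, status, message}, the sample results, and the matching rules are all assumptions made for this example: "*" is treated as a wildcard, the pluginId and region components are matched whole, and the resourceId component is searched within the resource ID (so the README's certificate/* pattern also hits a full certificate ARN). CloudSploit's own matcher may differ in detail.

```javascript
// Added example, not CloudSploit's own code: post-process scan results the
// way the README describes --suppress, --ignore-ok and --exit-code.

// Constructed sample results (shape assumed for this example). The resource
// field may be an ARN, which itself contains colons.
const SAMPLE_RESULTS = [
  { plugin: 'acmValidation', region: 'us-east-1',
    resource: 'arn:aws:acm:us-east-1:123456789012:certificate/abc-123',
    status: 'FAIL', message: 'Certificate validation is pending' },
  { plugin: 'openSSH', region: 'us-east-1', resource: 'sg-0123',
    status: 'FAIL', message: 'Security group allows SSH from 0.0.0.0/0' },
  { plugin: 'openSSH', region: 'eu-west-1', resource: 'sg-0456',
    status: 'OK', message: 'No public SSH access' },
  { plugin: 's3Encryption', region: 'global', resource: 'my-bucket',
    status: 'WARN', message: 'Bucket is not encrypted with a customer-managed key' },
];

// Escape regex metacharacters so dots and parentheses in IDs match literally.
function escapeRegex(s) {
  return s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
}

// Turn a glob-style component into a RegExp: "*" becomes `any`, everything
// else is literal. `anchored` decides between whole-value and search match.
function globToRegex(component, any, anchored) {
  const body = component.split('*').map(escapeRegex).join(any);
  return new RegExp(anchored ? '^' + body + '$' : body);
}

// Parse "pluginId:region:resourceId". Only the first two colons separate
// fields, so the resource pattern may itself contain colons (a full ARN).
function compileSuppression(pattern) {
  const [plugin, region, ...rest] = pattern.split(':');
  if (rest.length === 0) {
    throw new Error('bad suppression "' + pattern + '": expected pluginId:region:resourceId');
  }
  return {
    plugin: globToRegex(plugin, '[^:]*', true),   // never contains colons
    region: globToRegex(region, '[^:]*', true),   // never contains colons
    resource: globToRegex(rest.join(':'), '.*', false), // searched within the ID
  };
}

function isSuppressed(result, compiled) {
  return compiled.some(s =>
    s.plugin.test(result.plugin) &&
    s.region.test(result.region) &&
    s.resource.test(result.resource));
}

// options: { suppress: [patterns], ignoreOk: bool, exitCode: bool }
function postProcess(results, options = {}) {
  const compiled = (options.suppress || []).map(compileSuppression);
  const unsuppressed = results.filter(r => !isSuppressed(r, compiled));
  // Suppressed findings are gone for good; --ignore-ok only trims what is
  // shown, so the exit code is decided before that filter is applied.
  const hasFindings = unsuppressed.some(r => r.status !== 'OK');
  const shown = options.ignoreOk ? unsuppressed.filter(r => r.status !== 'OK') : unsuppressed;
  return { results: shown, exitCode: options.exitCode && hasFindings ? 1 : 0 };
}

// Stand-alone demo: suppress the ACM plugin and anything under certificate/,
// hide OK rows, and report the exit code a CI job would see.
console.log(JSON.stringify(postProcess(SAMPLE_RESULTS, {
  suppress: ['acmValidation:*:*', '*:*:certificate/*'],
  ignoreOk: true,
  exitCode: true,
}), null, 2));
```

The colon handling is the part worth copying: splitting a suppression on every colon would silently break any pattern whose resource component is an ARN, so only the first two colons are treated as field separators.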
Running a Single Plugin
The --plugin flag can be used if you only wish to run one plugin.
$ ./index.js --plugin acmValidation
Architecture
CloudSploit works in two phases. First, it queries the cloud infrastructure APIs for various metadata about your account, namely the "collection" phase. Once all the necessary data is collected, the result is passed to the "scanning" phase. The scan uses the collected data to search for potential misconfigurations, risks, and other security issues, which are the resulting output.
Writing a Plugin
Please see our contribution guidelines and complete guide to writing CloudSploit plugins.
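To make the two-phase architecture and the plugin shape concrete, here is an added example that is not CloudSploit's own code: a toy collection phase that returns constructed describeSecurityGroups responses (one region succeeds, one returns an error), simplified stand-ins for the addSource/addResult helpers, and an "Open SSH" plugin written in the shape of the README's snippet that flags security groups exposing port 22 to 0.0.0.0/0 or ::/0. The helper signatures, the cache layout, the numeric status codes and the sample data are assumptions made for this example; the real helpers/aws module is more elaborate.

```javascript
// Added example, not CloudSploit's own code. Shows collection -> scanning
// with a plugin in the README's shape. Helpers and data are simplified stand-ins.

// --- Phase 1: collection. Constructed responses stand in for real EC2 calls;
// the per-region entry carries either `data` or `err`, which is assumed here.
function collect() {
  return {
    ec2: {
      describeSecurityGroups: {
        'us-east-1': {
          data: [
            { GroupId: 'sg-0aaa', GroupName: 'bastion', IpPermissions: [
              { IpProtocol: 'tcp', FromPort: 22, ToPort: 22,
                IpRanges: [{ CidrIp: '0.0.0.0/0' }], Ipv6Ranges: [] } ] },
            { GroupId: 'sg-0bbb', GroupName: 'internal', IpPermissions: [
              { IpProtocol: 'tcp', FromPort: 22, ToPort: 22,
                IpRanges: [{ CidrIp: '10.0.0.0/8' }], Ipv6Ranges: [] } ] },
            { GroupId: 'sg-0ccc', GroupName: 'wide-open', IpPermissions: [
              { IpProtocol: '-1', IpRanges: [{ CidrIp: '0.0.0.0/0' }], Ipv6Ranges: [] } ] },
          ],
        },
        'eu-west-1': { err: 'constructed: AccessDenied' },
      },
    },
  };
}

// --- Simplified helpers (stand-ins for helpers/aws, not the project's code).
const STATUS = { OK: 0, WARN: 1, FAIL: 2, UNKNOWN: 3 };
const helpers = {
  regions: () => ['us-east-1', 'eu-west-1'],
  // Look up [service, call, region] in the cache and record it in `source`
  // so the scan output can show exactly which collected data it relied on.
  addSource(cache, source, path) {
    const [service, call, region] = path;
    const entry = ((cache[service] || {})[call] || {})[region];
    source[service] = source[service] || {};
    source[service][call] = source[service][call] || {};
    source[service][call][region] = entry;
    return entry;
  },
  addResult(results, status, message, region, resource) {
    results.push({ status, message, region, resource: resource || null });
  },
};

// True if an ingress rule covers `port` and is open to the whole internet.
// IpProtocol '-1' means all protocols and ports.
function ruleExposesPort(rule, port) {
  const coversPort = rule.IpProtocol === '-1' ||
    (rule.FromPort != null && rule.ToPort != null && rule.FromPort <= port && port <= rule.ToPort);
  const publicV4 = (rule.IpRanges || []).some(r => r.CidrIp === '0.0.0.0/0');
  const publicV6 = (rule.Ipv6Ranges || []).some(r => r.CidrIpv6 === '::/0');
  return coversPort && (publicV4 || publicV6);
}

// --- Phase 2: the plugin, in the shape of the README's "Open SSH" snippet.
const openSSH = {
  title: 'Open SSH',
  category: 'EC2',
  description: 'Ensures SSH (port 22) is not open to the public',
  apis: ['EC2:describeSecurityGroups'],
  run(cache, settings, callback) {
    const results = [];
    const source = {};
    for (const region of helpers.regions(settings)) {
      const describeSecurityGroups = helpers.addSource(cache, source,
        ['ec2', 'describeSecurityGroups', region]);
      if (!describeSecurityGroups) continue; // nothing collected for this region
      if (describeSecurityGroups.err || !describeSecurityGroups.data) {
        // A failed collection is reported, not silently treated as "no findings".
        helpers.addResult(results, STATUS.UNKNOWN,
          'Unable to query for security groups: ' + describeSecurityGroups.err, region);
        continue;
      }
      for (const sg of describeSecurityGroups.data) {
        const exposed = (sg.IpPermissions || []).some(rule => ruleExposesPort(rule, 22));
        helpers.addResult(results, exposed ? STATUS.FAIL : STATUS.OK,
          'Security group ' + sg.GroupName + (exposed
            ? ' allows SSH from the public internet'
            : ' does not expose SSH publicly'), region, sg.GroupId);
      }
    }
    callback(null, results, source);
  },
};

// Run one plugin against a collected cache; the callback is synchronous here.
function scan(cache, plugin) {
  let out;
  plugin.run(cache, {}, (err, results, source) => { out = { err, results, source }; });
  return out;
}

console.log(JSON.stringify(scan(collect(), openSSH).results, null, 2));
```

Two details are deliberate: a region whose collection failed produces an UNKNOWN result rather than disappearing, and the protocol "-1" case is handled, because an "all traffic" rule exposes port 22 even though it names no port range.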
Writing a remediation
The --remediate flag can be used if you want to run remediation for the plugins mentioned as part of this argument. This takes a list of plugin names.
Please see our developing remediation guide for more details.
Other Notes
For other details about the Aqua Wave SaaS product, AWS security policies, and more, click here.