cloud-audit 0.1.0__tar.gz

cloud_audit-0.1.0/.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,75 @@
+name: Bug Report
+description: Report a bug in cloud-audit
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for reporting a bug! Please fill out the information below.
+
+  - type: textarea
+    id: description
+    attributes:
+      label: What happened?
+      description: A clear description of the bug.
+      placeholder: Describe the bug...
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: What did you expect to happen?
+      placeholder: I expected...
+
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps to reproduce
+      description: Minimal steps to reproduce the issue.
+      placeholder: |
+        1. Run `cloud-audit scan --provider aws`
+        2. ...
+    validations:
+      required: true
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Error output
+      description: Paste any error messages or relevant output.
+      render: shell
+
+  - type: input
+    id: version
+    attributes:
+      label: cloud-audit version
+      description: "Run `cloud-audit version` to find out."
+      placeholder: "0.1.0"
+    validations:
+      required: true
+
+  - type: dropdown
+    id: python
+    attributes:
+      label: Python version
+      options:
+        - "3.10"
+        - "3.11"
+        - "3.12"
+        - "3.13"
+    validations:
+      required: true
+
+  - type: dropdown
+    id: os
+    attributes:
+      label: Operating system
+      options:
+        - Linux
+        - macOS
+        - Windows
+        - Docker
+    validations:
+      required: true

cloud_audit-0.1.0/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Question or Discussion
+    url: https://github.com/gebalamariusz/cloud-audit/discussions
+    about: Ask questions and discuss ideas here instead of opening an issue.

cloud_audit-0.1.0/.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,47 @@
+name: Feature Request
+description: Suggest a new check or feature
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for suggesting an improvement! Please describe your idea below.
+
+  - type: dropdown
+    id: type
+    attributes:
+      label: Type of request
+      options:
+        - New AWS check
+        - CLI improvement
+        - Report improvement
+        - New output format
+        - New cloud provider
+        - Other
+    validations:
+      required: true
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem or use case
+      description: What problem does this solve? Why is it needed?
+      placeholder: I want this because...
+    validations:
+      required: true
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed solution
+      description: How should it work? Be as specific as possible.
+      placeholder: It should...
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Have you considered any alternatives?
+      placeholder: I also considered...

cloud_audit-0.1.0/.github/dependabot.yml

@@ -0,0 +1,18 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+    open-pull-requests-limit: 5
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "ci"
+    open-pull-requests-limit: 5

cloud_audit-0.1.0/.github/pull_request_template.md

@@ -0,0 +1,18 @@
+## What
+
+<!-- Brief description of the change -->
+
+## Why
+
+<!-- What problem does this solve? Link to issue if applicable -->
+
+Closes #
+
+## Checklist
+
+- [ ] `ruff check src/ tests/` passes
+- [ ] `ruff format --check src/ tests/` passes
+- [ ] `mypy src/` passes
+- [ ] `pytest -v` passes
+- [ ] README updated (if adding a new check)
+- [ ] CHANGELOG updated

cloud_audit-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,56 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Lint & Format
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - run: pip install ruff
+      - run: ruff check src/ tests/
+      - run: ruff format --check src/ tests/
+
+  typecheck:
+    name: Type Check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - run: pip install -e ".[dev]"
+      - run: mypy src/
+
+  test:
+    name: Test (Python ${{ matrix.python-version }})
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - run: pip install -e ".[dev]"
+      - run: pytest -v --tb=short --cov=cloud_audit --cov-report=term-missing
+
+  docker:
+    name: Docker Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: docker build -t cloud-audit:test .
+      - run: docker run --rm cloud-audit:test version

cloud_audit-0.1.0/.github/workflows/release.yml

@@ -0,0 +1,41 @@
+name: Release to PyPI
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build distribution
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - run: pip install build
+      - run: python -m build
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish:
+    name: Publish to PyPI
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/cloud-audit
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - uses: pypa/gh-action-pypi-publish@release/v1

cloud_audit-0.1.0/.gitignore

@@ -0,0 +1,43 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.egg-info/
+*.egg
+dist/
+build/
+.eggs/
+
+# Virtual environments
+.venv/
+venv/
+
+# Environment variables
+.env
+.env.local
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+coverage.xml
+
+# Type checking
+.mypy_cache/
+
+# Linting
+.ruff_cache/
+
+# Reports (generated output, not source)
+*.html
+!src/cloud_audit/reports/templates/*.html.j2
+
+# OS
+.DS_Store
+Thumbs.db

cloud_audit-0.1.0/CHANGELOG.md

@@ -0,0 +1,30 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [0.1.0] - 2026-03-03
+
+### Added
+
+- Initial release
+- CLI interface with `scan` and `version` commands
+- 17 AWS security, cost, and reliability checks:
+  - **IAM:** Root MFA, user MFA, access key rotation, unused access keys
+  - **S3:** Public buckets, encryption at rest, versioning
+  - **EC2:** Public AMIs, unencrypted EBS volumes, stopped instances
+  - **VPC:** Default VPC usage, open security groups, flow logs
+  - **RDS:** Public instances, encryption at rest, Multi-AZ
+  - **EIP:** Unattached Elastic IPs
+- Health score (0-100) based on finding severity
+- HTML report with dark-mode design
+- JSON output for CI/CD integration
+- Docker image support
+- Rich terminal UI with progress bar and color-coded findings
+
+[Unreleased]: https://github.com/gebalamariusz/cloud-audit/compare/v0.1.0...HEAD
+[0.1.0]: https://github.com/gebalamariusz/cloud-audit/releases/tag/v0.1.0

cloud_audit-0.1.0/CLAUDE.md

@@ -0,0 +1,89 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Commands
+
+```bash
+# Install (editable, with dev deps)
+pip install -e ".[dev]"
+
+# Run CLI
+cloud-audit scan --provider aws --profile <name> --regions eu-central-1
+cloud-audit version
+
+# Tests
+pytest -v
+pytest tests/test_models.py -v              # single file
+pytest tests/test_models.py::test_name -v   # single test
+
+# Lint
+ruff check src/ tests/
+ruff format --check src/ tests/
+
+# Type check
+mypy src/
+
+# Docker
+docker build -t cloud-audit .
+docker run cloud-audit version
+```
+
+## Architecture
+
+```
+src/cloud_audit/
+├── cli.py              # Typer CLI entry point (scan, version commands)
+├── models.py           # Pydantic models: Finding, CheckResult, ScanSummary, ScanReport
+├── scanner.py          # Orchestrator: runs checks with Rich progress bar → ScanReport
+├── providers/
+│   ├── base.py         # BaseProvider ABC (get_account_id, get_checks, get_provider_name)
+│   └── aws/
+│       ├── provider.py # AWSProvider: boto3 session, region handling, check loading
+│       └── checks/     # One module per AWS service (iam, s3, ec2, vpc, rds, eip)
+└── reports/
+    ├── html.py         # Jinja2 renderer
+    └── templates/      # report.html.j2 (self-contained dark-mode HTML)
+```
+
+### Pipeline flow
+
+`CLI (cli.py)` → `Scanner (scanner.py)` → `Provider.get_checks()` → execute each check → aggregate into `ScanReport` → `_print_summary()` + optional HTML/JSON output.
+
+### Check registration pattern
+
+Each check module in `providers/aws/checks/` exports a `get_checks(provider)` function that returns `list[partial(check_fn, provider)]` with `.category` attribute attached to each partial for filtering.
+
+### Global vs. regional checks
+
+- **Global** (single API call): IAM, S3
+- **Regional** (loops `provider.regions`): EC2, RDS, VPC, EIP
+
+### Health score
+
+Starts at 100, subtracts per finding: CRITICAL=20, HIGH=10, MEDIUM=5, LOW=2. Floor at 0.
+
+### Error handling
+
+- Each check is wrapped in try/except — errors populate `CheckResult.error` without halting the scan.
+- CLI detects `all_errored` state (e.g., expired credentials) and shows "SCAN FAILED" panel with fix suggestions instead of a misleading score.
+
+## Adding a new check
+
+1. Create or edit a module in `src/cloud_audit/providers/aws/checks/`.
+2. Write a function `check_something(provider: AWSProvider) -> CheckResult`.
+3. Add it to the module's `get_checks()` return list with `.category` set.
+4. Register the module in `AWSProvider._CHECK_MODULES` list in `provider.py`.
+5. Update `README.md` checks table.
+
+## Adding a new provider
+
+1. Create `src/cloud_audit/providers/<name>/provider.py` implementing `BaseProvider`.
+2. Add the provider import to `cli.py`'s `scan()` command.
+
+## Key conventions
+
+- Python 3.10+ compatibility required (no `type` aliases, no `X | Y` in runtime annotations — use `from __future__ import annotations`).
+- Pydantic v2 models — immutable by default.
+- Ruff for linting (line-length=120, strict security rules enabled).
+- `S101` (assert) is ignored in ruff config for test compatibility.

cloud_audit-0.1.0/CODEOWNERS

@@ -0,0 +1,4 @@
+# Cloud-audit code owners
+# All changes require review from the maintainer
+
+* @gebalamariusz

cloud_audit-0.1.0/CODE_OF_CONDUCT.md

@@ -0,0 +1,40 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+
+Examples of unacceptable behavior:
+
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information without explicit permission
+* Other conduct which could reasonably be considered inappropriate
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the project maintainer at [kontakt@haitmg.pl](mailto:kontakt@haitmg.pl).
+
+All complaints will be reviewed and investigated and will result in a response
+that is deemed necessary and appropriate to the circumstances.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org),
+version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html](https://www.contributor-covenant.org/version/2/1/code_of_conduct.html).

cloud_audit-0.1.0/CONTRIBUTING.md

@@ -0,0 +1,166 @@
+# Contributing to cloud-audit
+
+Thank you for your interest in contributing to cloud-audit! This document provides guidelines and instructions for contributing.
+
+## How to Contribute
+
+1. **Fork** the repository
+2. **Create a branch** from `main` for your changes
+3. **Make your changes** following the guidelines below
+4. **Run checks** to ensure code quality
+5. **Submit a pull request** to `main`
+
+## Development Setup
+
+```bash
+git clone https://github.com/<your-username>/cloud-audit.git
+cd cloud-audit
+pip install -e ".[dev]"
+```
+
+## Code Quality Checks
+
+Before submitting a PR, make sure all checks pass:
+
+```bash
+# Lint
+ruff check src/ tests/
+
+# Format
+ruff format --check src/ tests/
+
+# Type check
+mypy src/
+
+# Tests
+pytest -v
+```
+
+## Adding a New AWS Check
+
+This is the most common contribution. Follow these steps:
+
+### 1. Create or edit a check module
+
+Check modules live in `src/cloud_audit/providers/aws/checks/`. Each module covers one AWS service.
+
+```python
+# src/cloud_audit/providers/aws/checks/cloudtrail.py
+
+from __future__ import annotations
+
+from functools import partial
+from typing import TYPE_CHECKING
+
+from cloud_audit.models import Category, CheckResult, Finding, Severity
+
+if TYPE_CHECKING:
+    from cloud_audit.providers.aws.provider import AWSProvider
+
+
+def check_cloudtrail_enabled(provider: AWSProvider) -> CheckResult:
+    """Check if CloudTrail is enabled with multi-region logging."""
+    result = CheckResult(
+        check_id="aws-ct-001",
+        check_name="CloudTrail enabled",
+    )
+
+    client = provider.session.client("cloudtrail")
+    trails = client.describe_trails()["trailList"]
+    result.resources_scanned = len(trails)
+
+    # ... check logic ...
+
+    return result
+
+
+def get_checks(provider: AWSProvider) -> list[partial[CheckResult]]:
+    checks = [
+        partial(check_cloudtrail_enabled, provider),
+    ]
+    for check in checks:
+        check.category = Category.SECURITY  # type: ignore[attr-defined]
+    return checks
+```
+
+### 2. Register the module
+
+Add the module name to `_CHECK_MODULES` in `src/cloud_audit/providers/aws/provider.py`:
+
+```python
+_CHECK_MODULES = [
+    "iam", "s3", "ec2", "vpc", "rds", "eip",
+    "cloudtrail",  # <-- add here
+]
+```
+
+### 3. Add tests
+
+Write tests using moto for AWS mocking:
+
+```python
+# tests/unit/aws/test_cloudtrail.py
+
+import boto3
+from moto import mock_aws
+
+def test_cloudtrail_enabled_pass():
+    """CloudTrail enabled should produce no findings."""
+    with mock_aws():
+        # Setup: create a trail
+        client = boto3.client("cloudtrail", region_name="eu-central-1")
+        client.create_trail(Name="main", S3BucketName="logs")
+        client.start_logging(Name="main")
+
+        # Run check and assert no findings
+        ...
+
+def test_cloudtrail_enabled_fail():
+    """No CloudTrail should produce a CRITICAL finding."""
+    with mock_aws():
+        # No trails created
+        # Run check and assert finding exists
+        ...
+```
+
+### 4. Update documentation
+
+- Add the check to the table in `README.md`
+- Add the check to `CHANGELOG.md` under `[Unreleased]`
+
+### 5. Submit
+
+Run all checks, then open a pull request.
+
+## Check Design Guidelines
+
+Every check in cloud-audit must follow these principles:
+
+1. **High-signal only** — Would an attacker exploit this? If not, don't add it.
+2. **Clear severity** — CRITICAL means "fix today", LOW means "nice to have".
+3. **Actionable recommendation** — Tell the user exactly what to do, not "consider enabling encryption".
+4. **Tested** — Every check needs at least one PASS and one FAIL test case.
+
+## Code Conventions
+
+- **Python 3.10+** — Use `from __future__ import annotations` in every file
+- **Pydantic v2** — All data models use Pydantic with immutable config
+- **Ruff** — Handles both linting and formatting (config in `pyproject.toml`)
+- **mypy strict** — All code must pass `mypy --strict`
+- **Line length** — 120 characters max
+
+## Reporting Bugs
+
+Use the [bug report template](https://github.com/gebalamariusz/cloud-audit/issues/new?template=bug_report.yml) on GitHub.
+
+## Suggesting Features
+
+Use the [feature request template](https://github.com/gebalamariusz/cloud-audit/issues/new?template=feature_request.yml) on GitHub.
+
+## Security Vulnerabilities
+
+**Do not open a public issue.** See [SECURITY.md](SECURITY.md) for responsible disclosure instructions.
+
+## License
+
+By contributing, you agree that your contributions will be licensed under the [MIT License](LICENSE).

cloud_audit-0.1.0/Dockerfile

@@ -0,0 +1,15 @@
+FROM python:3.12-slim AS base
+
+LABEL maintainer="Mariusz Gebala <kontakt@haitmg.pl>"
+LABEL org.opencontainers.image.source="https://github.com/gebalamariusz/cloud-audit"
+LABEL org.opencontainers.image.description="Scan your cloud infrastructure for security, cost, and reliability issues."
+
+WORKDIR /app
+
+COPY pyproject.toml README.md ./
+COPY src/ src/
+
+RUN pip install --no-cache-dir .
+
+ENTRYPOINT ["cloud-audit"]
+CMD ["scan", "--help"]

cloud_audit-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Mariusz Gebala / HAIT
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.