cloud-audit 2.0.0__tar.gz → 2.0.1__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (137)
  1. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/CHANGELOG.md +6 -0
  2. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/PKG-INFO +69 -85
  3. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/README.md +66 -83
  4. cloud_audit-2.0.1/ROADMAP.md +95 -0
  5. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/mkdocs.yml +7 -3
  6. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/pyproject.toml +3 -2
  7. cloud_audit-2.0.0/ROADMAP.md +0 -149
  8. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.cloud-audit.example.yml +0 -0
  9. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.github/FUNDING.yml +0 -0
  10. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.github/ISSUE_TEMPLATE/bug_report.yml +0 -0
  11. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.github/ISSUE_TEMPLATE/config.yml +0 -0
  12. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.github/ISSUE_TEMPLATE/feature_request.yml +0 -0
  13. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.github/dependabot.yml +0 -0
  14. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.github/workflows/ci.yml +0 -0
  15. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.github/workflows/docs.yml +0 -0
  16. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.github/workflows/example-scan.yml +0 -0
  17. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.github/workflows/release.yml +0 -0
  18. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.gitignore +0 -0
  19. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.mcp.json +0 -0
  20. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.pre-commit-hooks.yaml +0 -0
  21. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/CODEOWNERS +0 -0
  22. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/CODE_OF_CONDUCT.md +0 -0
  23. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/CONTRIBUTING.md +0 -0
  24. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/Dockerfile +0 -0
  25. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/LICENSE +0 -0
  26. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/Makefile +0 -0
  27. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/SECURITY.md +0 -0
  28. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/action.yml +0 -0
  29. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/assets/demo.gif +0 -0
  30. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/assets/logo-nobg.png +0 -0
  31. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/assets/logo.png +0 -0
  32. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/assets/report-preview.png +0 -0
  33. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/assets/social-preview.png +0 -0
  34. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/examples/daily-scan-with-diff.yml +0 -0
  35. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/examples/github-actions.yml +0 -0
  36. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/examples/post-deploy-scan.yml +0 -0
  37. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/scripts/generate_demo_gif.py +0 -0
  38. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/scripts/generate_report_screenshot.py +0 -0
  39. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/__init__.py +0 -0
  40. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/__main__.py +0 -0
  41. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/cli.py +0 -0
  42. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/compliance/__init__.py +0 -0
  43. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/compliance/engine.py +0 -0
  44. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/compliance/frameworks/bsi_c5_2020.json +0 -0
  45. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/compliance/frameworks/cis_aws_v3.json +0 -0
  46. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/compliance/frameworks/hipaa_security.json +0 -0
  47. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/compliance/frameworks/iso27001_2022.json +0 -0
  48. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/compliance/frameworks/nis2_directive.json +0 -0
  49. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/compliance/frameworks/soc2_type2.json +0 -0
  50. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/config.py +0 -0
  51. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/correlate.py +0 -0
  52. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/cost_model.py +0 -0
  53. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/diff.py +0 -0
  54. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/history.py +0 -0
  55. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/mcp_server.py +0 -0
  56. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/models.py +0 -0
  57. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/__init__.py +0 -0
  58. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/__init__.py +0 -0
  59. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/__init__.py +0 -0
  60. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/account.py +0 -0
  61. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/backup.py +0 -0
  62. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/bedrock.py +0 -0
  63. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/cloudtrail.py +0 -0
  64. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/cloudwatch.py +0 -0
  65. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/config_.py +0 -0
  66. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/ec2.py +0 -0
  67. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/ecs.py +0 -0
  68. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/efs.py +0 -0
  69. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/eip.py +0 -0
  70. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/guardduty.py +0 -0
  71. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/iam.py +0 -0
  72. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/inspector.py +0 -0
  73. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/kms.py +0 -0
  74. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/lambda_.py +0 -0
  75. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/rds.py +0 -0
  76. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/s3.py +0 -0
  77. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/sagemaker.py +0 -0
  78. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/secrets.py +0 -0
  79. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/securityhub.py +0 -0
  80. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/ssm.py +0 -0
  81. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/vpc.py +0 -0
  82. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/waf.py +0 -0
  83. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/iam_analyzer.py +0 -0
  84. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/provider.py +0 -0
  85. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/base.py +0 -0
  86. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/py.typed +0 -0
  87. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/reports/__init__.py +0 -0
  88. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/reports/compliance_html.py +0 -0
  89. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/reports/compliance_markdown.py +0 -0
  90. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/reports/diff_markdown.py +0 -0
  91. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/reports/html.py +0 -0
  92. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/reports/markdown.py +0 -0
  93. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/reports/sarif.py +0 -0
  94. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/reports/templates/report.html.j2 +0 -0
  95. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/root_cause.py +0 -0
  96. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/scanner.py +0 -0
  97. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/simulate.py +0 -0
  98. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/__init__.py +0 -0
  99. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/__init__.py +0 -0
  100. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_bedrock.py +0 -0
  101. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_cis_checks.py +0 -0
  102. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_cloudtrail.py +0 -0
  103. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_cloudwatch.py +0 -0
  104. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_config.py +0 -0
  105. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_ec2.py +0 -0
  106. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_ecs.py +0 -0
  107. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_eip.py +0 -0
  108. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_guardduty.py +0 -0
  109. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_iam.py +0 -0
  110. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_iam_analyzer.py +0 -0
  111. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_kms.py +0 -0
  112. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_lambda.py +0 -0
  113. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_rds.py +0 -0
  114. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_s3.py +0 -0
  115. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_sagemaker.py +0 -0
  116. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_secrets.py +0 -0
  117. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_ssm.py +0 -0
  118. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_vpc.py +0 -0
  119. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/conftest.py +0 -0
  120. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_cli.py +0 -0
  121. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_cli_scan.py +0 -0
  122. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_compliance_frameworks.py +0 -0
  123. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_config.py +0 -0
  124. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_correlate.py +0 -0
  125. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_cost_model.py +0 -0
  126. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_diff.py +0 -0
  127. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_history.py +0 -0
  128. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_html.py +0 -0
  129. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_markdown.py +0 -0
  130. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_mcp_server.py +0 -0
  131. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_models.py +0 -0
  132. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_provider.py +0 -0
  133. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_root_cause.py +0 -0
  134. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_sarif.py +0 -0
  135. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_scanner.py +0 -0
  136. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_simulate.py +0 -0
  137. {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_soc2_framework.py +0 -0
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ## [2.0.1] - 2026-04-17
11
+
12
+ ### Changed
13
+
14
+ - Canonical project Homepage in PyPI metadata now points to https://haitmg.pl/cloud-audit/ (was the GitHub repo URL). GitHub remains linked via the `Source` and `Repository` fields. No code changes.
15
+
10
16
  ## [2.0.0] - 2026-04-14
11
17
 
12
18
  ### Added
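Review bot: the 2.0.1 entry understates the release. The file list shows README.md (+66 -83), PKG-INFO (+69 -85), mkdocs.yml (+7 -3) and a wholesale ROADMAP.md replacement (old file removed at +0 -149, new one added at +95 -0), so "No code changes" is accurate but the entry should also mention the README rewrite, the new "What's New in 2.0" table and the roadmap replacement; a user diffing releases will otherwise assume only metadata moved. If the changelog keeps link references for version headings (the `[2.0.0]` style suggests it), add the matching `[2.0.1]:` reference as well.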
@@ -1,9 +1,10 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: cloud-audit
3
- Version: 2.0.0
3
+ Version: 2.0.1
4
4
  Summary: Open-source AWS security scanner with IAM escalation detection, What-If simulator, security trends, AI-SPM (Bedrock/SageMaker), 6 compliance frameworks, 31 attack chain rules, breach cost estimation, and MCP server. 94 checks across 23 services. Every finding includes CLI + Terraform remediation.
5
- Project-URL: Homepage, https://github.com/gebalamariusz/cloud-audit
5
+ Project-URL: Homepage, https://haitmg.pl/cloud-audit/
6
6
  Project-URL: Documentation, https://haitmg.pl/cloud-audit/
7
+ Project-URL: Source, https://github.com/gebalamariusz/cloud-audit
7
8
  Project-URL: Repository, https://github.com/gebalamariusz/cloud-audit
8
9
  Project-URL: Issues, https://github.com/gebalamariusz/cloud-audit/issues
9
10
  Project-URL: Changelog, https://github.com/gebalamariusz/cloud-audit/blob/main/CHANGELOG.md
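Review bot: `Homepage` and `Documentation` now carry the same URL, and the new `Source` entry duplicates `Repository`; harmless for PyPI but redundant, so consider keeping one of each pair. More importantly, `src/cloud_audit/__init__.py` is unchanged in the file list (+0 -0): if it hardcodes a `__version__`, it still reports 2.0.0 while PKG-INFO says `Version: 2.0.1`; if the version is read from package metadata this is fine, but confirm before tagging.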
@@ -52,16 +53,16 @@ Description-Content-Type: text/markdown
52
53
  <h1 align="center">cloud-audit</h1>
53
54
 
54
55
  <p align="center">
55
- <strong>Find AWS attack chains and get exact fixes.</strong>
56
+ <strong>Find AWS attack paths, IAM escalation routes, and the fixes that matter most.</strong>
56
57
  </p>
57
58
 
58
59
  <p align="center">
59
- Open-source CLI that correlates findings into exploitable paths,<br>
60
- generates copy-paste remediation, and simulates fixes before you apply them.
60
+ Open-source CLI scanner that helps you decide what to fix first &mdash;<br>
61
+ not just what's wrong.
61
62
  </p>
62
63
 
63
64
  <p align="center">
64
- Detect exploitable attack paths &nbsp;-&nbsp; Get AWS CLI + Terraform fixes &nbsp;-&nbsp; Run locally, no SaaS required
65
+ Find attack chains and IAM escalation paths &nbsp;-&nbsp; Simulate fixes before you apply them &nbsp;-&nbsp; Fix root causes, not individual findings
65
66
  </p>
66
67
 
67
68
  <p align="center">
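Review bot: the rewritten third `<p>` drops "Run locally, no SaaS required", which was the one header line telling a security team that the scanner does not ship account data to a third party. The MCP section later in the file still says "Free and standalone", but the header is where reviewers of a tool like this look first; suggest keeping a short "runs locally" phrase next to the new "Simulate fixes before you apply them" item.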
@@ -80,13 +81,9 @@ Description-Content-Type: text/markdown
80
81
  <a href="https://haitmg.pl/cloud-audit/">Documentation</a> -
81
82
  <a href="https://haitmg.pl/cloud-audit/getting-started/quick-start/">Quick Start</a> -
82
83
  <a href="https://haitmg.pl/cloud-audit/compliance/overview/">Compliance</a> -
83
- <a href="https://haitmg.pl/cloud-audit/compliance/cis-aws-v3/">CIS</a> -
84
- <a href="https://haitmg.pl/cloud-audit/compliance/soc2-type2/">SOC 2</a> -
85
- <a href="https://haitmg.pl/cloud-audit/compliance/bsi-c5-2020/">BSI C5</a> -
86
- <a href="https://haitmg.pl/cloud-audit/compliance/iso27001-2022/">ISO 27001</a> -
87
- <a href="https://haitmg.pl/cloud-audit/compliance/hipaa-security/">HIPAA</a> -
88
- <a href="https://haitmg.pl/cloud-audit/compliance/nis2-directive/">NIS2</a> -
89
84
  <a href="https://haitmg.pl/cloud-audit/features/attack-chains/">Attack Chains</a> -
85
+ <a href="https://haitmg.pl/cloud-audit/features/iam-escalation/">IAM Escalation</a> -
86
+ <a href="https://haitmg.pl/cloud-audit/features/simulate/">Simulator</a> -
90
87
  <a href="https://haitmg.pl/cloud-audit/features/mcp-server/">MCP Server</a>
91
88
  </p>
92
89
 
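Review bot: the two added links point at `/features/iam-escalation/` and `/features/simulate/`, but the sdist contains no docs sources and only `mkdocs.yml` (+7 -3) changed in this release, so confirm both pages are actually published before release; a 404 from the README header is the first thing a new user hits. Dropping the six per-framework links is fine since `/compliance/overview/` stays.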
@@ -105,13 +102,11 @@ cloud-audit demo
105
102
 
106
103
  ---
107
104
 
108
- ## What You Get
105
+ ## Why It's Different
109
106
 
110
- ```
111
- +------- Health Score -------+
112
- | 34 / 100 | Risk exposure: $1.2M - $9.5M
113
- +----------------------------+
107
+ Most scanners give you findings. cloud-audit helps you **decide what to fix first**.
114
108
 
109
+ ```
115
110
  +---- Attack Chains (5 detected) -----------------------------------+
116
111
  | CRITICAL Internet-Exposed Admin Instance |
117
112
  | i-0abc123 - public SG + admin IAM role + IMDSv1 |
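Review bot: removing the Health Score box deletes the only place the README explained what the `34 / 100` score and the `Risk exposure: $1.2M - $9.5M` range are, yet the simulate sample added in the next hunk still reads `Score: 34 -> 58 (+24)`. Either keep a one-line score box or say in the new intro sentence that the health score is a 0-100 figure, otherwise the simulate output has no reference point.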
@@ -130,11 +125,16 @@ cloud-audit demo
130
125
  | 1. Restrict SG ingress on sg-0abc123 -> breaks 8 chains |
131
126
  | 2. Add OIDC sub condition -> breaks 6 chains |
132
127
  +--------------------------------------------------------------------+
128
+ ```
133
129
 
134
- Findings by severity: CRITICAL: 5 HIGH: 9 MEDIUM: 14 LOW: 6
130
+ Other tools give you 200 findings sorted by severity. cloud-audit groups them by root cause, shows which single fixes collapse the most attack paths, and lets you simulate the impact before you touch anything:
131
+
132
+ ```bash
133
+ cloud-audit simulate --fix aws-vpc-002
134
+ # Score: 34 -> 58 (+24) | Chains broken: 8 of 22 | Findings resolved: 11
135
135
  ```
136
136
 
137
- 94 checks across 23 AWS services. Every finding includes AWS CLI + Terraform remediation code. Root-cause grouping tells you which fixes break the most chains so you fix what matters first.
137
+ 94 checks across 23 AWS services. Every finding includes copy-paste AWS CLI + Terraform remediation.
138
138
 
139
139
  <p align="center">
140
140
  <a href="https://www.youtube.com/watch?v=5uHoqggmTB8">
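Review bot: the `cloud-audit simulate --fix aws-vpc-002` snippet added here is repeated verbatim in the "Remediation + Simulator" section further down (same command, same `# Score: 34 -> 58 (+24) | Chains broken: 8 of 22 | Findings resolved: 11` line). Keep one copy, or make this the single-fix example and leave only the multi-fix example below. Two smaller points: the removed `Findings by severity` line was the only severity breakdown in the README, and the demo box above says `Attack Chains (5 detected)` while the simulate line reports `8 of 22` chains broken; the sample numbers should come from one consistent run.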
@@ -144,7 +144,17 @@ Findings by severity: CRITICAL: 5 HIGH: 9 MEDIUM: 14 LOW: 6
144
144
  <sub>Watch the 1-minute demo</sub>
145
145
  </p>
146
146
 
147
- If cloud-audit helped you find something you missed, consider giving it a star. It helps others discover the project.
147
+ ---
148
+
149
+ ## What's New in 2.0
150
+
151
+ | Feature | What it does |
152
+ |---|---|
153
+ | **IAM Privilege Escalation** | 25 escalation methods across 6 categories. PMapper has been dead since 2022 -- this is its open-source replacement. |
154
+ | **What-If Simulator** | `cloud-audit simulate --fix aws-vpc-002` shows score change, chains broken, and risk reduction before you apply anything. |
155
+ | **Root Cause Grouping** | "Fix 4 things, break 22 chains." Groups findings by shared root cause and ranks by impact. |
156
+ | **Security Posture Trend** | `cloud-audit trend` tracks health score, chains, and risk over time with sparkline visualization. |
157
+ | **AI-SPM** | First open-source Bedrock + SageMaker scanner. 5 checks, 3 attack chains (model theft, LLMjacking, data poisoning). |
148
158
 
149
159
  ---
150
160
 
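Review bot: the `IAM Privilege Escalation` row makes a claim about a third-party project ("PMapper has been dead since 2022 -- this is its open-source replacement"). PMapper is itself open source, so "open-source replacement" reads as if it were not; say "maintained replacement" and point at the repository's archive status rather than calling it dead. "First open-source Bedrock + SageMaker scanner" is likewise unverifiable marketing in package metadata; the counts (5 checks, 3 chains) are the useful part. The table is also titled "What's New in 2.0" but ships in the 2.0.1 README, so title it 2.0.x or move it to the changelog.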
@@ -152,113 +162,97 @@ If cloud-audit helped you find something you missed, consider giving it a star.
152
162
 
153
163
  ### Attack Chain Detection
154
164
 
155
- Other scanners give you a flat list of findings. cloud-audit correlates them into attack paths an attacker would actually exploit.
165
+ 31 rules correlate individual findings into exploitable attack paths.
156
166
 
157
167
  ```
158
168
  Internet --> Public SG --> EC2 (IMDSv1) --> Admin IAM Creds --> Account Takeover
159
169
  aws-vpc-002 aws-ec2-004 Detected: AC-01, AC-02
160
170
  ```
161
171
 
162
- Examples from the 31 built-in rules:
163
-
164
172
  | Chain | What it catches |
165
173
  |---|---|
166
174
  | IAM Privilege Escalation | iam:PassRole + lambda:Create + iam:Attach = 3-step path to admin |
167
- | Internet-Exposed Admin Instance | Public SG + admin IAM role + IMDSv1 = account takeover |
175
+ | Internet-Exposed Admin | Public SG + admin IAM role + IMDSv1 = account takeover |
168
176
  | CI/CD to Admin Takeover | OIDC without sub condition + admin policy = pipeline hijack |
169
- | SSRF to Credential Theft | Public instance + IMDSv1 + no VPC flow logs = invisible exfiltration |
170
- | AI Model Data Exfiltration | Bedrock model with public endpoint + no logging = silent data leak |
177
+ | LLMjacking | Bedrock no logging + no guardrails = undetected model abuse |
171
178
 
172
- Based on [MITRE ATT&CK Cloud](https://attack.mitre.org/matrices/enterprise/cloud/) and [Datadog pathfinding.cloud](https://github.com/DataDog/pathfinding.cloud). [See all 31 rules in the docs](https://haitmg.pl/cloud-audit/features/attack-chains/).
179
+ Based on [MITRE ATT&CK Cloud](https://attack.mitre.org/matrices/enterprise/cloud/) and [pathfinding.cloud](https://github.com/DataDog/pathfinding.cloud). [See all 31 rules](https://haitmg.pl/cloud-audit/features/attack-chains/).
173
180
 
174
- ### Copy-Paste Remediation + What-If Simulator
181
+ ### Remediation + Simulator
175
182
 
176
- Every finding includes AWS CLI commands, Terraform HCL, and documentation links. Export all fixes as a runnable script:
183
+ Every finding includes AWS CLI, Terraform HCL, and docs links. Export all fixes:
177
184
 
178
185
  ```bash
179
186
  cloud-audit scan --export-fixes fixes.sh
180
187
  ```
181
188
 
182
- Simulate a fix before applying it to see which chains it breaks and how your score changes:
189
+ Simulate before applying:
183
190
 
184
191
  ```bash
185
192
  cloud-audit simulate --fix aws-vpc-002
186
193
  # Score: 34 -> 58 (+24) | Chains broken: 8 of 22 | Findings resolved: 11
187
- ```
188
194
 
189
- ### Scan Diff and Trend Tracking
195
+ cloud-audit simulate --fix aws-vpc-002,aws-ct-001,aws-iam-007
196
+ # Score: 34 -> 82 (+48) | Chains broken: 19 of 22
197
+ ```
190
198
 
191
- Compare scans to track drift. Catches ClickOps changes, manual console edits, and regressions that IaC scanning misses.
199
+ ### Trend Tracking
192
200
 
193
201
  ```bash
194
- cloud-audit diff yesterday.json today.json
195
- cloud-audit trend # Time-series posture history
202
+ cloud-audit diff yesterday.json today.json # Catches ClickOps drift
203
+ cloud-audit trend # Posture over time
196
204
  ```
197
205
 
198
- Exit code 0 = no new findings, 1 = regression. See [daily-scan-with-diff.yml](examples/daily-scan-with-diff.yml) for a CI/CD workflow.
199
-
200
206
  ### 6 Compliance Frameworks
201
207
 
202
- Built-in compliance engine with per-control evidence, readiness scoring, and auditor-ready reports.
203
-
204
208
  - **CIS AWS v3.0** - 62 controls, 55 automated (89%)
205
209
  - **SOC 2 Type II** - 43 criteria, 24 automated (56%)
206
210
  - **BSI C5:2020** `Beta` - 134 criteria, 57 automated/partial
207
- - **ISO 27001:2022** `Beta` - 93 Annex A controls, 47 automated/partial
211
+ - **ISO 27001:2022** `Beta` - 93 controls, 47 automated/partial
208
212
  - **HIPAA Security Rule** `Beta` - 47 specs, 29 automated/partial
209
213
  - **NIS2 Directive** `Beta` - 43 measures, 33 automated/partial
210
214
 
211
215
  ### Breach Cost Estimation
212
216
 
213
- Every finding includes a dollar-range risk estimate based on published breach data (IBM Cost of a Data Breach 2024, Verizon DBIR, enforcement actions). Attack chains use compound risk multipliers. Every estimate links to its source.
217
+ Every finding and chain includes a dollar-range risk estimate based on IBM/Verizon breach data, with source links.
214
218
 
215
219
  ### MCP Server for AI Agents
216
220
 
217
- Ask Claude Code, Cursor, or VS Code Copilot to scan your AWS account:
218
-
219
221
  ```bash
220
222
  claude mcp add cloud-audit -- uvx --from cloud-audit cloud-audit-mcp
221
223
  ```
222
224
 
223
- 6 tools: `scan_aws`, `get_findings`, `get_attack_chains`, `get_remediation`, `get_health_score`, `list_checks`. Free and standalone - no SaaS account needed.
225
+ 6 tools: `scan_aws`, `get_findings`, `get_attack_chains`, `get_remediation`, `get_health_score`, `list_checks`. Free and standalone.
224
226
 
225
227
  ---
226
228
 
227
229
  ## How It Compares
228
230
 
229
- | Feature | Prowler | Trivy | Checkov | cloud-audit |
230
- |---------|---------|-------|---------|-------------|
231
- | Checks | 576 | 517 | 2500+ | **94** |
232
- | Attack chain detection | No | No | No | **31 rules + root-cause grouping** |
233
- | What-If remediation simulator | No | No | No | **Yes** |
234
- | IAM privilege escalation paths | No | No | No | **25 methods** |
235
- | Remediation per finding | CIS only | No | Links | **100% (CLI + Terraform)** |
236
- | Breach cost estimation | No | No | No | **Per finding + chain** |
237
- | AI-SPM (Bedrock/SageMaker) | No | No | No | **Yes** |
238
- | Compliance frameworks | CIS only | — | — | **6 (CIS, SOC 2 + 4 Beta)** |
239
- | MCP server (AI agents) | Paid ($99/mo) | No | No | **Free, standalone** |
231
+ | Feature | Prowler | Trivy | cloud-audit |
232
+ |---------|---------|-------|-------------|
233
+ | Checks | 576 | 517 | **94** |
234
+ | Attack chains + root-cause grouping | No | No | **31 rules** |
235
+ | What-If remediation simulator | No | No | **Yes** |
236
+ | IAM privilege escalation | No | No | **25 methods** |
237
+ | Remediation per finding | CIS only | No | **100% (CLI + TF)** |
238
+ | AI-SPM (Bedrock/SageMaker) | No | No | **Yes** |
239
+ | Compliance frameworks | CIS | -- | **6** |
240
240
 
241
- cloud-audit has fewer checks than Prowler but goes deeper per finding: remediation code, attack chain correlation, cost estimates, and a What-If simulator that shows the impact of each fix before you apply it. If you need exhaustive compliance coverage across multiple clouds, Prowler is the better choice. If you need a focused scan that shows how findings chain into real attack paths and prioritizes what to fix first, cloud-audit is built for that.
241
+ cloud-audit has fewer checks but goes deeper per finding: attack chain correlation, root-cause grouping, cost estimates, and a simulator that shows the impact of each fix before you apply it. If you need exhaustive multi-cloud compliance coverage, use Prowler. If you need to know what to fix first and why, cloud-audit is built for that.
242
242
 
243
- <sub>Feature snapshot as of v2.0.0 (April 2026). Verify against upstream docs for the latest details.</sub>
243
+ <sub>Feature snapshot as of v2.0.0 (April 2026).</sub>
244
244
 
245
245
  ---
246
246
 
247
247
  ## Reports
248
248
 
249
249
  ```bash
250
- cloud-audit scan --format html --output report.html # Client-ready HTML
251
- cloud-audit scan --format json --output report.json # Machine-readable
252
- cloud-audit scan --format sarif --output results.sarif # GitHub Code Scanning
253
- cloud-audit scan --format markdown --output report.md # PR comments
250
+ cloud-audit scan --format html -o report.html # Client-ready HTML
251
+ cloud-audit scan --format json -o report.json # Machine-readable
252
+ cloud-audit scan --format sarif -o results.sarif # GitHub Code Scanning
253
+ cloud-audit scan --format markdown -o report.md # PR comments
254
254
  ```
255
255
 
256
- Format is auto-detected from file extension.
257
-
258
- <p align="center">
259
- <img src="assets/report-preview.png" alt="cloud-audit HTML report" width="700">
260
- </p>
261
-
262
256
  ## Installation
263
257
 
264
258
  ```bash
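Review bot: the Reports block switches all four examples from `--output` to `-o`, but `src/cloud_audit/cli.py` is unchanged in this release (+0 -0), so `-o` must already be an accepted alias or these commands now fail for readers; verify before publishing. The same hunk deletes `Exit code 0 = no new findings, 1 = regression` and the link to `examples/daily-scan-with-diff.yml`, which is the contract CI pipelines depend on, and the example file is still shipped (file 34 in the list); keep that sentence under Trend Tracking. Smaller points: the `report-preview.png` image is removed but `assets/report-preview.png` remains in the sdist; `Format is auto-detected from file extension` was cheap to keep; and the new `--fix aws-vpc-002,aws-ct-001,aws-iam-007` example introduces comma-separated IDs without saying so, which one clause would fix.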
@@ -282,6 +276,8 @@ cloud-audit scan --regions all # All enabled regions
282
276
  cloud-audit scan --min-severity high # Filter by severity
283
277
  cloud-audit scan --role-arn arn:aws:iam::...:role/audit # Cross-account
284
278
  cloud-audit scan --quiet # Exit code only (CI/CD)
279
+ cloud-audit simulate --fix aws-vpc-002 # What-If simulator
280
+ cloud-audit trend # Posture over time
285
281
  cloud-audit list-checks # List all checks
286
282
  ```
287
283
 
@@ -359,33 +355,22 @@ cloud-audit never modifies your infrastructure. The `simulate` command runs loca
359
355
 
360
356
  [See all 94 checks by service](https://haitmg.pl/cloud-audit/checks/) or run `cloud-audit list-checks` locally.
361
357
 
362
- ## Alternatives
363
-
364
- - **[Prowler](https://github.com/prowler-cloud/prowler)** - 576+ checks, multi-cloud, full CIS coverage, auto-remediation. The most comprehensive open-source scanner.
365
- - **[Trivy](https://github.com/aquasecurity/trivy)** - Container, IaC, and cloud scanner. Strong on containers, growing cloud coverage.
366
- - **[Steampipe](https://github.com/turbot/steampipe)** - SQL-based cloud querying. Very flexible.
367
- - **[AWS Security Hub](https://aws.amazon.com/security-hub/)** - Native AWS service with continuous monitoring. Free 30-day trial.
368
-
369
358
  ## Documentation
370
359
 
371
- cloud-audit has grown beyond what a single README can cover. The full documentation is at **[haitmg.pl/cloud-audit](https://haitmg.pl/cloud-audit/)** and includes:
360
+ Full docs at **[haitmg.pl/cloud-audit](https://haitmg.pl/cloud-audit/)**:
372
361
 
373
362
  - **[Getting Started](https://haitmg.pl/cloud-audit/getting-started/installation/)** - installation, quick start, demo mode
374
- - **[Compliance](https://haitmg.pl/cloud-audit/compliance/overview/)** - 6 frameworks: CIS AWS v3.0, SOC 2, BSI C5, ISO 27001, HIPAA, NIS2
375
363
  - **[Attack Chains](https://haitmg.pl/cloud-audit/features/attack-chains/)** - all 31 rules with MITRE ATT&CK references
376
- - **[MCP Server](https://haitmg.pl/cloud-audit/features/mcp-server/)** - full setup guide for Claude Code, Cursor, VS Code
377
- - **[Configuration](https://haitmg.pl/cloud-audit/configuration/config-file/)** - config file, env vars, suppressions
378
- - **[CI/CD](https://haitmg.pl/cloud-audit/ci-cd/github-actions/)** - GitHub Actions, SARIF, pre-commit hooks
379
- - **[Reports](https://haitmg.pl/cloud-audit/reports/html/)** - HTML, JSON, SARIF, Markdown output formats
364
+ - **[IAM Escalation](https://haitmg.pl/cloud-audit/features/iam-escalation/)** - 25 methods, 6 categories
365
+ - **[What-If Simulator](https://haitmg.pl/cloud-audit/features/simulate/)** - simulate remediation impact
366
+ - **[Compliance](https://haitmg.pl/cloud-audit/compliance/overview/)** - 6 frameworks: CIS, SOC 2, BSI C5, ISO 27001, HIPAA, NIS2
380
367
  - **[All 94 Checks](https://haitmg.pl/cloud-audit/checks/)** - full check reference by service
381
368
 
382
- This README covers the essentials. For compliance framework details, advanced configuration, and per-check documentation, see the full docs.
383
-
384
369
  ## What's Next
385
370
 
386
371
  - Multi-account scanning (AWS Organizations)
372
+ - SCP + permission boundary evaluation in IAM escalation
387
373
  - Terraform drift detection
388
- - Data perimeter checks (S3, KMS, STS boundary policies)
389
374
 
390
375
  Past releases: [CHANGELOG.md](CHANGELOG.md)
391
376
 
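Review bot: the docs list drops the `Configuration`, `CI/CD` and `Reports` links while the README still has a Reports section advertising SARIF for GitHub Code Scanning, so CI users lose their pointer to the GitHub Actions docs in the same release that removes the exit-code sentence; keep at least the CI/CD and Configuration entries. The roadmap item `Data perimeter checks (S3, KMS, STS boundary policies)` is removed here while ROADMAP.md is replaced wholesale (old +0 -149, new +95 -0); confirm it is carried into the new roadmap or record it as dropped. Removing the Alternatives section is acceptable since the How It Compares table still names Prowler and Trivy.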
@@ -396,9 +381,8 @@ git clone https://github.com/gebalamariusz/cloud-audit.git
396
381
  cd cloud-audit
397
382
  pip install -e ".[dev]"
398
383
 
399
- pytest -v # tests
384
+ pytest -v # 496 tests
400
385
  ruff check src/ tests/ # lint
401
- ruff format --check src/ tests/ # format
402
386
  mypy src/ # type check
403
387
  ```
404
388
 
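Review bot: the hardcoded `# 496 tests` comment will go stale on the next PR; the previous `# tests` was safer. `ruff format --check src/ tests/` is removed from the contributor commands while `.github/workflows/ci.yml` is untouched in this release, so if CI still enforces formatting, contributors will learn about it only from a failed run; keep the line or say why it went.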
@@ -6,16 +6,16 @@
6
6
  <h1 align="center">cloud-audit</h1>
7
7
 
8
8
  <p align="center">
9
- <strong>Find AWS attack chains and get exact fixes.</strong>
9
+ <strong>Find AWS attack paths, IAM escalation routes, and the fixes that matter most.</strong>
10
10
  </p>
11
11
 
12
12
  <p align="center">
13
- Open-source CLI that correlates findings into exploitable paths,<br>
14
- generates copy-paste remediation, and simulates fixes before you apply them.
13
+ Open-source CLI scanner that helps you decide what to fix first &mdash;<br>
14
+ not just what's wrong.
15
15
  </p>
16
16
 
17
17
  <p align="center">
18
- Detect exploitable attack paths &nbsp;-&nbsp; Get AWS CLI + Terraform fixes &nbsp;-&nbsp; Run locally, no SaaS required
18
+ Find attack chains and IAM escalation paths &nbsp;-&nbsp; Simulate fixes before you apply them &nbsp;-&nbsp; Fix root causes, not individual findings
19
19
  </p>
20
20
 
21
21
  <p align="center">
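Review bot: this and the following README.md hunks carry the same text as the PKG-INFO long-description hunks above (PKG-INFO's description is generated from README.md at build time), so the comments made on those hunks apply here and README.md is the file to edit; nothing separate to raise.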
@@ -34,13 +34,9 @@
34
34
  <a href="https://haitmg.pl/cloud-audit/">Documentation</a> -
35
35
  <a href="https://haitmg.pl/cloud-audit/getting-started/quick-start/">Quick Start</a> -
36
36
  <a href="https://haitmg.pl/cloud-audit/compliance/overview/">Compliance</a> -
37
- <a href="https://haitmg.pl/cloud-audit/compliance/cis-aws-v3/">CIS</a> -
38
- <a href="https://haitmg.pl/cloud-audit/compliance/soc2-type2/">SOC 2</a> -
39
- <a href="https://haitmg.pl/cloud-audit/compliance/bsi-c5-2020/">BSI C5</a> -
40
- <a href="https://haitmg.pl/cloud-audit/compliance/iso27001-2022/">ISO 27001</a> -
41
- <a href="https://haitmg.pl/cloud-audit/compliance/hipaa-security/">HIPAA</a> -
42
- <a href="https://haitmg.pl/cloud-audit/compliance/nis2-directive/">NIS2</a> -
43
37
  <a href="https://haitmg.pl/cloud-audit/features/attack-chains/">Attack Chains</a> -
38
+ <a href="https://haitmg.pl/cloud-audit/features/iam-escalation/">IAM Escalation</a> -
39
+ <a href="https://haitmg.pl/cloud-audit/features/simulate/">Simulator</a> -
44
40
  <a href="https://haitmg.pl/cloud-audit/features/mcp-server/">MCP Server</a>
45
41
  </p>
46
42
 
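Review bot: the two added header links point at `features/iam-escalation/` and `features/simulate/`; confirm both pages exist in the mkdocs nav before release, since these header links are the first thing a visitor clicks and a 404 here undermines the rest of the README. Dropping the six per-framework links is fine as long as the Compliance overview link that remains lists all six frameworks.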
@@ -59,13 +55,11 @@ cloud-audit demo
59
55
 
60
56
  ---
61
57
 
62
- ## What You Get
58
+ ## Why It's Different
63
59
 
64
- ```
65
- +------- Health Score -------+
66
- | 34 / 100 | Risk exposure: $1.2M - $9.5M
67
- +----------------------------+
60
+ Most scanners give you findings. cloud-audit helps you **decide what to fix first**.
68
61
 
62
+ ```
69
63
  +---- Attack Chains (5 detected) -----------------------------------+
70
64
  | CRITICAL Internet-Exposed Admin Instance |
71
65
  | i-0abc123 - public SG + admin IAM role + IMDSv1 |
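Review bot: removing the Health Score box (the three `-` lines at the top of the sample output) leaves the `Score: 34 -> 58` in the simulate snippet that follows without a visible baseline, and it was also the only place the README showed the dollar risk range that the Breach Cost Estimation section later describes. Suggest keeping at least the `| 34 / 100 | Risk exposure: $1.2M - $9.5M` line above the Attack Chains box so the score and risk figures the rest of the README refers to are introduced once.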
@@ -84,11 +78,16 @@ cloud-audit demo
84
78
  | 1. Restrict SG ingress on sg-0abc123 -> breaks 8 chains |
85
79
  | 2. Add OIDC sub condition -> breaks 6 chains |
86
80
  +--------------------------------------------------------------------+
81
+ ```
87
82
 
88
- Findings by severity: CRITICAL: 5 HIGH: 9 MEDIUM: 14 LOW: 6
83
+ Other tools give you 200 findings sorted by severity. cloud-audit groups them by root cause, shows which single fixes collapse the most attack paths, and lets you simulate the impact before you touch anything:
84
+
85
+ ```bash
86
+ cloud-audit simulate --fix aws-vpc-002
87
+ # Score: 34 -> 58 (+24) | Chains broken: 8 of 22 | Findings resolved: 11
89
88
  ```
90
89
 
91
- 94 checks across 23 AWS services. Every finding includes AWS CLI + Terraform remediation code. Root-cause grouping tells you which fixes break the most chains so you fix what matters first.
90
+ 94 checks across 23 AWS services. Every finding includes copy-paste AWS CLI + Terraform remediation.
92
91
 
93
92
  <p align="center">
94
93
  <a href="https://www.youtube.com/watch?v=5uHoqggmTB8">
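Review bot: the `cloud-audit simulate --fix aws-vpc-002` snippet with the `# Score: 34 -> 58 (+24) | Chains broken: 8 of 22 | Findings resolved: 11` line added here becomes the third copy of the same example in this README after this diff (it also appears in the What's New table and in the Remediation + Simulator section, which additionally shows the comma-separated multi-fix form). Suggest keeping the one in the Remediation + Simulator section and referring to it from here. Also note that with `Findings by severity: CRITICAL: 5 HIGH: 9 MEDIUM: 14 LOW: 6` removed, the sample output no longer shows any finding totals, so "Findings resolved: 11" has nothing to be read against.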
@@ -98,7 +97,17 @@ Findings by severity: CRITICAL: 5 HIGH: 9 MEDIUM: 14 LOW: 6
98
97
  <sub>Watch the 1-minute demo</sub>
99
98
  </p>
100
99
 
101
- If cloud-audit helped you find something you missed, consider giving it a star. It helps others discover the project.
100
+ ---
101
+
102
+ ## What's New in 2.0
103
+
104
+ | Feature | What it does |
105
+ |---|---|
106
+ | **IAM Privilege Escalation** | 25 escalation methods across 6 categories. PMapper has been dead since 2022 -- this is its open-source replacement. |
107
+ | **What-If Simulator** | `cloud-audit simulate --fix aws-vpc-002` shows score change, chains broken, and risk reduction before you apply anything. |
108
+ | **Root Cause Grouping** | "Fix 4 things, break 22 chains." Groups findings by shared root cause and ranks by impact. |
109
+ | **Security Posture Trend** | `cloud-audit trend` tracks health score, chains, and risk over time with sparkline visualization. |
110
+ | **AI-SPM** | First open-source Bedrock + SageMaker scanner. 5 checks, 3 attack chains (model theft, LLMjacking, data poisoning). |
102
111
 
103
112
  ---
104
113
 
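Review bot: two rows of the new What's New table make claims the repository cannot back: "PMapper has been dead since 2022 -- this is its open-source replacement" and "First open-source Bedrock + SageMaker scanner". Both are statements about other projects, one of them a named one, and will either age badly or draw corrections; suggest rewording to what this project can verify ("25 escalation methods across 6 categories, covering the PMapper use case" with a link to the PMapper repository so readers can check its status themselves, and "5 Bedrock + SageMaker checks, 3 attack chains"). Dropping the star request is fine, but a heading of "What's New in 2.0" in a 2.0.1 release will need editing on every patch release; "What's New in 2.x" with a link to CHANGELOG.md avoids that.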
@@ -106,113 +115,97 @@ If cloud-audit helped you find something you missed, consider giving it a star.
106
115
 
107
116
  ### Attack Chain Detection
108
117
 
109
- Other scanners give you a flat list of findings. cloud-audit correlates them into attack paths an attacker would actually exploit.
118
+ 31 rules correlate individual findings into exploitable attack paths.
110
119
 
111
120
  ```
112
121
  Internet --> Public SG --> EC2 (IMDSv1) --> Admin IAM Creds --> Account Takeover
113
122
  aws-vpc-002 aws-ec2-004 Detected: AC-01, AC-02
114
123
  ```
115
124
 
116
- Examples from the 31 built-in rules:
117
-
118
125
  | Chain | What it catches |
119
126
  |---|---|
120
127
  | IAM Privilege Escalation | iam:PassRole + lambda:Create + iam:Attach = 3-step path to admin |
121
- | Internet-Exposed Admin Instance | Public SG + admin IAM role + IMDSv1 = account takeover |
128
+ | Internet-Exposed Admin | Public SG + admin IAM role + IMDSv1 = account takeover |
122
129
  | CI/CD to Admin Takeover | OIDC without sub condition + admin policy = pipeline hijack |
123
- | SSRF to Credential Theft | Public instance + IMDSv1 + no VPC flow logs = invisible exfiltration |
124
- | AI Model Data Exfiltration | Bedrock model with public endpoint + no logging = silent data leak |
130
+ | LLMjacking | Bedrock no logging + no guardrails = undetected model abuse |
125
131
 
126
- Based on [MITRE ATT&CK Cloud](https://attack.mitre.org/matrices/enterprise/cloud/) and [Datadog pathfinding.cloud](https://github.com/DataDog/pathfinding.cloud). [See all 31 rules in the docs](https://haitmg.pl/cloud-audit/features/attack-chains/).
132
+ Based on [MITRE ATT&CK Cloud](https://attack.mitre.org/matrices/enterprise/cloud/) and [pathfinding.cloud](https://github.com/DataDog/pathfinding.cloud). [See all 31 rules](https://haitmg.pl/cloud-audit/features/attack-chains/).
127
133
 
128
- ### Copy-Paste Remediation + What-If Simulator
134
+ ### Remediation + Simulator
129
135
 
130
- Every finding includes AWS CLI commands, Terraform HCL, and documentation links. Export all fixes as a runnable script:
136
+ Every finding includes AWS CLI, Terraform HCL, and docs links. Export all fixes:
131
137
 
132
138
  ```bash
133
139
  cloud-audit scan --export-fixes fixes.sh
134
140
  ```
135
141
 
136
- Simulate a fix before applying it to see which chains it breaks and how your score changes:
142
+ Simulate before applying:
137
143
 
138
144
  ```bash
139
145
  cloud-audit simulate --fix aws-vpc-002
140
146
  # Score: 34 -> 58 (+24) | Chains broken: 8 of 22 | Findings resolved: 11
141
- ```
142
147
 
143
- ### Scan Diff and Trend Tracking
148
+ cloud-audit simulate --fix aws-vpc-002,aws-ct-001,aws-iam-007
149
+ # Score: 34 -> 82 (+48) | Chains broken: 19 of 22
150
+ ```
144
151
 
145
- Compare scans to track drift. Catches ClickOps changes, manual console edits, and regressions that IaC scanning misses.
152
+ ### Trend Tracking
146
153
 
147
154
  ```bash
148
- cloud-audit diff yesterday.json today.json
149
- cloud-audit trend # Time-series posture history
155
+ cloud-audit diff yesterday.json today.json # Catches ClickOps drift
156
+ cloud-audit trend # Posture over time
150
157
  ```
151
158
 
152
- Exit code 0 = no new findings, 1 = regression. See [daily-scan-with-diff.yml](examples/daily-scan-with-diff.yml) for a CI/CD workflow.
153
-
154
159
  ### 6 Compliance Frameworks
155
160
 
156
- Built-in compliance engine with per-control evidence, readiness scoring, and auditor-ready reports.
157
-
158
161
  - **CIS AWS v3.0** - 62 controls, 55 automated (89%)
159
162
  - **SOC 2 Type II** - 43 criteria, 24 automated (56%)
160
163
  - **BSI C5:2020** `Beta` - 134 criteria, 57 automated/partial
161
- - **ISO 27001:2022** `Beta` - 93 Annex A controls, 47 automated/partial
164
+ - **ISO 27001:2022** `Beta` - 93 controls, 47 automated/partial
162
165
  - **HIPAA Security Rule** `Beta` - 47 specs, 29 automated/partial
163
166
  - **NIS2 Directive** `Beta` - 43 measures, 33 automated/partial
164
167
 
165
168
  ### Breach Cost Estimation
166
169
 
167
- Every finding includes a dollar-range risk estimate based on published breach data (IBM Cost of a Data Breach 2024, Verizon DBIR, enforcement actions). Attack chains use compound risk multipliers. Every estimate links to its source.
170
+ Every finding and chain includes a dollar-range risk estimate based on IBM/Verizon breach data, with source links.
168
171
 
169
172
  ### MCP Server for AI Agents
170
173
 
171
- Ask Claude Code, Cursor, or VS Code Copilot to scan your AWS account:
172
-
173
174
  ```bash
174
175
  claude mcp add cloud-audit -- uvx --from cloud-audit cloud-audit-mcp
175
176
  ```
176
177
 
177
- 6 tools: `scan_aws`, `get_findings`, `get_attack_chains`, `get_remediation`, `get_health_score`, `list_checks`. Free and standalone - no SaaS account needed.
178
+ 6 tools: `scan_aws`, `get_findings`, `get_attack_chains`, `get_remediation`, `get_health_score`, `list_checks`. Free and standalone.
178
179
 
179
180
  ---
180
181
 
181
182
  ## How It Compares
182
183
 
183
- | Feature | Prowler | Trivy | Checkov | cloud-audit |
184
- |---------|---------|-------|---------|-------------|
185
- | Checks | 576 | 517 | 2500+ | **94** |
186
- | Attack chain detection | No | No | No | **31 rules + root-cause grouping** |
187
- | What-If remediation simulator | No | No | No | **Yes** |
188
- | IAM privilege escalation paths | No | No | No | **25 methods** |
189
- | Remediation per finding | CIS only | No | Links | **100% (CLI + Terraform)** |
190
- | Breach cost estimation | No | No | No | **Per finding + chain** |
191
- | AI-SPM (Bedrock/SageMaker) | No | No | No | **Yes** |
192
- | Compliance frameworks | CIS only | — | — | **6 (CIS, SOC 2 + 4 Beta)** |
193
- | MCP server (AI agents) | Paid ($99/mo) | No | No | **Free, standalone** |
184
+ | Feature | Prowler | Trivy | cloud-audit |
185
+ |---------|---------|-------|-------------|
186
+ | Checks | 576 | 517 | **94** |
187
+ | Attack chains + root-cause grouping | No | No | **31 rules** |
188
+ | What-If remediation simulator | No | No | **Yes** |
189
+ | IAM privilege escalation | No | No | **25 methods** |
190
+ | Remediation per finding | CIS only | No | **100% (CLI + TF)** |
191
+ | AI-SPM (Bedrock/SageMaker) | No | No | **Yes** |
192
+ | Compliance frameworks | CIS | -- | **6** |
194
193
 
195
- cloud-audit has fewer checks than Prowler but goes deeper per finding: remediation code, attack chain correlation, cost estimates, and a What-If simulator that shows the impact of each fix before you apply it. If you need exhaustive compliance coverage across multiple clouds, Prowler is the better choice. If you need a focused scan that shows how findings chain into real attack paths and prioritizes what to fix first, cloud-audit is built for that.
194
+ cloud-audit has fewer checks but goes deeper per finding: attack chain correlation, root-cause grouping, cost estimates, and a simulator that shows the impact of each fix before you apply it. If you need exhaustive multi-cloud compliance coverage, use Prowler. If you need to know what to fix first and why, cloud-audit is built for that.
196
195
 
197
- <sub>Feature snapshot as of v2.0.0 (April 2026). Verify against upstream docs for the latest details.</sub>
196
+ <sub>Feature snapshot as of v2.0.0 (April 2026).</sub>
198
197
 
199
198
  ---
200
199
 
201
200
  ## Reports
202
201
 
203
202
  ```bash
204
- cloud-audit scan --format html --output report.html # Client-ready HTML
205
- cloud-audit scan --format json --output report.json # Machine-readable
206
- cloud-audit scan --format sarif --output results.sarif # GitHub Code Scanning
207
- cloud-audit scan --format markdown --output report.md # PR comments
203
+ cloud-audit scan --format html -o report.html # Client-ready HTML
204
+ cloud-audit scan --format json -o report.json # Machine-readable
205
+ cloud-audit scan --format sarif -o results.sarif # GitHub Code Scanning
206
+ cloud-audit scan --format markdown -o report.md # PR comments
208
207
  ```
209
208
 
210
- Format is auto-detected from file extension.
211
-
212
- <p align="center">
213
- <img src="assets/report-preview.png" alt="cloud-audit HTML report" width="700">
214
- </p>
215
-
216
209
  ## Installation
217
210
 
218
211
  ```bash
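Review bot: the removed line `Exit code 0 = no new findings, 1 = regression. See [daily-scan-with-diff.yml](examples/daily-scan-with-diff.yml) for a CI/CD workflow.` was the only place the README documented the exit-code contract of `cloud-audit diff`, which is exactly what a CI gate depends on, and the example workflow link went with it; keep that sentence under Trend Tracking, next to the `diff` command. Three smaller points in the same hunk: the Reports block switches every `--output` to `-o` while the usage block later keeps long flags, so confirm `-o` is a registered alias before documenting it; the comparison footnote still says `as of v2.0.0` in a 2.0.1 README while the "Verify against upstream docs" caveat is dropped, so the Prowler and Trivy check counts are now presented with no staleness warning at all; and removing "Ask Claude Code, Cursor, or VS Code Copilot to scan your AWS account:" leaves the MCP Server section opening with a bare command and no sentence saying what it does.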
@@ -236,6 +229,8 @@ cloud-audit scan --regions all # All enabled regions
236
229
  cloud-audit scan --min-severity high # Filter by severity
237
230
  cloud-audit scan --role-arn arn:aws:iam::...:role/audit # Cross-account
238
231
  cloud-audit scan --quiet # Exit code only (CI/CD)
232
+ cloud-audit simulate --fix aws-vpc-002 # What-If simulator
233
+ cloud-audit trend # Posture over time
239
234
  cloud-audit list-checks # List all checks
240
235
  ```
241
236
 
@@ -313,33 +308,22 @@ cloud-audit never modifies your infrastructure. The `simulate` command runs loca
313
308
 
314
309
  [See all 94 checks by service](https://haitmg.pl/cloud-audit/checks/) or run `cloud-audit list-checks` locally.
315
310
 
316
- ## Alternatives
317
-
318
- - **[Prowler](https://github.com/prowler-cloud/prowler)** - 576+ checks, multi-cloud, full CIS coverage, auto-remediation. The most comprehensive open-source scanner.
319
- - **[Trivy](https://github.com/aquasecurity/trivy)** - Container, IaC, and cloud scanner. Strong on containers, growing cloud coverage.
320
- - **[Steampipe](https://github.com/turbot/steampipe)** - SQL-based cloud querying. Very flexible.
321
- - **[AWS Security Hub](https://aws.amazon.com/security-hub/)** - Native AWS service with continuous monitoring. Free 30-day trial.
322
-
323
311
  ## Documentation
324
312
 
325
- cloud-audit has grown beyond what a single README can cover. The full documentation is at **[haitmg.pl/cloud-audit](https://haitmg.pl/cloud-audit/)** and includes:
313
+ Full docs at **[haitmg.pl/cloud-audit](https://haitmg.pl/cloud-audit/)**:
326
314
 
327
315
  - **[Getting Started](https://haitmg.pl/cloud-audit/getting-started/installation/)** - installation, quick start, demo mode
328
- - **[Compliance](https://haitmg.pl/cloud-audit/compliance/overview/)** - 6 frameworks: CIS AWS v3.0, SOC 2, BSI C5, ISO 27001, HIPAA, NIS2
329
316
  - **[Attack Chains](https://haitmg.pl/cloud-audit/features/attack-chains/)** - all 31 rules with MITRE ATT&CK references
330
- - **[MCP Server](https://haitmg.pl/cloud-audit/features/mcp-server/)** - full setup guide for Claude Code, Cursor, VS Code
331
- - **[Configuration](https://haitmg.pl/cloud-audit/configuration/config-file/)** - config file, env vars, suppressions
332
- - **[CI/CD](https://haitmg.pl/cloud-audit/ci-cd/github-actions/)** - GitHub Actions, SARIF, pre-commit hooks
333
- - **[Reports](https://haitmg.pl/cloud-audit/reports/html/)** - HTML, JSON, SARIF, Markdown output formats
317
+ - **[IAM Escalation](https://haitmg.pl/cloud-audit/features/iam-escalation/)** - 25 methods, 6 categories
318
+ - **[What-If Simulator](https://haitmg.pl/cloud-audit/features/simulate/)** - simulate remediation impact
319
+ - **[Compliance](https://haitmg.pl/cloud-audit/compliance/overview/)** - 6 frameworks: CIS, SOC 2, BSI C5, ISO 27001, HIPAA, NIS2
334
320
  - **[All 94 Checks](https://haitmg.pl/cloud-audit/checks/)** - full check reference by service
335
321
 
336
- This README covers the essentials. For compliance framework details, advanced configuration, and per-check documentation, see the full docs.
337
-
338
322
  ## What's Next
339
323
 
340
324
  - Multi-account scanning (AWS Organizations)
325
+ - SCP + permission boundary evaluation in IAM escalation
341
326
  - Terraform drift detection
342
- - Data perimeter checks (S3, KMS, STS boundary policies)
343
327
 
344
328
  Past releases: [CHANGELOG.md](CHANGELOG.md)
345
329
 
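Review bot: the added roadmap bullet `SCP + permission boundary evaluation in IAM escalation` tells the reader that the 25 escalation methods are currently evaluated without SCPs or permission boundaries, so a reported path such as the `iam:PassRole + lambda:Create + iam:Attach` chain is a false positive in any account where an SCP or boundary denies one of those actions. That caveat belongs beside the IAM Escalation claims earlier in the README, not only in the roadmap; one sentence such as "Escalation paths are computed from identity and resource policies; SCPs and permission boundaries are not yet evaluated, so verify a path before acting on it" would do. Separately, this hunk drops the Documentation links for Configuration (config file, env vars, suppressions), CI/CD (GitHub Actions, SARIF, pre-commit hooks) and Reports, even though SARIF output and the `--quiet` CI mode are still advertised elsewhere in the README; suggest keeping those three links. Removing Alternatives is fine given the comparison table, but the dropped "Data perimeter checks" roadmap bullet should be accounted for (shipped and listed, or moved to the roadmap document) rather than silently disappearing.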
@@ -350,9 +334,8 @@ git clone https://github.com/gebalamariusz/cloud-audit.git
350
334
  cd cloud-audit
351
335
  pip install -e ".[dev]"
352
336
 
353
- pytest -v # tests
337
+ pytest -v # 496 tests
354
338
  ruff check src/ tests/ # lint
355
- ruff format --check src/ tests/ # format
356
339
  mypy src/ # type check
357
340
  ```
358
341
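Review bot: `pytest -v # 496 tests` hardcodes a test count into the contributor instructions, which will be wrong after the next test PR; suggest `pytest -v # run the test suite` and let CI report the count. Removing `ruff format --check src/ tests/ # format` from the same block drops the only documented formatting step; if CI still runs it, keep the line (or replace it with `ruff format src/ tests/`) so the local checks match the pipeline.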