PyPI - cloud-audit - Versions diffs - 2.0.1__tar.gz → 2.2.0__tar.gz - Mend

cloud-audit 2.0.1tar.gz → 2.2.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (163) hide show

{cloud_audit-2.0.1 → cloud_audit-2.2.0}/.github/workflows/docs.yml RENAMED Viewed

@@ -6,6 +6,7 @@ on:
     paths:
       - 'docs/**'
       - 'mkdocs.yml'
+      - 'overrides/**'
 permissions:
   contents: write

{cloud_audit-2.0.1 → cloud_audit-2.2.0}/.gitignore RENAMED Viewed

@@ -37,6 +37,7 @@ coverage.xml
 # Reports (generated output, not source)
 *.html
 !src/cloud_audit/reports/templates/*.html.j2
+!overrides/*.html
 # Internal / local-only .md files (never push) - allowlist specific docs below
 *.md

{cloud_audit-2.0.1 → cloud_audit-2.2.0}/CHANGELOG.md RENAMED Viewed

@@ -7,6 +7,112 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [2.2.0] - 2026-05-12
+### Added
+- **Threat Feed v1** — new `cloud-audit threat-feed` command and a dedicated
+  detector pipeline (`providers/aws/threat_feed/`) that flags ACTIVE abuse
+  indicators rather than misconfiguration. Each pattern has a versioned
+  `TF-XXX` ID, maps to the new `Category.THREAT`, and carries external
+  references (research reports, CVE links) on every Finding for credibility.
+  Rules pack version: **2026-Q2**.
+  Ten patterns shipped:
+  - `TF-001-ses-phishing-setup` (MEDIUM/HIGH) — SES email/domain identities
+    verified within the last 14 days, with severity escalating when an
+    out-of-sandbox account hosts a typosquat-style email identity that has
+    no matching domain identity. Tracks the Wiz May 2025 + BleepingComputer
+    May 2026 SES abuse campaigns.
+  - `TF-002-lambda-function-url-persistence` (HIGH/CRITICAL) — Lambda
+    functions exposed via `AuthType=NONE` Function URLs, escalating to
+    CRITICAL when the execution role grants admin-class permissions
+    (matching the role profile of the Nov-Dec 2025 cryptomining campaign).
+  - `TF-003-quarantine-policy` (CRITICAL) — IAM principals with
+    `AWSCompromisedKeyQuarantineV1/V2/V3` attached. AWS auto-attaches these
+    after detecting credential exposure (typically a public GitHub commit).
+  - `TF-004-trufflehog-ua-cloudtrail` (CRITICAL) — `sts:GetCallerIdentity`
+    calls in the last 24h whose user-agent matches known leaked-credentials
+    discovery scanners (TruffleHog, gitleaks, CloudGrappler, DetentionDodger,
+    NoseyParker). Confirmed credential validation by an external scanner.
+  - `TF-005-cryptomining-role` (HIGH/CRITICAL) — IAM roles created within
+    the last 48 hours that carry broad compute managed policies (EC2 Full,
+    PowerUser, Admin, ECS Full, Lambda Full). Escalates to CRITICAL when
+    the same role also has SES sending permissions (mining + email-spam
+    combo from the documented late-2025 campaign cluster).
+  - `TF-006-mmdsv1-in-use` (HIGH/CRITICAL) — EC2 instances where
+    `HttpTokens != required` (IMDSv1 still callable) and Bedrock AgentCore
+    agents on `metadataVersion=v1` (CRITICAL — addresses Unit 42 'Cracks in
+    the Bedrock' research and the Feb 2026 MMDSv2 default).
+  - `TF-007-whoami-confusion` (MEDIUM) — IAM roles trusted by CI/CD
+    identities (codebuild service principals, GitHub OIDC, GitLab OIDC,
+    Buildkite federation) that have a broad EC2 managed policy attached —
+    the precondition for the Datadog Feb 2025 whoAMI confusion attack.
+  - `TF-008-cloudtrail-tampering` (HIGH/CRITICAL) — CloudTrail trails with
+    `IsLogging=False` (CRITICAL — canonical post-credential-theft attacker
+    behaviour, AiTM phishing follow-on per Datadog March 2026) or with a
+    populated `LatestDeliveryError` (HIGH — S3 destination broken).
+  - `TF-009-roles-anywhere-abuse` (HIGH/MEDIUM) — IAM Roles Anywhere trust
+    anchors with `sourceType=CERTIFICATE_BUNDLE` instead of the recommended
+    AWS_ACM_PCA. Anyone able to issue a chain-valid cert can mint AWS
+    credentials (fwd:cloudsec 2025 'Let's Encrypt for AWS Console').
+  - `TF-010-datazone-overgrant` (HIGH) — `AmazonDataZoneFullAccess` attached
+    to non-admin principals (the "easy" onboarding policy that bridges
+    identity, Glue catalog, and S3 storage in a single grant).
+  CLI: `cloud-audit threat-feed [--list] [--pattern <id>] [--regions ...]
+  [--profile ...] [--threat-feed-version 2026-Q2]`. Exits 1 when CRITICAL
+  or HIGH detected (CI gate friendly). Patterns also surface in standard
+  `cloud-audit scan --categories threat` output (JSON, SARIF, HTML).
+### Changed
+- `Category` enum gains `THREAT` value for active-abuse findings (separate
+  from `SECURITY` misconfiguration).
+- `Finding` model gains `threat_pattern_id: str | None` and
+  `references: list[str]` for backing research links.
+- 23rd registered AWS check module (`threat_feed`) loaded by `AWSProvider`.
+### Tests
+- 638 -> 742 (+104). Each pattern ships 9-12 unit tests covering positive
+  detection, negative cases, false-positive guards, severity escalation,
+  multi-resource aggregation, AccessDenied resilience, and metadata
+  exposure.
+## [2.1.0] - 2026-04-28
+### Added
+- **IAM Privilege Escalation - Tier 1 + Tier 2 + Tier 3**: 39 new detection methods, total 64 across 9 categories (was 25/6). Coverage of all known IAM privilege escalation paths in pathfinding.cloud.
+  Tier 1 (20 methods - PassRole variants + resource policy abuse + deny removal):
+  - PassRole + Glue variants: `glue:CreateJob`, `glue:UpdateJob`, `glue:CreateSession`
+  - PassRole + ECS variants: `ecs:UpdateService`, `ecs:RegisterTaskDefinition` (auto-deploy)
+  - PassRole + CloudFormation: `cloudformation:UpdateStack`
+  - PassRole + EC2 instance profile hijack: `ec2:AssociateIamInstanceProfile`, `ec2:ReplaceIamInstanceProfileAssociation`
+  - PassRole + Lambda event source mapping
+  - Instance profile role swap (no PassRole): `iam:RemoveRoleFromInstanceProfile` + `iam:AddRoleToInstanceProfile`
+  - **NEW Resource Policy Abuse category**: `lambda:AddPermission`, `lambda:AddLayerVersionPermission`
+  - IAM deny-removal patterns: `iam:DeleteRolePolicy`, `iam:DeleteUserPolicy`, `iam:DetachRolePolicy`, `iam:DetachUserPolicy`, `iam:CreateServiceLinkedRole`
+  - Credential access extensions: `iam:UpdateAccessKey`, `iam:DeactivateMFADevice`, `iam:DeleteVirtualMFADevice` (MFA bypass paths)
+  Tier 2 (12 methods - new compute primitives + SSM):
+  - PassRole + new services: `codebuild:CreateProject`, `apprunner:CreateService`, `sagemaker:CreateNotebookInstance`, `sagemaker:CreateProcessingJob`, `bedrock:CreateAgent`, `states:CreateStateMachine`
+  - **NEW Compute Hijack category**: `ssm:SendCommand`, `ssm:StartSession` (managed EC2 abuse), `ec2-instance-connect:SendSSHPublicKey` (60s SSH key push), `codebuild:UpdateProject` (hijack existing CI build), `apprunner:UpdateService` (replace running container)
+  - Credential access extension: `ssm:GetParameter` (read secrets from Parameter Store)
+  Tier 3 (4 methods - lateral movement via AssumeRole graph - NEW pipeline):
+  - **NEW Lateral AssumeRole category** with new module `iam_trust_graph.py` parsing `AssumeRolePolicyDocument` and building a directed graph
+  - `AssumeRole:Direct` - 1-hop assume from a principal to a role with admin permissions
+  - `AssumeRole:Chain` - multi-hop assume chain (up to 4 hops) ending at admin
+  - `AssumeRole:WildcardTrust` - any role with `Principal: "*"` trust policy
+  - `AssumeRole:CrossAccountRoot` - any role trusting external account `:root`
+  - Same-account root expansion: roles trusting `arn:aws:iam::SAME:root` are reachable by any principal in account with `sts:AssumeRole`
+  - Bare 12-digit account IDs are normalized to `:root` ARNs
+  - Trust conditions (MFA / ExternalId / SourceArn) are flagged but not semantically evaluated
 ## [2.0.1] - 2026-04-17
 ### Changed

{cloud_audit-2.0.1 → cloud_audit-2.2.0}/PKG-INFO RENAMED Viewed

@@ -1,7 +1,7 @@
 Metadata-Version: 2.4
 Name: cloud-audit
-Version: 2.0.1
-Summary: Open-source AWS security scanner with IAM escalation detection, What-If simulator, security trends, AI-SPM (Bedrock/SageMaker), 6 compliance frameworks, 31 attack chain rules, breach cost estimation, and MCP server. 94 checks across 23 services. Every finding includes CLI + Terraform remediation.
+Version: 2.2.0
+Summary: Open-source AWS security scanner. Threat Feed v1 (10 active-abuse patterns from 2025-2026 incidents), 64 IAM escalation methods, What-If simulator, security trends, AI-SPM (Bedrock/SageMaker), 6 compliance frameworks, 31 attack chain rules, breach cost estimation, and MCP server. Every finding includes CLI + Terraform remediation.
 Project-URL: Homepage, https://haitmg.pl/cloud-audit/
 Project-URL: Documentation, https://haitmg.pl/cloud-audit/
 Project-URL: Source, https://github.com/gebalamariusz/cloud-audit
@@ -83,6 +83,7 @@ Description-Content-Type: text/markdown
   <a href="https://haitmg.pl/cloud-audit/compliance/overview/">Compliance</a> -
   <a href="https://haitmg.pl/cloud-audit/features/attack-chains/">Attack Chains</a> -
   <a href="https://haitmg.pl/cloud-audit/features/iam-escalation/">IAM Escalation</a> -
+  <a href="https://haitmg.pl/cloud-audit/features/threat-feed/">Threat Feed</a> -
   <a href="https://haitmg.pl/cloud-audit/features/simulate/">Simulator</a> -
   <a href="https://haitmg.pl/cloud-audit/features/mcp-server/">MCP Server</a>
 </p>
@@ -100,6 +101,21 @@ Uses your default AWS credentials and region. Try without an AWS account:
 cloud-audit demo
 ```
+### NEW in v2.2: Threat Feed
+Detect ACTIVE abuse patterns from 2025-2026 incidents (cryptomining campaigns,
+SES phishing setup, leaked-credential scanner activity, AgentCore CVEs):
+```bash
+cloud-audit threat-feed              # scan all 10 patterns
+cloud-audit threat-feed --list       # show registered patterns
+cloud-audit threat-feed --pattern aws-tf-003   # one pattern only
+```
+Each pattern carries external research references (Wiz, Datadog Security Labs,
+Unit 42, Permiso) on every finding. Exit code 1 when CRITICAL/HIGH detected
+(CI gate friendly). See [Threat Feed docs](https://haitmg.pl/cloud-audit/features/threat-feed/).
 ---
 ## Why It's Different
@@ -150,7 +166,7 @@ cloud-audit simulate --fix aws-vpc-002
 | Feature | What it does |
 |---|---|
-| **IAM Privilege Escalation** | 25 escalation methods across 6 categories. PMapper has been dead since 2022 -- this is its open-source replacement. |
+| **IAM Privilege Escalation** | 61 escalation methods across 9 categories, including lateral movement detection via AssumeRole graph traversal. PMapper has been dead since 2022 -- this is its open-source replacement, and it covers paths PMapper never did. |
 | **What-If Simulator** | `cloud-audit simulate --fix aws-vpc-002` shows score change, chains broken, and risk reduction before you apply anything. |
 | **Root Cause Grouping** | "Fix 4 things, break 22 chains." Groups findings by shared root cause and ranks by impact. |
 | **Security Posture Trend** | `cloud-audit trend` tracks health score, chains, and risk over time with sparkline visualization. |
@@ -228,19 +244,28 @@ claude mcp add cloud-audit -- uvx --from cloud-audit cloud-audit-mcp
 ## How It Compares
-| Feature | Prowler | Trivy | cloud-audit |
-|---------|---------|-------|-------------|
-| Checks | 576 | 517 | **94** |
-| Attack chains + root-cause grouping | No | No | **31 rules** |
-| What-If remediation simulator | No | No | **Yes** |
-| IAM privilege escalation | No | No | **25 methods** |
-| Remediation per finding | CIS only | No | **100% (CLI + TF)** |
-| AI-SPM (Bedrock/SageMaker) | No | No | **Yes** |
-| Compliance frameworks | CIS | -- | **6** |
+[Prowler](https://github.com/prowler-cloud/prowler) is the AWS security standard: 572 checks across 83 services, 41 compliance frameworks (CIS, PCI-DSS, HIPAA, SOC2, NIST 800, ISO 27001, GDPR, FedRAMP, NIS2, MITRE ATT&CK and more), 55 auto-remediation fixers, and graph-based attack path analysis in the Prowler App (Cartography + Neo4j). It also covers Azure, GCP, Kubernetes, M365, and 10+ other providers.
+cloud-audit is AWS-only and intentionally narrower (94 curated checks). It goes deep where Prowler goes wide: attack chain correlation and IAM escalation detection run in the free CLI with zero infrastructure, every finding ships with reviewable Terraform + AWS CLI remediation, and scan diff / drift tracking is built into the CLI.
+| Feature | Prowler | cloud-audit |
+|---------|---------|-------------|
+| AWS checks | 572 across 83 services | 94 across 23 services |
+| Compliance frameworks (AWS) | 41 (CIS, PCI-DSS, HIPAA, SOC2, NIST, ISO 27001, GDPR, FedRAMP, NIS2, ...) | 6 (CIS v3.0, SOC 2, BSI C5, ISO 27001, HIPAA, NIS2) |
+| Auto-remediation | 55 fixers across 17 AWS services (direct API calls) | 94/94 findings with CLI + Terraform output (reviewable, you apply) |
+| Attack path / graph analysis | Prowler App (Cartography + graph queries) | CLI-native (31 rules, no infra) |
+| IAM privilege escalation graph | Prowler App | CLI-native (61 methods + AssumeRole graph) |
+| What-If remediation simulator | No | Yes |
+| AI/ML security checks (Bedrock + SageMaker) | ~20 checks | 5 checks + 3 attack chain rules |
+| Scan diff / drift tracking | Prowler App | Built-in CLI (`cloud-audit diff`) |
+| Breach cost estimates (USD) | No | Per-finding + per-chain |
+| MCP Server | Free | Free |
+| Multi-cloud | AWS + 13 others | AWS only |
+| License | Apache 2.0 | MIT |
-cloud-audit has fewer checks but goes deeper per finding: attack chain correlation, root-cause grouping, cost estimates, and a simulator that shows the impact of each fix before you apply it. If you need exhaustive multi-cloud compliance coverage, use Prowler. If you need to know what to fix first and why, cloud-audit is built for that.
+Use Prowler for compliance breadth, multi-cloud coverage, and graph-based attack path analysis. Use cloud-audit for fast CLI-native attack chain detection, reviewable Terraform remediation, and CI/CD drift tracking. They are complementary, not competitors - a common setup is Prowler for quarterly compliance evidence plus cloud-audit daily in CI/CD.
-<sub>Feature snapshot as of v2.0.0 (April 2026).</sub>
+<sub>Prowler stats verified from github.com/prowler-cloud/prowler (April 2026). cloud-audit snapshot as of v2.0.1.</sub>
 ---
@@ -361,7 +386,7 @@ Full docs at **[haitmg.pl/cloud-audit](https://haitmg.pl/cloud-audit/)**:
 - **[Getting Started](https://haitmg.pl/cloud-audit/getting-started/installation/)** - installation, quick start, demo mode
 - **[Attack Chains](https://haitmg.pl/cloud-audit/features/attack-chains/)** - all 31 rules with MITRE ATT&CK references
-- **[IAM Escalation](https://haitmg.pl/cloud-audit/features/iam-escalation/)** - 25 methods, 6 categories
+- **[IAM Escalation](https://haitmg.pl/cloud-audit/features/iam-escalation/)** - 61 methods, 9 categories (action-based + lateral AssumeRole graph)
 - **[What-If Simulator](https://haitmg.pl/cloud-audit/features/simulate/)** - simulate remediation impact
 - **[Compliance](https://haitmg.pl/cloud-audit/compliance/overview/)** - 6 frameworks: CIS, SOC 2, BSI C5, ISO 27001, HIPAA, NIS2
 - **[All 94 Checks](https://haitmg.pl/cloud-audit/checks/)** - full check reference by service

{cloud_audit-2.0.1 → cloud_audit-2.2.0}/README.md RENAMED Viewed

@@ -36,6 +36,7 @@
   <a href="https://haitmg.pl/cloud-audit/compliance/overview/">Compliance</a> -
   <a href="https://haitmg.pl/cloud-audit/features/attack-chains/">Attack Chains</a> -
   <a href="https://haitmg.pl/cloud-audit/features/iam-escalation/">IAM Escalation</a> -
+  <a href="https://haitmg.pl/cloud-audit/features/threat-feed/">Threat Feed</a> -
   <a href="https://haitmg.pl/cloud-audit/features/simulate/">Simulator</a> -
   <a href="https://haitmg.pl/cloud-audit/features/mcp-server/">MCP Server</a>
 </p>
@@ -53,6 +54,21 @@ Uses your default AWS credentials and region. Try without an AWS account:
 cloud-audit demo
 ```
+### NEW in v2.2: Threat Feed
+Detect ACTIVE abuse patterns from 2025-2026 incidents (cryptomining campaigns,
+SES phishing setup, leaked-credential scanner activity, AgentCore CVEs):
+```bash
+cloud-audit threat-feed              # scan all 10 patterns
+cloud-audit threat-feed --list       # show registered patterns
+cloud-audit threat-feed --pattern aws-tf-003   # one pattern only
+```
+Each pattern carries external research references (Wiz, Datadog Security Labs,
+Unit 42, Permiso) on every finding. Exit code 1 when CRITICAL/HIGH detected
+(CI gate friendly). See [Threat Feed docs](https://haitmg.pl/cloud-audit/features/threat-feed/).
 ---
 ## Why It's Different
@@ -103,7 +119,7 @@ cloud-audit simulate --fix aws-vpc-002
 | Feature | What it does |
 |---|---|
-| **IAM Privilege Escalation** | 25 escalation methods across 6 categories. PMapper has been dead since 2022 -- this is its open-source replacement. |
+| **IAM Privilege Escalation** | 61 escalation methods across 9 categories, including lateral movement detection via AssumeRole graph traversal. PMapper has been dead since 2022 -- this is its open-source replacement, and it covers paths PMapper never did. |
 | **What-If Simulator** | `cloud-audit simulate --fix aws-vpc-002` shows score change, chains broken, and risk reduction before you apply anything. |
 | **Root Cause Grouping** | "Fix 4 things, break 22 chains." Groups findings by shared root cause and ranks by impact. |
 | **Security Posture Trend** | `cloud-audit trend` tracks health score, chains, and risk over time with sparkline visualization. |
@@ -181,19 +197,28 @@ claude mcp add cloud-audit -- uvx --from cloud-audit cloud-audit-mcp
 ## How It Compares
-| Feature | Prowler | Trivy | cloud-audit |
-|---------|---------|-------|-------------|
-| Checks | 576 | 517 | **94** |
-| Attack chains + root-cause grouping | No | No | **31 rules** |
-| What-If remediation simulator | No | No | **Yes** |
-| IAM privilege escalation | No | No | **25 methods** |
-| Remediation per finding | CIS only | No | **100% (CLI + TF)** |
-| AI-SPM (Bedrock/SageMaker) | No | No | **Yes** |
-| Compliance frameworks | CIS | -- | **6** |
+[Prowler](https://github.com/prowler-cloud/prowler) is the AWS security standard: 572 checks across 83 services, 41 compliance frameworks (CIS, PCI-DSS, HIPAA, SOC2, NIST 800, ISO 27001, GDPR, FedRAMP, NIS2, MITRE ATT&CK and more), 55 auto-remediation fixers, and graph-based attack path analysis in the Prowler App (Cartography + Neo4j). It also covers Azure, GCP, Kubernetes, M365, and 10+ other providers.
+cloud-audit is AWS-only and intentionally narrower (94 curated checks). It goes deep where Prowler goes wide: attack chain correlation and IAM escalation detection run in the free CLI with zero infrastructure, every finding ships with reviewable Terraform + AWS CLI remediation, and scan diff / drift tracking is built into the CLI.
+| Feature | Prowler | cloud-audit |
+|---------|---------|-------------|
+| AWS checks | 572 across 83 services | 94 across 23 services |
+| Compliance frameworks (AWS) | 41 (CIS, PCI-DSS, HIPAA, SOC2, NIST, ISO 27001, GDPR, FedRAMP, NIS2, ...) | 6 (CIS v3.0, SOC 2, BSI C5, ISO 27001, HIPAA, NIS2) |
+| Auto-remediation | 55 fixers across 17 AWS services (direct API calls) | 94/94 findings with CLI + Terraform output (reviewable, you apply) |
+| Attack path / graph analysis | Prowler App (Cartography + graph queries) | CLI-native (31 rules, no infra) |
+| IAM privilege escalation graph | Prowler App | CLI-native (61 methods + AssumeRole graph) |
+| What-If remediation simulator | No | Yes |
+| AI/ML security checks (Bedrock + SageMaker) | ~20 checks | 5 checks + 3 attack chain rules |
+| Scan diff / drift tracking | Prowler App | Built-in CLI (`cloud-audit diff`) |
+| Breach cost estimates (USD) | No | Per-finding + per-chain |
+| MCP Server | Free | Free |
+| Multi-cloud | AWS + 13 others | AWS only |
+| License | Apache 2.0 | MIT |
-cloud-audit has fewer checks but goes deeper per finding: attack chain correlation, root-cause grouping, cost estimates, and a simulator that shows the impact of each fix before you apply it. If you need exhaustive multi-cloud compliance coverage, use Prowler. If you need to know what to fix first and why, cloud-audit is built for that.
+Use Prowler for compliance breadth, multi-cloud coverage, and graph-based attack path analysis. Use cloud-audit for fast CLI-native attack chain detection, reviewable Terraform remediation, and CI/CD drift tracking. They are complementary, not competitors - a common setup is Prowler for quarterly compliance evidence plus cloud-audit daily in CI/CD.
-<sub>Feature snapshot as of v2.0.0 (April 2026).</sub>
+<sub>Prowler stats verified from github.com/prowler-cloud/prowler (April 2026). cloud-audit snapshot as of v2.0.1.</sub>
 ---
@@ -314,7 +339,7 @@ Full docs at **[haitmg.pl/cloud-audit](https://haitmg.pl/cloud-audit/)**:
 - **[Getting Started](https://haitmg.pl/cloud-audit/getting-started/installation/)** - installation, quick start, demo mode
 - **[Attack Chains](https://haitmg.pl/cloud-audit/features/attack-chains/)** - all 31 rules with MITRE ATT&CK references
-- **[IAM Escalation](https://haitmg.pl/cloud-audit/features/iam-escalation/)** - 25 methods, 6 categories
+- **[IAM Escalation](https://haitmg.pl/cloud-audit/features/iam-escalation/)** - 61 methods, 9 categories (action-based + lateral AssumeRole graph)
 - **[What-If Simulator](https://haitmg.pl/cloud-audit/features/simulate/)** - simulate remediation impact
 - **[Compliance](https://haitmg.pl/cloud-audit/compliance/overview/)** - 6 frameworks: CIS, SOC 2, BSI C5, ISO 27001, HIPAA, NIS2
 - **[All 94 Checks](https://haitmg.pl/cloud-audit/checks/)** - full check reference by service

{cloud_audit-2.0.1 → cloud_audit-2.2.0}/mkdocs.yml RENAMED Viewed

@@ -6,6 +6,7 @@ repo_name: gebalamariusz/cloud-audit
 theme:
   name: material
+  custom_dir: overrides
   palette:
     - scheme: slate
       primary: deep purple
@@ -59,6 +60,7 @@ nav:
   - Features:
     - Attack Chains: features/attack-chains.md
     - IAM Privilege Escalation: features/iam-escalation.md
+    - Threat Feed: features/threat-feed.md
     - What-If Simulator: features/simulate.md
     - Security Posture Trend: features/trend.md
     - AI-SPM (Bedrock/SageMaker): features/ai-spm.md

cloud_audit-2.2.0/overrides/main.html ADDED Viewed

@@ -0,0 +1,139 @@
+{% extends "base.html" %}
+{#
+  JSON-LD structured data for the cloud-audit documentation site.
+  Rendered only on the site homepage (docs/index.md).
+  Updating: when cloud-audit version bumps, change the "softwareVersion"
+  value below. Keep featureList in sync with docs/index.md.
+#}
+{% block extrahead %}
+  {{ super() }}
+  {% if page.is_homepage %}
+  <script type="application/ld+json">
+  {
+    "@context": "https://schema.org",
+    "@graph": [
+      {
+        "@type": "SoftwareApplication",
+        "@id": "https://haitmg.pl/cloud-audit/#software",
+        "name": "cloud-audit",
+        "alternateName": "cloud-audit CLI",
+        "applicationCategory": "SecurityApplication",
+        "operatingSystem": "Linux, macOS, Windows",
+        "softwareVersion": "2.0.1",
+        "url": "https://haitmg.pl/cloud-audit/",
+        "downloadUrl": "https://pypi.org/project/cloud-audit/",
+        "softwareHelp": "https://haitmg.pl/cloud-audit/getting-started/installation/",
+        "license": "https://opensource.org/licenses/MIT",
+        "programmingLanguage": "Python",
+        "description": "Open-source AWS security scanner with attack chain detection, IAM privilege escalation analysis, and copy-paste CLI + Terraform remediation for every finding. 94 curated checks across 23 AWS services.",
+        "offers": {
+          "@type": "Offer",
+          "price": "0",
+          "priceCurrency": "USD",
+          "availability": "https://schema.org/InStock"
+        },
+        "author": { "@id": "https://haitmg.pl/#mariusz" },
+        "publisher": { "@id": "https://haitmg.pl/#org" },
+        "featureList": [
+          "94 curated AWS security checks across 23 services",
+          "31 attack chain rules correlating findings into exploit paths",
+          "25 IAM privilege escalation detection methods",
+          "What-If remediation simulator",
+          "Security posture trend tracking",
+          "AI-SPM support (Bedrock + SageMaker)",
+          "6 compliance frameworks: CIS AWS v3.0, SOC 2, BSI C5, ISO 27001, HIPAA, NIS2",
+          "Breach cost estimation based on published incident data",
+          "MCP Server for AI agents",
+          "Copy-paste AWS CLI and Terraform remediation for every finding",
+          "SARIF, HTML, Markdown, and JSON output formats",
+          "GitHub Actions and pre-commit hook integration"
+        ],
+        "keywords": "AWS security scanner, attack chains, IAM privilege escalation, PMapper alternative, CIS AWS v3.0, cloud security, DevSecOps, Terraform remediation, SARIF, MCP server, breach cost estimation",
+        "subjectOf": {
+          "@type": "NewsArticle",
+          "headline": "Cloud-audit: Fast, open-source AWS security scanner",
+          "url": "https://www.helpnetsecurity.com/2026/03/11/cloud-audit-open-source-aws-security-scanner/",
+          "datePublished": "2026-03-11",
+          "publisher": {
+            "@type": "Organization",
+            "name": "Help Net Security",
+            "url": "https://www.helpnetsecurity.com/"
+          }
+        },
+        "sameAs": [
+          "https://github.com/gebalamariusz/cloud-audit",
+          "https://pypi.org/project/cloud-audit/",
+          "https://ghcr.io/gebalamariusz/cloud-audit",
+          "https://registry.modelcontextprotocol.io/v0/servers?search=cloud-audit",
+          "https://glama.ai/mcp/servers/gebalamariusz/cloud-audit"
+        ],
+        "codeRepository": "https://github.com/gebalamariusz/cloud-audit",
+        "releaseNotes": "https://github.com/gebalamariusz/cloud-audit/blob/main/CHANGELOG.md"
+      },
+      {
+        "@type": "Organization",
+        "@id": "https://haitmg.pl/#org",
+        "name": "HAIT",
+        "legalName": "HAIT",
+        "url": "https://haitmg.pl",
+        "email": "kontakt@haitmg.pl",
+        "sameAs": [
+          "https://github.com/gebalamariusz",
+          "https://dev.to/haitmg"
+        ]
+      },
+      {
+        "@type": "Person",
+        "@id": "https://haitmg.pl/#mariusz",
+        "name": "Mariusz Gebala",
+        "jobTitle": "Cloud and DevOps Engineer",
+        "url": "https://haitmg.pl/about/",
+        "sameAs": [
+          "https://github.com/gebalamariusz",
+          "https://dev.to/haitmg"
+        ],
+        "worksFor": { "@id": "https://haitmg.pl/#org" },
+        "knowsAbout": [
+          "AWS",
+          "Palo Alto Networks",
+          "Terraform",
+          "Cloud Security",
+          "IAM Privilege Escalation",
+          "DevOps"
+        ],
+        "hasCredential": [
+          {
+            "@type": "EducationalOccupationalCredential",
+            "name": "AWS Certified Solutions Architect - Associate",
+            "credentialCategory": "certification"
+          },
+          {
+            "@type": "EducationalOccupationalCredential",
+            "name": "Microsoft Certified: Azure Administrator Associate",
+            "credentialCategory": "certification"
+          },
+          {
+            "@type": "EducationalOccupationalCredential",
+            "name": "Palo Alto Networks PCNSA",
+            "credentialCategory": "certification"
+          }
+        ]
+      },
+      {
+        "@type": "WebSite",
+        "@id": "https://haitmg.pl/cloud-audit/#website",
+        "name": "cloud-audit documentation",
+        "url": "https://haitmg.pl/cloud-audit/",
+        "description": "Official documentation for the cloud-audit open-source AWS security scanner",
+        "publisher": { "@id": "https://haitmg.pl/#org" },
+        "about": { "@id": "https://haitmg.pl/cloud-audit/#software" },
+        "inLanguage": "en"
+      }
+    ]
+  }
+  </script>
+  {% endif %}
+{% endblock %}

{cloud_audit-2.0.1 → cloud_audit-2.2.0}/pyproject.toml RENAMED Viewed

@@ -4,8 +4,8 @@ build-backend = "hatchling.build"
 [project]
 name = "cloud-audit"
-version = "2.0.1"
-description = "Open-source AWS security scanner with IAM escalation detection, What-If simulator, security trends, AI-SPM (Bedrock/SageMaker), 6 compliance frameworks, 31 attack chain rules, breach cost estimation, and MCP server. 94 checks across 23 services. Every finding includes CLI + Terraform remediation."
+version = "2.2.0"
+description = "Open-source AWS security scanner. Threat Feed v1 (10 active-abuse patterns from 2025-2026 incidents), 64 IAM escalation methods, What-If simulator, security trends, AI-SPM (Bedrock/SageMaker), 6 compliance frameworks, 31 attack chain rules, breach cost estimation, and MCP server. Every finding includes CLI + Terraform remediation."
 readme = "README.md"
 license = "MIT"
 requires-python = ">=3.10"
@@ -81,6 +81,13 @@ select = ["E", "F", "I", "N", "W", "UP", "S", "B", "A", "C4", "SIM", "TCH", "RUF
 "src/cloud_audit/reports/compliance_markdown.py" = ["E501"]
 "src/cloud_audit/cli.py" = ["TC003"]
 "src/cloud_audit/mcp_server.py" = ["TC003"]
+# Threat-feed modules and tests intentionally use boto3-style CamelCase
+# kwargs (UserName, RoleName, FunctionName, EmailIdentity) to match the
+# AWS API surface they wrap. N803 (lower_snake_case argument) is wrong here.
+# Inner exception classes used to simulate boto3 errors don't need the
+# Error suffix N818 mandates. Lambda/SES helpers also use Optional implicitly.
+"src/cloud_audit/providers/aws/threat_feed/*.py" = ["N803", "N818", "RUF013", "E501", "S112"]
+"tests/aws/threat_feed/*.py" = ["S101", "N803", "N806", "N818", "RUF013", "E501", "TC003", "E402"]
 "tests/**" = ["S101", "TC003", "E402"]
 [tool.mypy]

cloud_audit-2.2.0/server.json ADDED Viewed

@@ -0,0 +1,34 @@
+{
+  "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json",
+  "name": "io.github.gebalamariusz/cloud-audit",
+  "title": "cloud-audit",
+  "description": "AWS security scanner with attack chain detection, IAM privilege escalation, and fixes",
+  "websiteUrl": "https://haitmg.pl/cloud-audit/",
+  "repository": {
+    "url": "https://github.com/gebalamariusz/cloud-audit",
+    "source": "github"
+  },
+  "version": "2.0.1",
+  "packages": [
+    {
+      "registryType": "pypi",
+      "identifier": "cloud-audit",
+      "version": "2.0.1",
+      "transport": {
+        "type": "stdio"
+      },
+      "runtimeHint": "uvx",
+      "runtimeArguments": [
+        {
+          "type": "named",
+          "name": "--from",
+          "value": "cloud-audit"
+        },
+        {
+          "type": "positional",
+          "value": "cloud-audit-mcp"
+        }
+      ]
+    }
+  ]
+}

cloud-audit 2.0.1__tar.gz → 2.2.0__tar.gz

cloud-audit 2.0.1tar.gz → 2.2.0tar.gz