• Stars
    star
    3,304
  • Rank 13,575 (Top 0.3 %)
  • Language
    JavaScript
  • License
    GNU General Publi...
  • Created over 9 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Cloud Security Posture Management (CSPM)

Build Status

CloudSploit by Aqua - Cloud Security Scans

Quick Start

Generic

$ git clone https://github.com/aquasecurity/cloudsploit.git
$ cd cloudsploit
$ npm install
$ ./index.js -h

Docker

$ git clone https://github.com/aquasecurity/cloudsploit.git
$ cd cloudsploit
$ docker build . -t cloudsploit:0.0.1
$ docker run cloudsploit:0.0.1 -h
$ docker run -e AWS_ACCESS_KEY_ID=XX -e AWS_SECRET_ACCESS_KEY=YY cloudsploit:0.0.1 --compliance=pci

Documentation

Background

CloudSploit by Aqua is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub. These scripts are designed to return a series of potential misconfigurations and security risks.

Deployment Options

CloudSploit is available in two deployment options:

Self-Hosted

Follow the instructions below to deploy the open-source version of CloudSploit on your machine in just a few simple steps.

Hosted at Aqua Wave

A commercial version of CloudSploit hosted at Aqua Wave. Try Aqua Wave today!

Installation

Ensure that NodeJS is installed. If not, install it from here.

$ git clone [email protected]:cloudsploit/scans.git
$ npm install

Configuration

CloudSploit requires read-only permission to your cloud account. Follow the guides below to provision this access:

For AWS, you can run CloudSploit directly and it will detect credentials using the default AWS credential chain.

CloudSploit Config File

The CloudSploit config file allows you to pass cloud provider credentials by:

  1. A JSON file on your file system
  2. Environment variables
  3. Hard-coding (not recommended)

Start by copying the example config file:

$ cp config_example.js config.js

Edit the config file by uncommenting the relevant sections for the cloud provider you are testing. Each cloud has both a credential_file option, as well as inline options. For example:

azure: {
    // OPTION 1: If using a credential JSON file, enter the path below
    // credential_file: '/path/to/file.json',
    // OPTION 2: If using hard-coded credentials, enter them below
    // application_id: process.env.AZURE_APPLICATION_ID || '',
    // key_value: process.env.AZURE_KEY_VALUE || '',
    // directory_id: process.env.AZURE_DIRECTORY_ID || '',
    // subscription_id: process.env.AZURE_SUBSCRIPTION_ID || ''
}

Credential Files

If you use the credential_file option, point to a file in your file system that follows the correct format for the cloud you are using.

AWS

{
  "accessKeyId": "YOURACCESSKEY",
  "secretAccessKey": "YOURSECRETKEY"
}

Azure

{
  "ApplicationID": "YOURAZUREAPPLICATIONID",
  "KeyValue": "YOURAZUREKEYVALUE",
  "DirectoryID": "YOURAZUREDIRECTORYID",
  "SubscriptionID": "YOURAZURESUBSCRIPTIONID"
}

GCP

Note: For GCP, you generate a JSON file directly from the GCP console, which you should not edit.

{
    "type": "service_account",
    "project": "GCPPROJECTNAME",
    "client_email": "GCPCLIENTEMAIL",
    "private_key": "GCPPRIVATEKEY"
}

Oracle OCI

{
  "tenancyId": "YOURORACLETENANCYID",
  "compartmentId": "YOURORACLECOMPARTMENTID",
  "userId": "YOURORACLEUSERID",
  "keyFingerprint": "YOURORACLEKEYFINGERPRINT",
  "keyValue": "YOURORACLEKEYVALUE",
}

Environment Variables

CloudSploit supports passing environment variables, but you must first uncomment the section of your config.js file relevant to the cloud provider being scanned.

You can then pass the variables listed in each section. For example, for AWS:

{
  access_key: process.env.AWS_ACCESS_KEY_ID || '',
  secret_access_key: process.env.AWS_SECRET_ACCESS_KEY || '',
  session_token: process.env.AWS_SESSION_TOKEN || '',
}

Running

To run a standard scan, showing all outputs and results, simply run:

$ ./index.js

CLI Options

CloudSploit supports many options to customize the run time. Some popular options include:

  • AWS GovCloud support: --govcloud
  • AWS China support: --china
  • Save the raw cloud provider response data: --collection=file.json
  • Ignore passing (OK) results: --ignore-ok
  • Exit with a non-zero code if non-passing results are found: --exit-code
    • This is a good option for CI/CD systems
  • Change the output from a table to raw text: --console=text

See Output Formats below for more output options.

Click for a full list of options
$ ./index.js -h

  _____ _                 _  _____       _       _ _
  / ____| |               | |/ ____|     | |     (_) |
| |    | | ___  _   _  __| | (___  _ __ | | ___  _| |_
| |    | |/ _ \| | | |/ _` |\___ \| '_ \| |/ _ \| | __|
| |____| | (_) | |_| | (_| |____) | |_) | | (_) | | |_
  \_____|_|\___/ \__,_|\__,_|_____/| .__/|_|\___/|_|\__|
                                  | |
                                  |_|

  CloudSploit by Aqua Security, Ltd.
  Cloud security auditing for AWS, Azure, GCP, Oracle, and GitHub

usage: index.js [-h] --config CONFIG [--compliance {hipaa,cis,cis1,cis2,pci}] [--plugin PLUGIN] [--govcloud] [--china] [--csv CSV] [--json JSON] [--junit JUNIT]
                [--table] [--console {none,text,table}] [--collection COLLECTION] [--ignore-ok] [--exit-code] [--skip-paginate] [--suppress SUPPRESS]

optional arguments:
  -h, --help            show this help message and exit
  --config CONFIG
                        The path to a cloud provider credentials file.
  --compliance {hipaa,cis,cis1,cis2,pci}
                        Compliance mode. Only return results applicable to the selected program.
  --plugin PLUGIN       A specific plugin to run. If none provided, all plugins will be run. Obtain from the exports.js file. E.g. acmValidation
  --govcloud            AWS only. Enables GovCloud mode.
  --china               AWS only. Enables AWS China mode.
  --csv CSV             Output: CSV file
  --json JSON           Output: JSON file
  --junit JUNIT         Output: Junit file
  --table               Output: table
  --console {none,text,table}
                        Console output format. Default: table
  --collection COLLECTION
                        Output: full collection JSON as file
  --ignore-ok           Ignore passing (OK) results
  --exit-code           Exits with a non-zero status code if non-passing results are found
  --skip-paginate       AWS only. Skips pagination (for debugging).
  --suppress SUPPRESS   Suppress results matching the provided Regex. Format: pluginId:region:resourceId

Compliance

CloudSploit supports mapping of its plugins to particular compliance policies. To run the compliance scan, use the --compliance flag. For example:

$ ./index.js --compliance=hipaa
$ ./index.js --compliance=pci

Multiple compliance modes can be run at the same time:

$ ./index.js --compliance=cis1 --compliance=cis2

CloudSploit currently supports the following compliance mappings:

HIPAA

$ ./index.js --compliance=hipaa

HIPAA scans map CloudSploit plugins to the Health Insurance Portability and Accountability Act of 1996.

PCI

$ ./index.js --compliance=pci

PCI scans map CloudSploit plugins to the Payment Card Industry Data Security Standard.

CIS Benchmarks

$ ./index.js --compliance=cis
$ ./index.js --compliance=cis1
$ ./index.js --compliance=cis2

CIS Benchmarks are supported, both for Level 1 and Level 2 controls. Passing --compliance=cis will run both level 1 and level 2 controls.

Output Formats

CloudSploit supports output in several formats for consumption by other tools. If you do not specify otherwise, CloudSploit writes output to standard output (the console) as a table.

Note: You can pass multiple output formats and combine options for further customization. For example:

# Print a table to the console and save a CSV file
$ ./index.js --csv=file.csv --console=table

# Print text to the console and save a JSON and JUnit file while ignoring passing results
$ ./index.js --json=file.json --junit=file.xml --console=text --ignore-ok

Console Output

By default, CloudSploit results are printed to the console in a table format (with colors). You can override this and use plain text instead, by running:

$ ./index.js --console=text

Alternatively, you can suppress the console output entirely by running:

$ ./index.js --console=none

Ignoring Passing Results

You can ignore results from output that return an OK status by passing a --ignore-ok commandline argument.

CSV

$ ./index.js --csv=file.csv

JSON

$ ./index.js --json=file.json

JUnit XML

$ ./index.js --junit=file.xml

Collection Output

CloudSploit saves the data queried from the cloud provider APIs in JSON format, which can be saved alongside other files for debugging or historical purposes.

$ ./index.js --collection=file.json

Suppressions

Results can be suppressed by passing the --suppress flag (multiple options are supported) with the following format:

--suppress pluginId:region:resourceId

For example:

# Suppress all results for the acmValidation plugin
$ ./index.js --suppress acmValidation:*:*

# Suppress all us-east-1 region results
$ ./index.js --suppress *:us-east-1:*

# Suppress all results matching the regex "certificate/*" in all regions for all plugins
$ ./index.js --suppress *:*:certificate/*

Running a Single Plugin

The --plugin flag can be used if you only wish to run one plugin.

$ ./index.js --plugin acmValidation

Architecture

CloudSploit works in two phases. First, it queries the cloud infrastructure APIs for various metadata about your account, namely the "collection" phase. Once all the necessary data is collected, the result is passed to the "scanning" phase. The scan uses the collected data to search for potential misconfigurations, risks, and other security issues, which are the resulting output.

Writing a Plugin

Please see our contribution guidelines and complete guide to writing CloudSploit plugins.

Writing a remediation

The --remediate flag can be used if you want to run remediation for the plugins mentioned as part of this argument. This takes a list of plugin names. Please see our developing remediation guide for more details.

Other Notes

For other details about the Aqua Wave SaaS product, AWS security policies, and more, click here.

More Repositories

1

trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Go
22,757
star
2

tfsec

Tfsec is now part of Trivy
Go
6,659
star
3

kube-bench

Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
Go
5,935
star
4

kube-hunter

Hunt for security weaknesses in Kubernetes clusters
Python
4,709
star
5

tracee

Linux Runtime Security and Forensics using eBPF
Go
3,601
star
6

starboard

Moved to https://github.com/aquasecurity/trivy-operator
Go
1,346
star
7

trivy-operator

Kubernetes-native security toolkit
Go
1,249
star
8

microscanner

Scan your container images for package vulnerabilities with Aqua Security
Dockerfile
856
star
9

kubectl-who-can

Show who has RBAC permissions to perform actions on different resources in Kubernetes
Go
810
star
10

trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Shell
807
star
11

libbpfgo

eBPF library for Go. Powered by libbpf.
Go
731
star
12

chain-bench

An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
Go
725
star
13

cloud-security-remediation-guides

Security Remediation Guides
698
star
14

vuln-list

NVD, Ubuntu, Alpine
408
star
15

btfhub

BTFhub, in collaboration with the BTFhub Archive repository, supplies BTF files for all published kernels that lack native support for embedded BTF. This joint effort ensures that even kernels without built-in BTF support can effectively leverage the benefits of eBPF programs, promoting compatibility across various kernel versions.
Go
386
star
16

esquery

An idiomatic Go query builder for ElasticSearch
Go
305
star
17

traceeshark

Deep Linux runtime visibility meets Wireshark
C
244
star
18

trivy-db

Go
224
star
19

kube-query

[EXPERIMENTAL] Extend osquery to report on Kubernetes
Go
223
star
20

harbor-scanner-trivy

Use Trivy as a plug-in vulnerability scanner in the Harbor registry
Go
218
star
21

defsec

Trivy's misconfiguration scanning engine
Go
213
star
22

postee

Simple message routing system that receives input messages through a webhook interface and can enforce actions using predefined outputs via integrations.
Go
201
star
23

fanal

Static Analysis Library for Containers
Go
200
star
24

cloudsec-icons

A collection of cloud security icons ☁️🔒
Go
186
star
25

docker-bench

Checks whether Docker is deployed according to security best practices as defined in the CIS Docker Benchmark
Go
179
star
26

vuln-list-update

Go
173
star
27

manifesto

Use Manifesto to store and query metadata for container images.
Go
164
star
28

tfsec-pr-commenter-action

Add comments to pull requests where tfsec checks have failed
Go
164
star
29

linux-bench

Checks whether a Linux server according to security best practices as defined in the CIS Distribution-Independent Linux Benchmark
Go
152
star
30

go-dep-parser

Dependency Parser for Multiple Programming Languages
Go
144
star
31

lmdrouter

Go HTTP router library for AWS API Gateway-invoked Lambda Functions
Go
135
star
32

appshield

Security configuration checks for popular cloud native applications and infrastructure.
Open Policy Agent
118
star
33

starboard-lens-extension

Lens extension for viewing Starboard security information
TypeScript
117
star
34

trivy-vscode-extension

A VS Code Extension for Trivy
TypeScript
116
star
35

btfhub-archive

The BTFhub Archive repository provides BTF files for those published kernels that lack native support for embedded BTF, thereby enhancing the versatility of eBPF programs across different kernel versions.
94
star
36

aqua-helm

Helm Charts For Installing Aqua Security Components
Mustache
86
star
37

table

🧮 Tables for terminals, in Go.
Go
81
star
38

tracee-action

Protect GitHub Actions with Tracee
Open Policy Agent
78
star
39

cfsec

Static analysis for CloudFormation templates to identify common misconfiguration
Go
58
star
40

starboard-octant-plugin

Octant plugin for viewing Starboard security information
Go
57
star
41

deployments

All Aqua deployments options and aquactl configuration
Shell
56
star
42

tfsec-sarif-action

Shell
52
star
43

tfsec-action

Vanilla GitHub action to run tfsec
Shell
52
star
44

trivy-azure-pipelines-task

An Azure Pipelines Task for trivy
TypeScript
46
star
45

community

Aqua Security's open source community
40
star
46

trivy-operator-lens-extension

https://github.com/aquasecurity/trivy-operator
TypeScript
37
star
47

terraform-provider-aquasec

Go
35
star
48

go-version

A Go library for parsing and verifying versions and version constraints.
Go
35
star
49

harbor-scanner-aqua

Aqua Enterprise scanner as a plug-in vulnerability scanner in the Harbor registry
Go
35
star
50

aqua-operator

The aqua-operator is a group of controllers that runs within a Kubernetes or Openshift cluster that provides a means to deploy and manage Aqua Security cluster and Components.
Go
34
star
51

trivy-checks

Go
34
star
52

trivy-java-db

Go
30
star
53

vscode-tfsec

vscode extension for tfsec
TypeScript
30
star
54

trivy-kubernetes

Trivy kubernetes library
Go
29
star
55

trivy-plugin-kubectl

A Trivy plugin that scans the images of a kubernetes resource
Shell
25
star
56

trivy-docker-extension

Docker Desktop Extension for Trivy
TypeScript
20
star
57

trivy-plugin-referrer

Trivy plugin for OCI referrers
Go
20
star
58

trivy-enforcer

[EXPERIMENTAL] Kubernetes Operator for Image Assurance
Go
20
star
59

chain-bench-action

Shell
19
star
60

aqua-aws

The repository not supported any more. Please use this one https://github.com/aquasecurity/deployments
HCL
18
star
61

trivy-pipe

Bitbucket Pipe for running Trivy in a Pipeline
Shell
17
star
62

starboard-operator

The Starboard Operator has moved to the main Starboard repo, and this one is being retired
Go
16
star
63

windows-bench

Checks whether a Windows server according to security best practices as defined in the CIS Distribution-Independent Windows Benchmark
Go
16
star
64

saas-terraform-connection

Terraform modules for CloudSploit Scanner
HCL
14
star
65

trivy-ci-test

Dockerfile
14
star
66

vexhub

13
star
67

saas-api-samples

Sample code snippets for consuming the CloudSploit API
JavaScript
13
star
68

helm-charts

Aqua Open Source Helm Chart Repository
13
star
69

circleci-orb-microscanner

Enables scanning of docker builds in CircleCi for OS package vulnerabilities.
Dockerfile
13
star
70

vim-trivy

Vim Plugin for Trivy
Vim Script
13
star
71

vim-tfsec

List your tfsec issues in the QuickFix window with this plugin.
Vim Script
12
star
72

trivy-aws

Go
11
star
73

trivy-plugin-aqua

Makefile
11
star
74

go-git-pr-commenter

library for adding comments to git PRs
Go
11
star
75

binfinder

Find binary files not installed through package manager
Go
11
star
76

trivy-sarif-demo

JavaScript
9
star
77

cloud-metadata

Common metadata repository for CSPM and TFSec checks
Go
9
star
78

tracee-test-kernels

Kernels for testing tracee CO-RE feature
C
9
star
79

bench-common

Common code for hardening benchmarks
Go
9
star
80

trivy-repo

deb/rpm repository for Trivy
9
star
81

aws-security-hub-plugin

Aqua Security AWS Security Hub plugin
9
star
82

tracee-tester

This is a spin-off from Tracee project responsible for generating the docker image that tests open-source signatures.
Shell
9
star
83

gobard

Unofficial Golang API for Bard Chat.
Go
8
star
84

aqua-dash

Sample Aqua CSP dashboard
Vue
8
star
85

trivy-iac

Go
7
star
86

scan-cve-2018-8115

Python
7
star
87

amazon-eks-devsecops

PHP
7
star
88

pipeline-enforcer-action

TypeScript
7
star
89

intellij-trivy

Trivy Plugin for the JetBrains family of IDEs
Java
7
star
90

go-pep440-version

A golang library for parsing PEP 440 compliant Python versions
Go
7
star
91

tfsec-azure-pipelines-task

An Azure DevOps Task for tfsec
TypeScript
7
star
92

build-security-action

GitHub Action for Aqua Build Security
Shell
7
star
93

go-npm-version

A golang library for parsing npm versions
Go
6
star
94

saas-integrations

CloudSploit third-party integrations
JavaScript
6
star
95

trivy-plugin-attest

Publish SBOM attestation
Go
6
star
96

k8s-node-collector

Go
6
star
97

secfixes-tracker

Forked from https://gitlab.alpinelinux.org/kaniini/secfixes-tracker
Python
6
star
98

trivy-module-wordpress

Trivy example module for WordPress
Go
5
star
99

reportgen

PDF reports for Aqua CSP image and host vulnerabilities
Go
5
star
100

vuln-list-nvd

NVD
5
star