
CloudGuard

Read-only cloud misconfiguration scanner. Azure live, AWS/GCP in progress. Maps every finding to CIS Benchmarks and OWASP Cloud Top 10 — then gives you the exact CLI command and Terraform block to fix it.

Status: STABLE · GitHub
Tags: Cloud Security, Azure, AWS, GCP, CIS Benchmarks, OWASP Cloud Top 10, Terraform, Docker, Python

3 Providers (Azure / AWS / GCP) · 6 Categories (check coverage) · CIS + OWASP (framework aligned) · Read-Only (zero write access)
// FEATURES
Read-Only by Design

CloudGuard only needs Reader + Security Reader on the subscription, both built-in read-only roles. Zero write access: nothing gets changed during a scan, and findings are observations, not actions.

CIS Benchmark Alignment

Every finding maps to a CIS control reference and an OWASP Cloud Top 10 category. Severity comes from that mapping rather than an ad-hoc scale, so the output is framework-grounded and can be handed to a compliance team as-is.

Copy-Paste Remediation

Each finding ships with the exact az CLI command and a drop-in Terraform block to fix it. The gap between "finding" and "fix" is one paste.

Executive PDF Reports

pdf_report.py generates a structured report with severity summary, findings table, and remediation steps. Drop it in a customer email or a compliance ticket.

CI/CD Integration via REST API

POST /api/scan returns structured findings JSON. Select specific checks per run. Scan multiple subscriptions with the same service principal by passing different subscription_id values; the principal needs a read role assignment on each subscription it scans (or on a parent management group), since Azure RBAC grants are scoped.

Docker-First Deployment

docker compose up -d and it's live at localhost:5000. Works anywhere Docker runs — local, VM, or pipeline container. No dependency sprawl.

// CHECK COVERAGE — AZURE
Identity & Access
  • Owner/Contributor roles at subscription scope (broad privilege audit)
  • Service principal exposure and excessive permissions
Storage & Data Protection
  • Public blob access on storage accounts
  • HTTPS enforcement and TLS version checks
  • Soft delete status across all storage accounts
Network Security
  • NSG rules exposing RDP (3389), SSH (22), WinRM (5985), Telnet (23) to 0.0.0.0/0
  • Unrestricted inbound access on management ports
Observability & Logging
  • Activity Log profile existence and retention >= 90 days
  • Activity Log Alerts configuration
Secrets Management
  • Key Vault existence per subscription
  • Soft delete + purge protection enabled
  • Public network access controls
Policy Enforcement
  • Defender for Cloud plans: Storage, Servers, SQL, App Services, Key Vault
// QUICKSTART
ash@badash99:~$ cat quickstart.sh
# 1. Clone
git clone https://github.com/BadAsh99/cloudguard.git && cd cloudguard

# 2. Create a read-only service principal scoped to one subscription.
#    The command prints appId, password and tenant: store them in a secret
#    store, not in this script; they are the credentials used in step 4.
az ad sp create-for-rbac \
  --name "cloudguard-scanner" \
  --role Reader \
  --scopes /subscriptions/<SUBSCRIPTION_ID>

# Security Reader (also read-only) is the second role listed under Features;
# grant it to the same principal using the appId printed above.
az role assignment create \
  --assignee <APP_ID> \
  --role "Security Reader" \
  --scope /subscriptions/<SUBSCRIPTION_ID>

# 3. Spin up
docker compose up -d
# Open http://localhost:5000

# 4. Or scan via API
curl -X POST http://localhost:5000/api/scan \
  -H "Content-Type: application/json" \
  -d '{"provider": "azure", "mode": "scan", "credentials": { ... }}'
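The CI/CD integration described under Features and step 4 above, turned into a pipeline gate. This is an added example, not CloudGuard's own client, and it assumes things the page does not state: the credentials object's key names, a "checks" field for per-run check selection, the severity labels, and a response of the form {"findings": [{"severity": ..., ...}]}. Adjust those to the API's real contract before using it. Run it as `python scan_gate.py <SUBSCRIPTION_ID> [<SUBSCRIPTION_ID> ...]` with the service-principal values from step 2 in the environment; it exits non-zero when any finding meets the threshold.

```python
"""CI gate for POST /api/scan (added example, not part of CloudGuard).

Assumed, not from the page: credential key names, the "checks" field,
severity labels, and the {"findings": [...]} response shape.
"""
from __future__ import annotations
import json
import os
import sys
import urllib.request

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}  # assumed labels


def build_request(subscription_id: str, checks: list[str] | None = None) -> dict:
    """Body for POST /api/scan; the credentials come from the environment, never
    from the pipeline definition. Key names inside credentials are assumed."""
    body = {
        "provider": "azure",
        "mode": "scan",
        "subscription_id": subscription_id,
        "credentials": {
            "client_id": os.environ.get("AZURE_CLIENT_ID", ""),      # appId from step 2
            "client_secret": os.environ.get("AZURE_CLIENT_SECRET", ""),  # password from step 2
            "tenant_id": os.environ.get("AZURE_TENANT_ID", ""),      # tenant from step 2
        },
    }
    if checks:
        body["checks"] = checks  # assumed field name for per-run check selection
    return body


def post_scan(base_url: str, body: dict) -> dict:
    """Synchronous call to the scanner; a scan can take a while, so the timeout is generous."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/scan",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=600) as resp:
        return json.load(resp)


def failing_findings(findings: list[dict], fail_on: str = "high") -> list[dict]:
    """Findings at or above the threshold. An unknown severity label counts as failing,
    so a renamed or missing label cannot silently pass the gate."""
    threshold = SEVERITY_RANK[fail_on.lower()]
    return [f for f in findings
            if SEVERITY_RANK.get(str(f.get("severity", "")).lower(), 99) >= threshold]


def main(argv: list[str]) -> int:
    base_url = os.environ.get("CLOUDGUARD_URL", "http://localhost:5000")
    subs = argv[1:] or [os.environ.get("AZURE_SUBSCRIPTION_ID", "")]
    bad: list[dict] = []
    for sub in subs:  # same service principal, a different subscription_id per call
        result = post_scan(base_url, build_request(sub))
        bad += [dict(f, subscription_id=sub) for f in failing_findings(result.get("findings", []))]
    for f in bad:
        print(f"{f['subscription_id']}: [{f.get('severity')}] {f.get('check_id', '?')} {f.get('resource', '')}")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```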
// ARCHITECTURE
ash@badash99:~$ cat arch.txt

CloudGuard is structured as a payload framework — same mental model as LLMGuardT2, but for cloud infrastructure instead of LLM endpoints. Each check is a discrete payload with its own ID, category, CIS control reference, and check function.

azure_scanner.py handles Azure SDK calls via a service principal or az login session. scanner.py defines the payload registry and ScanFinding model — every result has a severity, CIS control, and two remediation blocks (CLI + Terraform).
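The payload-registry shape just described, and the NSG management-port check from the Azure coverage list, as an added illustration that is not CloudGuard's own scanner.py. ScanFinding, Payload, REGISTRY, register, run_payloads and the check ID are assumed names, and CIS_REF is an assumed reference to verify against the benchmark version being mapped to. The snapshot it scans is constructed. It goes slightly beyond the bullet in the coverage list: rules are evaluated in priority order, so a Deny that precedes an Allow for the same port is recognised as shadowing it.

```python
"""Payload-registry sketch for CloudGuard's architecture (added example, not
project code). ScanFinding, Payload, REGISTRY, register, run_payloads, the
check ID and CIS_REF are assumptions. Runs one Azure check, management ports
allowed inbound from any source in an NSG, over a constructed snapshot."""
from __future__ import annotations
from collections import namedtuple

ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "0.0.0.0", "::/0"}  # NSG spellings of "anywhere"
MGMT_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5985: "WinRM"}
CIS_REF = "CIS Azure Foundations 6.1 / 6.2 (assumed reference)"

# A payload is ID + category + CIS reference + check function; a finding carries
# a severity, the CIS reference and both remediation blocks (CLI + Terraform).
Payload = namedtuple("Payload", "check_id category cis_ref check")
ScanFinding = namedtuple("ScanFinding", "check_id category severity cis_ref resource detail remediation_cli remediation_tf")
REGISTRY: list[Payload] = []

def register(check_id: str, category: str, cis_ref: str):
    """Decorator that turns a check function into a registry entry."""
    def wrap(fn):
        REGISTRY.append(Payload(check_id, category, cis_ref, fn))
        return fn
    return wrap

def _ports(rule: dict) -> set[int] | None:
    """Destination ports a rule covers; None means every port ('*')."""
    ports: set[int] = set()
    for spec in map(str, rule.get("destination_port_ranges") or [rule.get("destination_port_range", "*")]):
        if spec == "*":
            return None
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def _from_anywhere(rule: dict) -> bool:
    return any(str(s).lower() in ANY_SOURCE
               for s in rule.get("source_address_prefixes") or [rule.get("source_address_prefix", "*")])

def _remediation(nsg: dict, rule: dict, port: int) -> tuple[str, str]:
    """az CLI update plus a Terraform block that pins the rule to a trusted CIDR."""
    cli = (f"az network nsg rule update --resource-group {nsg['resource_group']} "
           f"--nsg-name {nsg['name']} --name {rule['name']} --source-address-prefixes <TRUSTED_CIDR>")
    tf = "\n".join([
        f'resource "azurerm_network_security_rule" "{rule["name"]}" {{',
        f'  name                        = "{rule["name"]}"',
        f'  priority                    = {rule["priority"]}',
        '  direction                   = "Inbound"',
        '  access                      = "Allow"',
        '  protocol                    = "Tcp"',
        '  source_port_range           = "*"',
        f'  destination_port_range      = "{port}"',
        '  source_address_prefix       = "<TRUSTED_CIDR>"',
        '  destination_address_prefix  = "*"',
        f'  resource_group_name         = "{nsg["resource_group"]}"',
        f'  network_security_group_name = "{nsg["name"]}"',
        "}",
    ])
    return cli, tf

@register("AZ-NET-001", "Network Security", CIS_REF)
def mgmt_ports_open_to_internet(snapshot: dict) -> list[ScanFinding]:
    """Per port, walk inbound rules by priority (lowest number wins); the first any-source
    rule covering the port decides. A Deny shadows later Allows, and no match falls through
    to the default DenyAllInBound rule, so neither case produces a finding."""
    findings = []
    for nsg in snapshot["network_security_groups"]:
        inbound = sorted((r for r in nsg["rules"] if r["direction"] == "Inbound"), key=lambda r: r["priority"])
        for port, svc in MGMT_PORTS.items():
            for rule in inbound:
                covered = _ports(rule)
                if (covered is not None and port not in covered) or not _from_anywhere(rule):
                    continue
                if rule["access"] == "Allow":
                    cli, tf = _remediation(nsg, rule, port)
                    findings.append(ScanFinding("AZ-NET-001", "Network Security", "High", CIS_REF,
                                                f"{nsg['resource_group']}/{nsg['name']}",
                                                f"rule '{rule['name']}' allows {svc} ({port}) inbound from any source",
                                                cli, tf))
                break  # the highest-precedence any-source rule for this port has decided
    return findings

def run_payloads(snapshot: dict, selected: set[str] | None = None) -> list[ScanFinding]:
    """Run every registered payload, or only the selected check IDs (per-run selection)."""
    return [f for p in REGISTRY if selected is None or p.check_id in selected for f in p.check(snapshot)]

SAMPLE_SNAPSHOT = {  # constructed sample, not a real subscription
    "network_security_groups": [{"name": "web-nsg", "resource_group": "rg-prod", "rules": [
        {"name": "allow-ssh-any", "priority": 100, "direction": "Inbound", "access": "Allow",
         "source_address_prefix": "*", "destination_port_range": "22"},
        {"name": "deny-rdp-any", "priority": 110, "direction": "Inbound", "access": "Deny",
         "source_address_prefix": "Internet", "destination_port_range": "3389"},
        {"name": "allow-winrm-office", "priority": 120, "direction": "Inbound", "access": "Allow",
         "source_address_prefixes": ["203.0.113.0/24"], "destination_port_ranges": ["5985-5986"]},
        {"name": "allow-rdp-any", "priority": 200, "direction": "Inbound", "access": "Allow",
         "source_address_prefix": "0.0.0.0/0", "destination_port_range": "3389"},  # shadowed by 110
        {"name": "allow-all-any", "priority": 300, "direction": "Inbound", "access": "Allow",
         "source_address_prefix": "*", "destination_port_range": "*"},
    ]}]
}

if __name__ == "__main__":
    for f in run_payloads(SAMPLE_SNAPSHOT):
        print(f"[{f.severity}] {f.check_id} {f.resource}: {f.detail}\n  {f.remediation_cli}")
```

On the sample, SSH is flagged through the explicit rule, Telnet and WinRM are flagged through the catch-all at priority 300 (the WinRM rule scoped to an office CIDR is correctly ignored), and RDP is not flagged because the Deny at priority 110 shadows the Allow at 200. A scanner that only pattern-matches single rules gets that last case wrong in both directions.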

exploiter.py is the red-team module: a read-only exploitation simulation that demonstrates blast radius without making any changes. It uses the same credential path as the scanner, so it is bounded by the same read-only roles.

The Flask app wraps everything with a simple REST API and browser UI. It is designed to be dropped into a CI/CD pipeline or used interactively in a professional-services (PS) engagement.