explaingit

aquasecurity/cloudsploit

Analysis updated 2026-07-03

Stars · 3,731 · Language · JavaScript · Audience · ops, devops · Complexity · 3/5 · License · (none listed) · Setup · moderate

TLDR

An open-source command-line tool that scans AWS, Azure, Google Cloud, and Oracle Cloud accounts for security misconfigurations and compliance gaps, checking hundreds of best practices without needing write access to your account.

Mindmap

mindmap
  root((cloudsploit))
    What it does
      Scans cloud accounts
      Reports misconfigurations
      Compliance mode checks
    Supported Clouds
      AWS
      Azure
      Google Cloud
      Oracle Cloud
    Output Formats
      Terminal table
      CSV or JSON
      JUnit XML
    Compliance Standards
      PCI
      HIPAA
      CIS benchmarks
    Setup
      Node.js CLI
      Docker option
      Read-only creds only


What do people build with it?

USE CASE 1

Run a full security scan of your AWS account to get a prioritized list of misconfigurations like public S3 buckets or overly permissive IAM roles.

USE CASE 2

Filter results to the PCI or HIPAA compliance profile to produce a targeted report showing only the checks required for your regulatory framework.

USE CASE 3

Add CloudSploit to your CI/CD pipeline using JUnit XML output so cloud security checks fail a build the same way unit tests do.

USE CASE 4

Write a custom plugin to add a security check specific to your organization that the default rule set does not cover.

What is it built with?

JavaScript · Node.js · Docker

How does it compare?

                    aquasecurity/cloudsploit   efforg/privacybadger   forwardemail/email-templates
Stars               3,731                      3,731                  3,733
Language            JavaScript                 JavaScript             JavaScript
Setup difficulty    moderate                   easy                   moderate
Complexity          3/5                        1/5                    2/5
Audience            ops, devops                general                developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate · Time to first run · 30 minutes

Requires read-only cloud credentials configured via a config file or environment variables before the first scan.

The tool is open-source and free to use and self-host. A commercial hosted version with more features is available from Aqua Security.

In plain English

CloudSploit is an open-source tool that scans your cloud accounts on AWS, Azure, Google Cloud, and Oracle Cloud and reports back a list of security problems and misconfigurations. If you have cloud infrastructure running and want to know whether it is set up securely, this tool checks it against hundreds of known best practices and tells you what is wrong.

The tool runs from the command line. You give it read-only credentials for your cloud account, and it goes through your settings looking for issues: storage buckets left open to the public, outdated encryption settings, overly permissive access rules, and similar problems. Results can be shown as a table in your terminal, exported to CSV or JSON files, or formatted as JUnit XML for use in automated testing pipelines.

CloudSploit also supports compliance modes, which filter the results to show only the checks relevant to a specific regulatory standard. The supported standards include PCI (payment card industry rules), HIPAA (US healthcare data regulations), and several CIS benchmark profiles. If your organization needs to demonstrate compliance with one of these frameworks, the tool can run a targeted scan focused on those requirements.

You can run it yourself by installing Node.js and cloning the repository, or you can run it inside Docker without installing any dependencies locally. Aqua Security, the company behind the project, also offers a commercial hosted version with additional features. The open-source command-line version is self-contained and does not require a paid account.

Credentials are passed through a config file or environment variables. The tool only needs read-only access, so it can inspect your setup without making any changes to your account. There is also a plugin system that lets developers write new security checks for custom use cases not covered by the default set.

Copy-paste prompts

Prompt 1
I want to run CloudSploit against my AWS account. Write a minimal config file with read-only IAM credentials and a Node.js command to scan and output results to a JSON file.
Prompt 2
Here are my CloudSploit JSON results: [paste JSON]. Write a Python script that groups findings by severity, counts them per category, and prints a summary table.
Prompt 3
I need to check my Azure environment for HIPAA compliance using CloudSploit. Show me the exact CLI command and any config changes needed to run a HIPAA-filtered scan.
Prompt 4
Write a GitHub Actions workflow that runs CloudSploit against an AWS account using secrets for credentials and fails the job if any CRITICAL findings are returned.
Prompt 5
I want to write a new CloudSploit plugin that checks whether all EC2 instances have detailed monitoring enabled. Show me the plugin file structure and logic.

Frequently asked questions

What is cloudsploit?

An open-source command-line tool that scans AWS, Azure, Google Cloud, and Oracle Cloud accounts for security misconfigurations and compliance gaps, checking hundreds of best practices without needing write access to your account.

What language is cloudsploit written in?

Mainly JavaScript. The stack also includes Node.js and Docker.

What license does cloudsploit use?

The tool is open-source and free to use and self-host. A commercial hosted version with more features is available from Aqua Security.

How hard is cloudsploit to set up?

Setup difficulty is rated moderate, with roughly 30 minutes to a first successful run.

Who is cloudsploit for?

Mainly ops and DevOps teams.


Verify against the repo before relying on details.