cloudguard
by @suhteevah
Cloud infrastructure & IaC security scanner -- detects insecure Terraform, open S3 buckets, permissive IAM, missing encryption, exposed ports, and cloud misc...
clawhub install cloudguardπ About This Skill
name: CloudGuard version: 1.0.0 description: "Cloud infrastructure & IaC security scanner -- detects insecure Terraform, open S3 buckets, permissive IAM, missing encryption, exposed ports, and cloud misconfigurations" homepage: https://cloudguard.pages.dev metadata: { "openclaw": { "emoji": "\u2601\ufe0f", "primaryEnv": "CLOUDGUARD_LICENSE_KEY", "requires": { "bins": ["git", "bash", "python3", "jq"] }, "configPaths": ["~/.openclaw/openclaw.json"], "install": [ { "id": "lefthook", "kind": "brew", "formula": "lefthook", "bins": ["lefthook"], "label": "Install lefthook (git hooks manager)" } ], "os": ["darwin", "linux", "win32"] } } user-invocable: true disable-model-invocation: false
CloudGuard -- Cloud Infrastructure & IaC Security Scanner
CloudGuard scans codebases for insecure cloud infrastructure patterns including Terraform misconfigurations, open S3 buckets, overly permissive IAM policies, missing encryption at rest, exposed ports, absent logging and monitoring, and general cloud compliance gaps. It uses 90 regex-based patterns across 6 security categories, produces severity-graded reports with actionable remediation, and integrates with git hooks via lefthook. 100% local. Zero telemetry.
Commands
Free Tier (No license required)
#### cloudguard scan [file|directory]
One-shot cloud security scan of infrastructure-as-code files or directories.
How to execute:
bash "/scripts/dispatcher.sh" --path [target]
What it does: 1. Accepts a file path or directory (defaults to current directory) 2. Discovers all IaC and configuration files (Terraform .tf, CloudFormation .yml/.yaml/.json, Dockerfiles, Kubernetes manifests, cloud config files) 3. Runs 30 cloud security patterns against each file (free tier limit) 4. Skips .git, node_modules, .terraform, vendor, and other non-IaC directories 5. Respects .gitignore and allowlist files 6. Calculates a cloud security score (0-100) per file and overall 7. Grades: A (90-100), B (80-89), C (70-79), D (60-69), F (<60) 8. Outputs findings with: file, line number, check ID, severity, category, description, recommendation 9. Exit code 0 if score >= 70, exit code 1 if score < 70 (too many misconfigurations) 10. Free tier limited to first 30 of 90 patterns
Example usage scenarios:
cloudguard scan .cloudguard scan infra/cloudguard scan terraform/cloudguard scan .Pro Tier ($19/user/month -- requires CLOUDGUARD_LICENSE_KEY)
#### cloudguard scan [file|directory] (Pro -- 60 patterns)
Full scan with 60 of 90 patterns unlocked covering all 6 categories in depth.
bash "/scripts/dispatcher.sh" --path [target] --tier pro
#### cloudguard hooks install
Install git pre-commit hooks that scan staged IaC files for cloud security issues before every commit.
How to execute:
bash "/scripts/dispatcher.sh" hooks install
What it does: 1. Validates Pro+ license 2. Copies lefthook config to project root 3. Installs lefthook pre-commit and pre-push hooks 4. On every commit: scans all staged IaC files for cloud misconfigurations, blocks commit if critical/high findings, shows remediation advice
#### cloudguard hooks uninstall
Remove CloudGuard git hooks.
bash "/scripts/dispatcher.sh" hooks uninstall
#### cloudguard report [directory]
Generate a markdown cloud security report with findings, severity breakdown, category analysis, and remediation steps.
bash "/scripts/dispatcher.sh" --path [directory] --format text report
What it does: 1. Validates Pro+ license 2. Runs full scan of the directory with 60 patterns 3. Generates a formatted markdown report from template 4. Includes per-category breakdowns, cloud security score, remediation priority 5. Output suitable for security reviews and compliance audits
#### cloudguard audit [directory]
Deep cloud security audit across all categories.
bash "/scripts/dispatcher.sh" --path [directory] audit
What it does: 1. Validates Pro+ license 2. Runs comprehensive scan with extended pattern set 3. Provides per-category severity analysis 4. Reports compliance gaps across S3, IAM, networking, encryption, logging, and configuration
Team Tier ($39/user/month -- requires CLOUDGUARD_LICENSE_KEY with team tier)
#### cloudguard scan [file|directory] (Team -- all 90 patterns)
Full scan with all 90 patterns unlocked.
bash "/scripts/dispatcher.sh" --path [target] --tier team
#### cloudguard scan --format json [directory]
JSON output for CI/CD pipeline integration.
bash "/scripts/dispatcher.sh" --path [directory] --format json
What it does: 1. Validates Team+ license 2. Runs full scan with all 90 patterns 3. Outputs findings in structured JSON format 4. Compatible with CI/CD pipelines, dashboards, and automated tooling 5. Includes rule definitions, severity mappings, and category breakdowns
#### cloudguard scan --format html [directory]
HTML report output for stakeholder sharing.
bash "/scripts/dispatcher.sh" --path [directory] --format html
#### cloudguard scan --category [category] [directory]
Category-filtered scan for focused audits.
bash "/scripts/dispatcher.sh" --path [directory] --category S3
What it does: 1. Validates Team+ license 2. Runs only the patterns for the specified category 3. Available categories: S3, IM, NW, EN, LG, CF 4. Useful for targeted compliance checks
#### cloudguard status
Show license and configuration information.
bash "/scripts/dispatcher.sh" status
Check Categories
CloudGuard detects 90 cloud security patterns across 6 categories:
| Category | Code | Patterns | Examples | Severity Range | |----------|------|----------|----------|----------------| | Storage Security | S3 | 15 | Public S3 buckets, missing encryption, no versioning, overly permissive bucket policies, missing access logging, no lifecycle rules | Critical/High/Medium | | IAM & Permissions | IM | 15 | Wildcard IAM policies, AdministratorAccess, overly broad assume role, missing MFA, root account usage, no least privilege | Critical/High/Medium | | Network Security | NW | 15 | Open security groups (0.0.0.0/0), exposed ports (22, 3389, 3306), missing VPC, no network ACLs, public subnets without NAT, SSH open to world | Critical/High/Medium | | Encryption | EN | 15 | Missing encryption at rest, no KMS key rotation, unencrypted EBS volumes, missing SSL/TLS, no transit encryption, weak cipher suites | Critical/High/Medium/Low | | Logging & Monitoring | LG | 15 | Missing CloudTrail, no VPC flow logs, disabled GuardDuty, missing alarm configurations, no SNS notifications, absent audit logs | High/Medium/Low | | Configuration & Compliance | CF | 15 | Missing tags, no resource naming convention, hardcoded regions, missing backups, no disaster recovery, drift detection gaps | Medium/Low |
Severity Levels
| Level | Points Deducted | Meaning | Action Required | |-------|----------------|---------|-----------------| | Critical | 25 | Immediate infrastructure compromise risk (open to internet, no auth, wildcard admin) | Fix immediately; block deployment | | High | 15 | Significant security gap that could be exploited (missing encryption, overly permissive policies) | Fix within current sprint | | Medium | 8 | Security best practice violation that increases attack surface | Plan remediation within 30 days | | Low | 3 | Informational finding, minor hygiene issue, or hardening recommendation | Address when convenient |
Scoring System
CloudGuard uses a 0-100 scoring system:
Grade Scale
| Grade | Score Range | Meaning | |-------|------------|---------| | A | 90-100 | Excellent -- minimal or no cloud security issues | | B | 80-89 | Good -- minor issues that should be addressed | | C | 70-79 | Acceptable -- passing but needs improvement | | D | 60-69 | Poor -- significant security gaps requiring attention | | F | Below 60 | Failing -- critical misconfigurations must be fixed immediately |
Tier-Based Pattern Access
| Tier | Patterns Available | Categories | |------|-------------------|------------| | Free | 30 patterns | First 5 patterns per category | | Pro | 60 patterns | First 10 patterns per category | | Team | 90 patterns (all) | All 15 patterns per category | | Enterprise | 90 patterns (all) | All 15 patterns per category + priority support |
Configuration
Users can configure CloudGuard in ~/.openclaw/openclaw.json:
{
"skills": {
"entries": {
"cloudguard": {
"enabled": true,
"apiKey": "YOUR_LICENSE_KEY_HERE",
"config": {
"severityThreshold": "high",
"ignorePatterns": ["/test/", "/examples/", "/fixtures/"],
"ignoreChecks": [],
"reportFormat": "text",
"categories": ["S3", "IM", "NW", "EN", "LG", "CF"]
}
}
}
}
}
Supported File Types
CloudGuard scans the following file types for cloud security patterns:
| File Type | Extensions | Use Case |
|-----------|------------|----------|
| Terraform | .tf, .tfvars | HashiCorp Terraform IaC definitions |
| CloudFormation | .yml, .yaml, .json, .template | AWS CloudFormation templates |
| Kubernetes | .yml, .yaml | Kubernetes manifests and Helm charts |
| Docker | Dockerfile, docker-compose.yml | Container configurations |
| Ansible | .yml, .yaml | Ansible playbooks and roles |
| General Config | .conf, .cfg, .ini, .toml, .hcl | Infrastructure configuration files |
| Scripts | .sh, .bash, .ps1, .py | Deployment and provisioning scripts |
| Policy | .json, .rego | IAM policies, OPA Rego rules |
Important Notes
Error Handling
hooks install, prompt to install itWhen to Use CloudGuard
The user might say things like:
βοΈ Configuration
Users can configure CloudGuard in ~/.openclaw/openclaw.json:
{
"skills": {
"entries": {
"cloudguard": {
"enabled": true,
"apiKey": "YOUR_LICENSE_KEY_HERE",
"config": {
"severityThreshold": "high",
"ignorePatterns": ["/test/", "/examples/", "/fixtures/"],
"ignoreChecks": [],
"reportFormat": "text",
"categories": ["S3", "IM", "NW", "EN", "LG", "CF"]
}
}
}
}
}