CloudSploit scans is an open-source project designed to allow detection of security risks in an AWS account. These scripts are designed to run against an AWS account and return a series of potential misconfigurations and security risks.

This project builds and runs the scanner from a Docker container but is not associated with Cloudsploit in any way.

Project URL: https://github.com/jumanjihouse/docker-cloudsploit
Docker hub: https://registry.hub.docker.com/u/jumanjiman/cloudsploit/
Upstream source: https://github.com/cloudsploit/scans

An unattended test harness runs the build script and runs simple tests. If all tests pass on master branch in the unattended test harness, it pushes the built images to the Docker hub.

These images are built as part of the test harness on CircleCI. If all tests pass on master branch, then the image is pushed into the docker hub.

docker pull jumanjiman/cloudsploit:latest

We push the tags automatically from the test harness, and we occasionally delete old tags from the Docker hub by hand.

Create a file credentials.env which contains read-only credentials:

AWS_ACCESS_KEY_ID=yourkeyid
AWS_SECRET_ACCESS_KEY=youraccesskey
AWS_SESSION_TOKEN=
AWS_DEFAULT_REGION=us-west-2
#
# Optional:
PROXY=http://proxy.example.com:3128

See the upstream README.md for details about the required read-only permissions.

Then run a container like this:

docker run --rm --read-only --env-file credentials.env cloudsploit

Build an image locally on a host with Docker:

script/build

Both the upstream source and this project are licensed under the GNU General Public License v3.