CloudSploit scans is an open-source project for detecting security risks in an AWS account. Its scripts run against an AWS account using read-only credentials and return a list of potential misconfigurations and security risks.
This project builds and runs the scanner from a Docker container but is not associated with Cloudsploit in any way.
Project URL: https://github.com/jumanjihouse/docker-cloudsploit
Docker hub: https://registry.hub.docker.com/u/jumanjiman/cloudsploit/
Upstream source: https://github.com/cloudsploit/scans
An unattended test harness on CircleCI runs the build script and a set of simple tests against the resulting image. If all tests pass on the master branch, the harness pushes the built image to the Docker hub.
docker pull jumanjiman/cloudsploit:latest
We push the tags automatically from the test harness, and we occasionally delete old tags from the Docker hub by hand, so do not assume that a pinned tag will remain available indefinitely.
Create a file named credentials.env containing credentials for an IAM principal that has read-only permissions. The file holds a long-lived secret, so keep it readable only by your user and out of version control:
AWS_ACCESS_KEY_ID=yourkeyid
AWS_SECRET_ACCESS_KEY=youraccesskey
# Leave AWS_SESSION_TOKEN empty for long-lived keys; set it when using temporary (STS) credentials.
AWS_SESSION_TOKEN=
AWS_DEFAULT_REGION=us-west-2
#
# Optional:
PROXY=http://proxy.example.com:3128
See the upstream README.md for details about the required read-only permissions.
Then run a container from the pulled image like this (substitute the tag of a locally built image if you built one yourself):
docker run --rm --read-only --env-file credentials.env jumanjiman/cloudsploit:latest
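The following script is an added example, not part of the docker-cloudsploit project or the upstream scanner. It wraps the steps above: it writes credentials.env with owner-only permissions, checks the file before it is passed to docker (mode 600, required variables present, no `export` prefix and no quotes, since `docker run --env-file` passes each line literally as KEY=value), and then runs the container exactly as shown above. The function names, the placeholder key values and the default image tag are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of docker-cloudsploit): create credentials.env safely,
# sanity-check it, and launch the scan. Function names are this example's own.
# Assumes bash, GNU or BSD coreutils (stat), and a docker CLI for run_scan.

# Write the env file with owner-only permissions so the secret key is never
# world-readable, even briefly. An empty token is fine for long-lived keys.
write_env_file() {
  local path="$1" key_id="$2" secret="$3" token="${4:-}" region="${5:-us-west-2}"
  ( umask 077 && printf 'AWS_ACCESS_KEY_ID=%s\nAWS_SECRET_ACCESS_KEY=%s\nAWS_SESSION_TOKEN=%s\nAWS_DEFAULT_REGION=%s\n' \
      "$key_id" "$secret" "$token" "$region" > "$path" ) || return 1
  chmod 600 "$path"   # in case the file already existed with looser permissions
}

# Checks worth running before handing the file to `docker run --env-file`:
#  - mode 600 (the file holds a long-lived secret)
#  - the three required variables are present and non-empty
#  - no `export` prefix and no quotes: docker passes each line literally as
#    KEY=value, so KEY="value" would send the quotes to AWS and signing would fail
check_env_file() {
  local path="$1" mode key
  [ -f "$path" ] || { echo "missing $path" >&2; return 1; }
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
  [ "$mode" = "600" ] || { echo "$path: expected mode 600, got $mode" >&2; return 1; }
  for key in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION; do
    grep -Eq "^${key}=.+" "$path" || { echo "$path: $key missing or empty" >&2; return 1; }
  done
  if grep -Eq '^(export |[^#=]*=["'"'"'])' "$path"; then
    echo "$path: use raw KEY=value lines, no export and no quotes" >&2
    return 1
  fi
  return 0
}

# Run the scan with a read-only root filesystem; the container is discarded afterwards.
run_scan() {
  local path="$1" image="${2:-jumanjiman/cloudsploit:latest}"
  check_env_file "$path" || return 1
  docker run --rm --read-only --env-file "$path" "$image"
}

# Usage (placeholder values, not real credentials):
#   write_env_file credentials.env AKIAEXAMPLEKEYID examplesecret "" us-west-2
#   run_scan credentials.env
```

The check for quotes matters because the env-file format has no unquoting step: a value written as `"abc"` reaches the scanner as `"abc"`, and the resulting AWS signature mismatch is easy to misread as a permissions problem.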
Build an image locally on a host with Docker:
script/build
Both the upstream source and this project are licensed under the GNU General Public License v3.