# Quick Start

## Basic scan

```bash
cloud-audit scan
```

Uses your default AWS credentials and region. You get a health score, attack chains, and findings.

## With remediation details

```bash
cloud-audit scan -R
```

Shows AWS CLI commands and Terraform HCL to fix each finding.

## Specific profile and regions

```bash
cloud-audit scan --profile production --regions eu-central-1,eu-west-1
```

## Generate reports

```bash
# HTML report (client-ready, dark mode)
cloud-audit scan --format html --output report.html

# SARIF for GitHub Code Scanning
cloud-audit scan --format sarif --output results.sarif

# Markdown for PR comments
cloud-audit scan --format markdown --output report.md
```

Format is auto-detected from the file extension.

## Export fixes as a script

```bash
cloud-audit scan --export-fixes fixes.sh
```

The script uses `set -e` with every command commented out. Review, uncomment what you want, and run.

## Cross-account scanning

```bash
cloud-audit scan --role-arn arn:aws:iam::987654321098:role/auditor
```

## Filter results

```bash
cloud-audit scan --min-severity high    # Only HIGH and CRITICAL
cloud-audit scan --categories security  # Only security checks
cloud-audit scan --quiet                # Exit code only (CI/CD)
```

## Exit codes

| Code | Meaning |
|---|---|
| 0 | No findings (after suppressions and severity filter) |
| 1 | Findings detected |
| 2 | Scan error (bad credentials, invalid config) |
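
A CI gate built on the exit codes in the table above, added here as an example (it is not part of cloud-audit or its documentation). It keeps a scan error (2) or a missing binary distinct from "findings" (1), and never lets either count as a clean run. `AUDIT_CMD`, `classify_exit` and `run_gate` are hypothetical names, and combining `--quiet` with `--min-severity high` in one invocation is an assumption.

```shell
#!/bin/sh
# Added example: CI gate around `cloud-audit scan` using its documented exit codes.
# AUDIT_CMD is a hypothetical override so the gate can be tested with a stub.

# Map an exit code to a decision label, following the exit-code table.
classify_exit() {
  case "$1" in
    0) echo "pass" ;;        # no findings after suppressions and severity filter
    1) echo "findings" ;;    # findings detected
    2) echo "scan-error" ;;  # bad credentials, invalid config
    *) echo "unknown" ;;     # e.g. 127 when the binary is not installed
  esac
}

# Run the scan and return:
#   0 = gate passes
#   1 = findings at HIGH or above, block the pipeline
#   2 = the scan did not complete, so the result says nothing about the account
run_gate() {
  local rc=0
  # `|| rc=$?` keeps a non-zero exit from aborting a `set -e` pipeline script
  "${AUDIT_CMD:-cloud-audit}" scan --quiet --min-severity high "$@" || rc=$?

  case "$(classify_exit "$rc")" in
    pass)
      echo "cloud-audit: no findings at HIGH or above" >&2
      return 0 ;;
    findings)
      echo "cloud-audit: findings at HIGH or above, failing the build" >&2
      return 1 ;;
    *)
      # Fail closed: a broken scan must not be reported as a clean account.
      echo "cloud-audit: scan did not complete (exit $rc), failing the build" >&2
      return 2 ;;
  esac
}
```

Call it from the pipeline step as `run_gate --profile production`; any extra arguments are passed through to `cloud-audit scan`.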