Skip to content

SKILL.md

Latest commit

 

History

History
300 lines (241 loc) · 12 KB

SKILL.md

File metadata and controls

300 lines (241 loc) · 12 KB
name CloudGuard
version 1.0.0
description Cloud infrastructure & IaC security scanner -- detects insecure Terraform, open S3 buckets, permissive IAM, missing encryption, exposed ports, and cloud misconfigurations
homepage https://cloudguard.pages.dev
metadata
openclaw
emoji primaryEnv requires install os
☁️
CLOUDGUARD_LICENSE_KEY
bins
git
bash
id kind formula bins label
lefthook
brew
lefthook
lefthook
Install lefthook (git hooks manager)
darwin
linux
win32
user-invocable true
disable-model-invocation false

CloudGuard -- Cloud Infrastructure & IaC Security Scanner

CloudGuard scans codebases for insecure cloud infrastructure patterns including Terraform misconfigurations, open S3 buckets, overly permissive IAM policies, missing encryption at rest, exposed ports, absent logging and monitoring, and general cloud compliance gaps. It uses 90 regex-based patterns across 6 security categories, produces severity-graded reports with actionable remediation, and integrates with git hooks via lefthook. 100% local. Zero telemetry.

Commands

Free Tier (No license required)

cloudguard scan [file|directory]

One-shot cloud security scan of infrastructure-as-code files or directories.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target]

What it does:

  1. Accepts a file path or directory (defaults to current directory)
  2. Discovers all IaC and configuration files (Terraform .tf, CloudFormation .yml/.yaml/.json, Dockerfiles, Kubernetes manifests, cloud config files)
  3. Runs 30 cloud security patterns against each file (free tier limit)
  4. Skips .git, node_modules, .terraform, vendor, and other non-IaC directories
  5. Respects .gitignore and allowlist files
  6. Calculates a cloud security score (0-100) per file and overall
  7. Grades: A (90-100), B (80-89), C (70-79), D (60-69), F (<60)
  8. Outputs findings with: file, line number, check ID, severity, category, description, recommendation
  9. Exit code 0 if score >= 70, exit code 1 if score < 70 (too many misconfigurations)
  10. Free tier limited to first 30 of 90 patterns

Example usage scenarios:

  • "Scan my Terraform for security issues" -> runs cloudguard scan .
  • "Check my cloud config for misconfigurations" -> runs cloudguard scan infra/
  • "Audit my AWS infrastructure code" -> runs cloudguard scan terraform/
  • "Find open S3 buckets in my IaC" -> runs cloudguard scan .

Pro Tier ($19/user/month -- requires CLOUDGUARD_LICENSE_KEY)

cloudguard scan [file|directory] (Pro -- 60 patterns)

Full scan with 60 of 90 patterns unlocked covering all 6 categories in depth.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --tier pro

cloudguard hooks install

Install git pre-commit hooks that scan staged IaC files for cloud security issues before every commit.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" hooks install

What it does:

  1. Validates Pro+ license
  2. Copies lefthook config to project root
  3. Installs lefthook pre-commit and pre-push hooks
  4. On every commit: scans all staged IaC files for cloud misconfigurations, blocks commit if critical/high findings, shows remediation advice

cloudguard hooks uninstall

Remove CloudGuard git hooks.

bash "<SKILL_DIR>/scripts/dispatcher.sh" hooks uninstall

cloudguard report [directory]

Generate a markdown cloud security report with findings, severity breakdown, category analysis, and remediation steps.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format text report

What it does:

  1. Validates Pro+ license
  2. Runs full scan of the directory with 60 patterns
  3. Generates a formatted markdown report from template
  4. Includes per-category breakdowns, cloud security score, remediation priority
  5. Output suitable for security reviews and compliance audits

cloudguard audit [directory]

Deep cloud security audit across all categories.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] audit

What it does:

  1. Validates Pro+ license
  2. Runs comprehensive scan with extended pattern set
  3. Provides per-category severity analysis
  4. Reports compliance gaps across S3, IAM, networking, encryption, logging, and configuration

Team Tier ($39/user/month -- requires CLOUDGUARD_LICENSE_KEY with team tier)

cloudguard scan [file|directory] (Team -- all 90 patterns)

Full scan with all 90 patterns unlocked.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --tier team

cloudguard scan --format json [directory]

JSON output for CI/CD pipeline integration.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format json

What it does:

  1. Validates Team+ license
  2. Runs full scan with all 90 patterns
  3. Outputs findings in structured JSON format
  4. Compatible with CI/CD pipelines, dashboards, and automated tooling
  5. Includes rule definitions, severity mappings, and category breakdowns

cloudguard scan --format html [directory]

HTML report output for stakeholder sharing.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format html

cloudguard scan --category [category] [directory]

Category-filtered scan for focused audits.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --category S3

What it does:

  1. Validates Team+ license
  2. Runs only the patterns for the specified category
  3. Available categories: S3, IM, NW, EN, LG, CF
  4. Useful for targeted compliance checks

cloudguard status

Show license and configuration information.

bash "<SKILL_DIR>/scripts/dispatcher.sh" status

Check Categories

CloudGuard detects 90 cloud security patterns across 6 categories:

Category Code Patterns Examples Severity Range
Storage Security S3 15 Public S3 buckets, missing encryption, no versioning, overly permissive bucket policies, missing access logging, no lifecycle rules Critical/High/Medium
IAM & Permissions IM 15 Wildcard IAM policies, AdministratorAccess, overly broad assume role, missing MFA, root account usage, no least privilege Critical/High/Medium
Network Security NW 15 Open security groups (0.0.0.0/0), exposed ports (22, 3389, 3306), missing VPC, no network ACLs, public subnets without NAT, SSH open to world Critical/High/Medium
Encryption EN 15 Missing encryption at rest, no KMS key rotation, unencrypted EBS volumes, missing SSL/TLS, no transit encryption, weak cipher suites Critical/High/Medium/Low
Logging & Monitoring LG 15 Missing CloudTrail, no VPC flow logs, disabled GuardDuty, missing alarm configurations, no SNS notifications, absent audit logs High/Medium/Low
Configuration & Compliance CF 15 Missing tags, no resource naming convention, hardcoded regions, missing backups, no disaster recovery, drift detection gaps Medium/Low

Severity Levels

Level Points Deducted Meaning Action Required
Critical 25 Immediate infrastructure compromise risk (open to internet, no auth, wildcard admin) Fix immediately; block deployment
High 15 Significant security gap that could be exploited (missing encryption, overly permissive policies) Fix within current sprint
Medium 8 Security best practice violation that increases attack surface Plan remediation within 30 days
Low 3 Informational finding, minor hygiene issue, or hardening recommendation Address when convenient

Scoring System

CloudGuard uses a 0-100 scoring system:

  • Starting score: 100 (perfect, no findings)
  • Deductions: Each finding deducts points based on severity
  • Floor: Score cannot go below 0
  • Pass threshold: 70 (exit code 0)
  • Fail threshold: Below 70 (exit code 1)

Grade Scale

Grade Score Range Meaning
A 90-100 Excellent -- minimal or no cloud security issues
B 80-89 Good -- minor issues that should be addressed
C 70-79 Acceptable -- passing but needs improvement
D 60-69 Poor -- significant security gaps requiring attention
F Below 60 Failing -- critical misconfigurations must be fixed immediately

Tier-Based Pattern Access

Tier Patterns Available Categories
Free 30 patterns First 5 patterns per category
Pro 60 patterns First 10 patterns per category
Team 90 patterns (all) All 15 patterns per category
Enterprise 90 patterns (all) All 15 patterns per category + priority support

Configuration

Users can configure CloudGuard in ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "cloudguard": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "severityThreshold": "high",
          "ignorePatterns": ["**/test/**", "**/examples/**", "**/fixtures/**"],
          "ignoreChecks": [],
          "reportFormat": "text",
          "categories": ["S3", "IM", "NW", "EN", "LG", "CF"]
        }
      }
    }
  }
}

Supported File Types

CloudGuard scans the following file types for cloud security patterns:

File Type Extensions Use Case
Terraform .tf, .tfvars HashiCorp Terraform IaC definitions
CloudFormation .yml, .yaml, .json, .template AWS CloudFormation templates
Kubernetes .yml, .yaml Kubernetes manifests and Helm charts
Docker Dockerfile, docker-compose.yml Container configurations
Ansible .yml, .yaml Ansible playbooks and roles
General Config .conf, .cfg, .ini, .toml, .hcl Infrastructure configuration files
Scripts .sh, .bash, .ps1, .py Deployment and provisioning scripts
Policy .json, .rego IAM policies, OPA Rego rules

Important Notes

  • Free tier works immediately with no configuration
  • All scanning happens locally -- no code is sent to external servers
  • License validation is offline -- no phone-home or network calls
  • Pattern matching only -- no AST parsing, no external dependencies beyond bash and grep
  • Supports scanning all IaC file types in a single pass
  • Git hooks use lefthook which must be installed (see install metadata above)
  • Exit codes: 0 = pass (score >= 70), 1 = fail (score < 70, for CI/CD integration)
  • Category-level breakdown shows exactly where security gaps exist

Error Handling

  • If lefthook is not installed and user tries hooks install, prompt to install it
  • If license key is invalid or expired, show clear message with link to https://cloudguard.pages.dev/renew
  • If a file is binary, skip it automatically with no warning
  • If no scannable IaC files found in target, report clean scan with info message
  • If invalid category specified with --category, show available categories
  • If grep does not support -E flag (rare), fall back gracefully with error message

When to Use CloudGuard

The user might say things like:

  • "Scan my Terraform for security issues"
  • "Check my cloud infrastructure code"
  • "Find open S3 buckets in my IaC"
  • "Audit my AWS configuration"
  • "Check for missing encryption in my infrastructure"
  • "Find overly permissive IAM policies"
  • "Scan for exposed ports in my security groups"
  • "Are my CloudFormation templates secure?"
  • "Check my Kubernetes manifests for security"
  • "Run a cloud security audit"
  • "Find missing CloudTrail in my Terraform"
  • "Detect VPC misconfigurations"
  • "Scan for hardcoded regions in my IaC"
  • "Check if my EBS volumes are encrypted"
  • "Find missing tags in my cloud resources"
  • "Set up pre-commit hooks for cloud security"
  • "Generate a cloud security report for my team"