Most IaC tools tell you everything that is wrong. CloudSecurity tells you what is most dangerous first.

It connects individual misconfigurations into realistic risk chains, validates which ones matter most, and gives teams a clear fix-first path before deployment. Open source, API-first, and designed for fast CI workflows.

CloudSecurity AF — shift-left attack path analysis

Trigger it with the af CLI (requires af ≥ 0.1.87) — it streams live progress and prints the result:

af call cloudsecurity.scan --in '{"repo_url": "https://github.com/org/infra-repo"}'

Prefer raw HTTP? Hit the API directly with curl:

curl -X POST http://localhost:8080/api/v1/execute/async/cloudsecurity.scan \
 -H "Content-Type: application/json" \
 -d '{"input": {"repo_url": "https://github.com/org/infra-repo"}}'

Returns risk-prioritized attack paths — not individual findings, but chains showing how misconfigurations combine into real exploits:

{
 "attack_paths": [
 {
 "severity": "critical",
 "title": "Public S3 → IAM Escalation → RDS Exfiltration",
 "chain": [
 {"step": 1, "resource": "aws_s3_bucket.uploads", "issue": "Public read access enabled"},
 {"step": 2, "resource": "aws_iam_role.lambda_exec", "issue": "Wildcard S3 permissions + RDS access"},
 {"step": 3, "resource": "aws_db_instance.production", "issue": "No VPC restriction, accessible from Lambda"}
 ],
 "impact": "Attacker reads S3 bucket → discovers Lambda credentials → pivots to production database",
 "verdict": "confirmed",
 "remediation": "Restrict S3 ACL, scope IAM policy to specific bucket ARN, add VPC security group to RDS"
 }
 ],
 "summary": {"total_findings": 23, "attack_paths": 4, "critical": 1, "high": 2, "confirmed": 3}
}

Checkov, tfsec, and KICS are strong at broad control checks. Wiz, Orca, and Prisma Cloud are strong once infrastructure is live. CloudSecurity fills the shift-left gap in between: priority-grade attack path analysis directly from IaC, before deployment.

CloudSecurity is not a replace-all scanner. It is the decision layer in a modern cloud security stack:

• Rule scanners (Checkov/tfsec/KICS): broad deterministic control coverage.
• CloudSecurity: pre-deploy risk prioritization and multi-resource attack-path context.
• Runtime CNAPP (Wiz/Orca/Prisma Cloud): deployed-cloud visibility and runtime monitoring.

Recommended operating model:

1. Run rule scanner + CloudSecurity in PR for breadth + fix-first prioritization.
2. Use runtime CNAPP after deploy for drift and production-state risk.

CloudSecurity AF Signal Cascade Pipeline

• RECON: Reads IaC, builds a resource graph, and optionally pulls live cloud state and drift.
• HUNT: Runs 7 parallel domain hunters (IAM, network, data, secrets, compute, logging, compliance).
• CHAIN: Combines individual findings into multi-step attack paths across resources.
• PROVE: Adversarial verification — tries to disprove each path. Near-zero false positives.
• REMEDIATE: Generates IaC fix diffs and evaluates breaking change / downtime impact.

Full architecture deep-dive: docs/ARCHITECTURE.md

git clone https://github.com/Agent-Field/cloudsecurity-af.git && cd cloudsecurity-af
cp .env.example .env # Add OPENROUTER_API_KEY
docker compose up --build

Starts AgentField control plane (http://localhost:8080) + CloudSecurity agent.

Trigger a scan:

curl -X POST http://localhost:8080/api/v1/execute/async/cloudsecurity.scan \
 -H "Content-Type: application/json" \
 -d '{"input": {"repo_url": "https://github.com/org/infra-repo"}}'

Poll for results:

curl http://localhost:8080/api/v1/executions/<execution_id>

CloudSecurity exposes two reasoners through the AgentField control plane. All requests go to the control plane (default http://localhost:8080), which routes execution to the agent.

curl -X POST http://localhost:8080/api/v1/execute/async/cloudsecurity.scan \
 -H "Content-Type: application/json" \
 -d '{
 "input": {
 "repo_url": "https://github.com/org/infra-repo",
 "branch": "main",
 "depth": "quick",
 "severity_threshold": "low",
 "output_formats": ["sarif", "json"]
 }
 }'

Response:

{
 "execution_id": "exec_20260312_063521_ik2ghzst",
 "run_id": "run_20260312_063521_f6zfmc7q",
 "status": "queued",
 "target": "cloudsecurity.scan",
 "created_at": "2026年03月12日T06:35:21Z"
}

curl http://localhost:8080/api/v1/executions/{execution_id}

Returns queued → running → completed (or failed).

curl http://localhost:8080/api/v1/executions/{execution_id}/result

curl -X POST http://localhost:8080/api/v1/execute/async/cloudsecurity.prove \
 -H "Content-Type: application/json" \
 -d '{
 "input": {
 "repo_url": "https://github.com/org/infra-repo",
 "cloud_provider": "aws",
 "cloud_regions": ["us-east-1"],
 "assume_role_arn": "arn:aws:iam::123456789012:role/SecurityAuditRole",
 "depth": "standard",
 "severity_threshold": "medium",
 "output_formats": ["sarif", "json"]
 }
 }'

{
 "input": {
 "repo_url": "https://github.com/org/infra-repo",
 "branch": "main",
 "commit_sha": null,
 "base_commit_sha": null,
 "depth": "quick | standard | thorough",
 "severity_threshold": "critical | high | medium | low | info",
 "output_formats": ["sarif", "json", "markdown"],
 "compliance_frameworks": ["cis_aws", "soc2", "hipaa", "pci_dss"],
 "include_paths": ["modules/networking/"],
 "exclude_paths": ["tests/", ".git/"],
 "is_pr": false,
 "pr_id": null,
 "fail_on_findings": false,
 "max_cost_usd": 5.0,
 "max_duration_seconds": 3600,
 "max_concurrent_hunters": 7,
 "max_concurrent_provers": 3
 }
}

{
 "input": {
 "repo_url": "...",
 "cloud_provider": "aws",
 "cloud_regions": ["us-east-1", "eu-west-1"],
 "assume_role_arn": "arn:aws:iam::123456789012:role/SecurityAuditRole"
 }
}

CloudSecurity is designed for PR-time scanning with SARIF upload:

name: cloudsecurity-scan
on:
 pull_request:
 paths:
 - '**/*.tf'
 - '**/*.yaml'
 - '**/*.yml'
jobs:
 infrastructure-scan:
 runs-on: ubuntu-latest
 permissions:
 contents: read
 security-events: write
 steps:
 - uses: actions/checkout@v4
 - name: Trigger CloudSecurity
 run: |
 curl -sS -X POST "$AGENTFIELD_SERVER/api/v1/execute/async/cloudsecurity.scan" \
 -H "Content-Type: application/json" \
 -d '{"input":{"repo_url":".","depth":"quick","output_formats":["sarif","json"]}}'

See docs/GITHUB_ACTIONS.md for full Tier 1 and Tier 2 workflows.

• sarif: SARIF 2.1.0 for GitHub code scanning and security platforms
• json: Full structured output for pipelines and APIs
• markdown: Human-readable report for platform/security reviews

• repo_url, branch, commit_sha, base_commit_sha
• depth (quick | standard | thorough)
• severity_threshold (critical | high | medium | low | info)
• output_formats (sarif | json | markdown)
• compliance_frameworks (for example: cis_aws, soc2, hipaa, pci_dss)
• cloud (provider, regions, account_id, assume_role_arn) for Tier 2+
• Budget controls: max_cost_usd, max_duration_seconds, max_concurrent_hunters, max_concurrent_provers
• Scope filters: include_paths, exclude_paths
• CI fields: is_pr, pr_id, fail_on_findings

python -m venv .venv
source .venv/bin/activate
pip install -e .[dev]
pytest
ruff check src tests
mypy src
# Build and run via Docker
docker compose build
docker compose up -d

Package metadata:

• Python: >=3.11
• License: Apache-2.0
• Core deps: agentfield, pydantic>=2.0, pyhcl2>=2.0

CloudSecurity uses an open-core model: scan and prove remain open source (Apache 2.0), while enterprise adds org-scale controls such as multi-account management, scheduled monitoring, and RBAC/audit features. See docs/OPEN_CORE.md for the full tier breakdown.

CloudSecurity AF is licensed under Apache 2.0. See LICENSE.