MCPcopy Index your code
hub / github.com/clouditor/clouditor

github.com/clouditor/clouditor @v2.0.0-ccit

Chat with this repo
repository ↗ · DeepWiki ↗ · release v2.0.0-ccit ↗ · + Follow
5,636 symbols 13,080 edges 247 files 1,148 documented · 20%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Clouditor Community Edition

build Go Report Card codecov OpenSSF Best Practices

[!NOTE] Note: We are currently preparing a v2 release of Clouditor, which will be somewhat incompatible with regards to storage to v1. The APIs will remain largely the same, but will be improved and cleaned. We will regularly release pre-release v2 versions, but do not have a concrete time-frame for a stable v2 yet.

If you are looking for a stable version, please use the v1.10.1 release.

Introduction

Clouditor is a tool which supports continuous cloud assurance. Its main goal is to continuously evaluate if a cloud-based application (built using, e.g., Amazon Web Services (AWS) or Microsoft Azure) is configured in a secure way and thus complies with security requirements defined by, e.g., Cloud Computing Compliance Controls Catalogue (C5) issued by the German Office for Information Security (BSI) or the Cloud Control Matrix (CCM) published by the Cloud Security Alliance (CSA).

Features

Clouditor currently supports over 60 checks for Amazon Web Services (AWS), Microsoft Azure and OpenStack. Results of these checks are evaluated against security requirements of the BSI C5 and CSA CCM.

Key features are:

  • automated compliance rules for AWS and MS Azure
  • granular report of detected non-compliant configurations
  • quick and adaptive integration with existing service through automated service discovery
  • descriptive development of custom rules using Cloud Compliance Language (CCL) to support individual evaluation scenarios
  • integration of custom security requirements and mapping to rules

QuickStart with UI

In order to just build and run the Clouditor, without generating the protobuf file, one can use the run-engine-with-ui.sh script. This still requires Go and Node.js to be installed. For example, to run the engine in-memory with the Azure provider the following command can be used:

./run-engine-with-ui.sh --discovery-provider=azure

This will start the all-in-on-engine with all discoverers enabled and launches the UI on http://localhost:5173. The default credentials are clouditor/clouditor.

Using the extra discoverers (e.g. CSAF)

Next to the regular cloud provider discoverers, Clouditor also comes with a a set of extra discoverers for dedicated protocols, for example CSAF. The CSAF discoverer allows the conformance check of a CSAF (trusted) provider.

It can be used with the following command:

./run-engine-with-ui.sh --discovery-provider=csaf --discovery-csaf-domain=clouditor.io

The domain clouditor.io can be replace with your actual domain.

Build

Install necessary protobuf tools, including buf. Please refer to the buf install guide.

go install github.com/srikrsna/protoc-gen-gotag \
github.com/oxisto/owl2proto/cmd/owl2proto

Also make sure that $HOME/go/bin is on your $PATH and build:

go generate ./...
go build -o ./engine cmd/engine/engine.go

Usage

To test, start the engine with an in-memory DB

./engine --db-in-memory

Alternatively, be sure to start a postgre DB:

docker run -e POSTGRES_HOST_AUTH_METHOD=trust -d -p 5432:5432 postgres

Clouditor CLI

The Go components contain a basic CLI command called cl. It can be installed using go install cmd/cli/cl.go. Make sure that your ~/go/bin is within your $PATH. Afterwards the binary can be used to connect to a Clouditor instance.

cl login <host:grpcPort>

The CLI can also be used to interact with the experimental resource graph, for example to add additional information about an application and its dependencies:

cl service discovery experimental update-resource \
'{"id": "log4j", "certificationTargetId": "00000000-0000-0000-0000-000000000000", "resourceType": "Library,Resource", "properties":{"name": "log4j", "groupId": "org.apache.logging.log4j", "artifactId": "log4j-core", "version": "2.17.0", "dependencyType": "maven", "url": "https://github.com/apache/logging-log4j2", "vulnerabilities": ["CVE-2021-44832"]}}'
cl service discovery experimental update-resource \
'{"id": "Main.java", "certificationTargetId": "00000000-0000-0000-0000-000000000000", "resourceType": "TranslationUnitDeclaration,Resource", "properties":{"name": "Main.java", "code": "class Main { public static void main(String[] args) { return; } }"}}'
cl service discovery experimental update-resource \
'{"id": "MyApplication", "certificationTargetId": "00000000-0000-0000-0000-000000000000", "resourceType": "Application,Resource", "properties":{"@type":"type.googleapis.com/clouditor.ontology.v1.Application", "id:": "MyApplication", "name": "MyApplication","dependencies":["log4j"],"translationUnits":["Main.java"]}}'
cl service discovery experimental update-resource \
'{"id": "github.com/org/app", "certificationTargetId": "00000000-0000-0000-0000-000000000000", "resourceType": "CodeRepository,Resource", "properties":{"id:": "github.com/org/app", "name": "github.com/org/app", "parent": "MyApplication", "url": "github.com/org/app"}}'

Command Completion

The CLI offers command completion for most shells using the cl completion command. Specific instructions to install the shell completions can be accessed using cl completion --help.

Extension points exported contracts — how you extend this code

PayloadRequest (Interface)
PayloadRequest describes any kind of requests that carries a certain payload. Defined in internal/api to avoid cyclic de [23 …
internal/api/request.go
PaginatedRequest (Interface)
PaginatedRequest contains the typical parameters for a paginated request, usually a request for a List gRPC call. [13 …
api/pagination.go
Discoverer (Interface)
Discoverer is a part of the discovery service that takes care of the actual discovering and translation into vocabulary [6 …
api/discovery/discovery.go
IsResource (Interface)
(no doc) [46 implementers]
api/ontology/ontology.go
Service (Interface)
(no doc) [5 implementers]
service/service.go
AuthorizationStrategy (Interface)
AuthorizationStrategy is an interface that implements a function which checkers whether the current certification target [3 …
service/authorization.go
LambdaAPI (Interface)
LambdaAPI describes the lambda api interface which is implemented by the official AWS client and mock clients in tests [3 …
service/discovery/aws/compute.go
PolicyEval (Interface)
PolicyEval is an interface for the policy evaluation engine [2 implementers]
policies/policies.go

Core symbols most depended-on inside this repo

Equal
called by 468
internal/testutil/assert/assert.go
Ref
called by 436
internal/util/deref.go
Create
called by 199
persistence/persistence.go
NewInMemoryStorage
called by 158
internal/testutil/storage.go
Deref
called by 116
internal/util/deref.go
NewAuthorizationStrategy
called by 114
internal/testutil/servicetest/authz.go
Validate
called by 100
api/validate.go
String
called by 75
service/discovery/aws/storage.go

Shape

Method 3,828
Function 964
Struct 733
Interface 78
FuncType 22
TypeAlias 11

Languages

Go100%

Modules by API surface

api/ontology/ontology.pb.go2,516 symbols
api/orchestrator/orchestrator.pb.go644 symbols
api/orchestrator/orchestrator_grpc.pb.go241 symbols
api/orchestrator/orchestrator.pb.gw.go98 symbols
api/evaluation/evaluation.pb.go97 symbols
api/assessment/metric.pb.go95 symbols
api/assessment/assessment.pb.go69 symbols
api/evidence/evidence_store.pb.go59 symbols
api/discovery/discovery.pb.go58 symbols
api/discovery/experimental.pb.go39 symbols
service/assessment/assessment_test.go38 symbols
service/evidence/evidence_store_test.go31 symbols

For agents

$ claude mcp add clouditor \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact