Claude Code for CloudSploit Scanning (2026)

Last updated: April 17, 2026

Cloud security scanning is a critical component of any modern DevSecOps pipeline. CloudSploit, an open-source cloud security scanner, helps developers and security teams identify misconfigurations across AWS, Azure, Google Cloud, and Oracle Cloud. However, running CloudSploit effectively requires proper configuration, result parsing, and integration into development workflows. This is where Claude Code shines, automating the entire scanning lifecycle, from setup to remediation tracking.

What is CloudSploit?

CloudSploit is an open-source tool that scans cloud environments for security misconfigurations. It supports major cloud providers and checks for issues like:

• Open S3 buckets and improper bucket policies
• Overly permissive IAM roles and policies
• Unencrypted storage volumes and databases
• Exposed Lambda functions
• Insecure security group configurations
• Missing multi-factor authentication on accounts

The tool runs collection scripts against cloud APIs, then executes plugins that check for specific misconfigurations. Each plugin returns results with severity levels, descriptions, and remediation guidance.

CloudSploit organizes findings into four severity tiers: CRITICAL, HIGH, MEDIUM, and LOW. Critical findings represent immediate threats, publicly exposed databases, S3 buckets with no access controls, or IAM root access keys in active use. High findings are serious issues that should be resolved within days, not weeks. Medium and Low findings provide a long-term hardening backlog. Understanding this structure is essential to building a workflow that reacts proportionally to each category.

Setting Up CloudSploit with Claude Code

Before integrating with Claude Code, ensure CloudSploit is installed in your environment:

Clone the CloudSploit repository
git clone https://github.com/cloudsploit/cloudsploit.git
cd cloudsploit
Install dependencies
npm install
Configure your cloud credentials
For AWS:
export AWS_ACCESS_KEY_ID=your_access_key
export AWS_SECRET_ACCESS_KEY=your_secret_key
export AWS_DEFAULT_REGION=us-east-1
For Azure (Service Principal):
export AZURE_SUBSCRIPTION_ID=your_subscription_id
export AZURE_TENANT_ID=your_tenant_id
export AZURE_CLIENT_ID=your_client_id
export AZURE_CLIENT_SECRET=your_client_secret
For GCP:
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json

For production use, you should never hardcode credentials in environment variables interactively. Instead, use a secrets manager like AWS Secrets Manager, HashiCorp Vault, or environment variables injected by your CI/CD system at runtime. Claude Code can help automate credential retrieval as part of the pre-scan setup phase.

Claude Code can then manage the entire scanning workflow through custom skills. Create a skill that encapsulates CloudSploit execution, result parsing, and reporting.

Creating a CloudSploit Scanning Skill

A well-designed Claude Code skill for CloudSploit should handle several key functions:

// cloudsploit-scanner.js - Core scanning function
const { exec } = require('child_process');
const fs = require('fs');
const path = require('path');
async function runScan(providers = ['aws'], outputFormat = 'json') {
 const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
 const outputFile = `scan-results-${timestamp}.${outputFormat}`;
 const providerArgs = providers.map(p => `--${p}`).join(' ');
 const command = `./index.js ${providerArgs} --json > ${outputFile}`;
 return new Promise((resolve, reject) => {
 exec(command, { cwd: '/path/to/cloudsploit' }, (error, stdout, stderr) => {
 if (error) {
 reject(new Error(`Scan failed: ${stderr}`));
 return;
 }
 resolve(outputFile);
 });
 });
}
async function parseScanResults(outputFile) {
 const raw = fs.readFileSync(outputFile, 'utf-8');
 const results = JSON.parse(raw);
 const grouped = { CRITICAL: [], HIGH: [], MEDIUM: [], LOW: [], UNKNOWN: [] };
 results.forEach(finding => {
 const level = finding.status || 'UNKNOWN';
 if (grouped[level]) {
 grouped[level].push(finding);
 } else {
 grouped.UNKNOWN.push(finding);
 }
 });
 return grouped;
}
module.exports = { runScan, parseScanResults };

This basic structure provides the foundation for more sophisticated automation. The skill should accept parameters like provider selection, scan scope, and output preferences.

Automating Scan Execution

One of Claude Code’s strengths is orchestrating complex workflows. For CloudSploit, this means:

1. Pre-scan validation: Verify credentials are configured, required permissions exist, and the environment is ready
2. Scan execution: Run CloudSploit with appropriate flags and handle any errors gracefully
3. Result parsing: Extract findings and categorize by severity
4. Reporting: Generate actionable reports in formats your team needs

Here is a more complete orchestration wrapper that you can call from a Claude Code skill or a CI step:

// orchestrate-scan.js
const { runScan, parseScanResults } = require('./cloudsploit-scanner');
const { sendSlackAlert } = require('./notifiers/slack');
const { createJiraIssues } = require('./ticketing/jira');
const fs = require('fs');
async function orchestrate(config) {
 const { providers, dryRun, notifySlack, createTickets } = config;
 console.log(`[INFO] Starting CloudSploit scan for: ${providers.join(', ')}`);
 let outputFile;
 try {
 outputFile = await runScan(providers);
 } catch (err) {
 console.error('[ERROR] Scan execution failed:', err.message);
 process.exit(1);
 }
 const grouped = await parseScanResults(outputFile);
 const summary = {
 critical: grouped.CRITICAL.length,
 high: grouped.HIGH.length,
 medium: grouped.MEDIUM.length,
 low: grouped.LOW.length,
 };
 console.log('[SUMMARY]', JSON.stringify(summary, null, 2));
 if (notifySlack && (summary.critical > 0 || summary.high > 0)) {
 await sendSlackAlert({ summary, findings: [...grouped.CRITICAL, ...grouped.HIGH] });
 }
 if (createTickets && !dryRun) {
 await createJiraIssues(grouped.CRITICAL, 'Critical');
 await createJiraIssues(grouped.HIGH, 'High');
 }
 // Fail the process if critical issues exist, useful for CI gates
 if (summary.critical > 0) {
 console.error(`[FAIL] ${summary.critical} critical findings require immediate attention.`);
 process.exit(1);
 }
}
orchestrate({
 providers: ['aws'],
 dryRun: process.env.DRY_RUN === 'true',
 notifySlack: true,
 createTickets: true,
});

Practical Integration Examples

CI/CD Pipeline Integration

Integrate CloudSploit scanning into your CI/CD pipeline to catch misconfigurations before deployment:

.github/workflows/cloudsploit-scan.yml
name: Cloud Security Scan
on:
 push:
 branches: [main, develop]
 pull_request:
 branches: [main]
 schedule:
 - cron: '0 6 * * *' # Daily at 6am UTC
jobs:
 cloudsploit-scan:
 runs-on: ubuntu-latest
 permissions:
 id-token: write
 contents: read
 steps:
 - uses: actions/checkout@v3
 - name: Configure AWS credentials (OIDC)
 uses: aws-actions/configure-aws-credentials@v2
 with:
 role-to-assume: arn:aws:iam::123456789012:role/CloudSploitScanRole
 aws-region: us-east-1
 - name: Setup Node.js
 uses: actions/setup-node@v3
 with:
 node-version: '18'
 - name: Install CloudSploit
 run: |
 git clone https://github.com/cloudsploit/cloudsploit.git
 cd cloudsploit && npm install
 - name: Run CloudSploit Scan
 run: |
 cd cloudsploit
 ./index.js --aws --json > ../results.json
 - name: Check for Critical Findings
 run: |
 CRITICAL=$(jq '[.[] | select(.status == "FAIL" and .severity == "critical")] | length' results.json)
 HIGH=$(jq '[.[] | select(.status == "FAIL" and .severity == "high")] | length' results.json)
 echo "Critical: $CRITICAL, High: $HIGH"
 if [ "$CRITICAL" -gt 0 ]; then
 echo "FAIL: Found $CRITICAL critical security issues"
 exit 1
 fi
 - name: Upload Results as Artifact
 if: always()
 uses: actions/upload-artifact@v3
 with:
 name: cloudsploit-results
 path: results.json
 retention-days: 30

Using OIDC-based authentication (shown above) instead of long-lived access keys is a security best practice. The scan role should have read-only permissions across the services CloudSploit checks.

Scheduled Security Audits

Use Claude Code to schedule regular scans and send alerts:

// Scheduled scan example
const cron = require('node-cron');
cron.schedule('0 2 * * *', async () => {
 console.log('Starting scheduled CloudSploit scan...');
 const scanner = require('./cloudsploit-scanner');
 const results = await scanner.runScan(['aws', 'azure', 'gcp']);
 const criticalIssues = results.filter(r => r.severity === 'CRITICAL');
 if (criticalIssues.length > 0) {
 await sendAlert({
 channel: '#security',
 message: `Found ${criticalIssues.length} critical issues`,
 findings: criticalIssues
 });
 }
});

For teams with multi-account AWS setups, you can extend this scheduler to loop over a list of account IDs, assume a cross-account role in each, run the scan, and aggregate results into a central reporting bucket. Claude Code can manage this iteration logic and handle failures in individual accounts without aborting the entire run.

Comparison: Manual vs. Claude Code-Orchestrated Workflow

Task	Manual Approach	Claude Code Workflow
Credential setup	Manual export or .env file	Automated retrieval from Secrets Manager
Scan execution	Run CLI command by hand	Triggered by push, PR, or schedule
Result parsing	Read raw JSON output	Grouped by severity, filtered by tags
Alerting	Manual Slack message	Automated with structured finding details
Ticket creation	Copy-paste findings to Jira	Auto-created with severity, plugin, and resource
Trend reporting	Ad-hoc spreadsheet	Time-series dashboard from stored scan artifacts

The manual approach is fine for occasional audits. For teams running more than one cloud account or deploying multiple times per week, the overhead of manual triage makes automation essential.

Best Practices for CloudSploit Workflows

1. Scan Scope Management

Avoid scanning everything at once. Instead, break scans into logical segments:

• Identity and Access Management: Focus on IAM users, roles, and policies
• Storage: Examine S3 buckets, EBS volumes, and database encryption
• Network: Review security groups, VPCs, and firewall rules
• Compute: Check EC2 instances, Lambda functions, and containers

This modular approach makes results more actionable and easier to triage. You can also assign each module to the team that owns it, storage findings go to the platform team, IAM findings go to the security team, and compute findings go to the application owners.

1. Result Filtering and Prioritization

Not all findings require immediate attention. Configure your workflow to filter based on:

• Severity level: Focus on Critical and High findings first
• Resource tags: Exclude development or test resources from production reports
• Known exceptions: Track acknowledged risks that accept certain trade-offs

Here is a filtering helper that skips resources tagged as non-production:

function filterProductionFindings(findings) {
 return findings.filter(f => {
 // Skip resources explicitly tagged as non-prod
 const tags = f.tags || {};
 const env = (tags.Environment || tags.environment || '').toLowerCase();
 return !['dev', 'development', 'test', 'staging', 'sandbox'].includes(env);
 });
}

Pairing this filter with a CloudSploit run that covers all environments lets you generate both a strict production report and a broader infrastructure inventory in a single pass.

1. Remediation Tracking

Scan results are only valuable if they lead to fixes. Create a workflow that:

• Files issues in your tracking system (Jira, GitHub Issues, Linear)
• Assigns findings to appropriate owners based on resource tags
• Tracks remediation progress over time
• Provides metrics on security posture trends

A useful pattern is to store each scan’s JSON output in an S3 bucket with a date-stamped key, then query it with Athena to generate trend reports. You can ask Claude Code to write the Athena query for a specific plugin over a date range, showing whether a class of findings has been growing or shrinking.

1. Least-Privilege Scan Roles

CloudSploit only needs read access to audit your environment. Create a dedicated IAM role with read-only permissions and nothing else. Avoid using your deployment role or an admin role for scanning, this reduces the blast radius if credentials are ever compromised.

Example IAM policy for AWS scanning:

{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Effect": "Allow",
 "Action": [
 "ec2:Describe*",
 "iam:List*",
 "iam:Get*",
 "s3:GetBucketAcl",
 "s3:GetBucketPolicy",
 "s3:GetBucketPublicAccessBlock",
 "s3:ListAllMyBuckets",
 "rds:Describe*",
 "lambda:List*",
 "lambda:GetPolicy",
 "cloudtrail:DescribeTrails",
 "config:DescribeConfigurationRecorders"
 ],
 "Resource": "*"
 }
 ]
}

CloudSploit’s documentation lists the exact permissions each plugin requires, making it easy to tighten this policy further.

Advanced: Custom CloudSploit Plugins

CloudSploit’s plugin architecture allows you to write custom checks for organization-specific policies:

// custom-policy-check.js
module.exports = {
 metadata: {
 pluginName: 'custom_requires_tags',
 pluginType: 'resourcetype',
 pluginDescription: 'Ensures all resources have required tags',
 actionName: 'custom_requires_tags'
 },
 run: (resources, callback) => {
 const requiredTags = ['Environment', 'Owner', 'CostCenter'];
 const errors = [];
 resources.forEach(resource => {
 const missingTags = requiredTags.filter(
 tag => !resource.Tags || !resource.Tags[tag]
 );
 if (missingTags.length > 0) {
 errors.push({
 resource: resource.ARN,
 status: 'FAIL',
 message: `Missing required tags: ${missingTags.join(', ')}`
 });
 }
 });
 callback(errors);
 }
};

Integrate custom plugins into your Claude Code workflow to enforce organization-specific policies alongside standard security checks.

A practical extension is a plugin that verifies your organization’s approved AMI list. If an EC2 instance is running an AMI not on the approved list, it flags the instance for review. Claude Code can maintain the approved list as a config file, compare it against the scan output, and open tickets for any violations.

Generating Executive Reports

Security teams often need to present findings to non-technical stakeholders. Claude Code can transform raw CloudSploit JSON into a clean HTML or PDF summary report:

// generate-report.js
const fs = require('fs');
function generateHtmlReport(grouped, scanDate) {
 const total = Object.values(grouped).flat().length;
 const critCount = grouped.CRITICAL.length;
 const highCount = grouped.HIGH.length;
 const rows = [...grouped.CRITICAL, ...grouped.HIGH].map(f => `
 <tr class="${f.status === 'FAIL' ? 'fail' : 'pass'}">
 <td>${f.plugin}</td>
 <td>${f.resource}</td>
 <td>${f.severity}</td>
 <td>${f.message}</td>
 </tr>
 `).join('');
 return `
 <html>
 <head><title>CloudSploit Report - ${scanDate}</title></head>
 <body>
 <h1>Cloud Security Scan Report</h1>
 <p>Scan Date: ${scanDate}</p>
 <p>Total Findings: ${total} | Critical: ${critCount} | High: ${highCount}</p>
 <table border="1">
 <thead><tr><th>Plugin</th><th>Resource</th><th>Severity</th><th>Message</th></tr></thead>
 <tbody>${rows}</tbody>
 </table>
 </body>
 </html>
 `;
}
const grouped = JSON.parse(fs.readFileSync('grouped-results.json'));
const html = generateHtmlReport(grouped, new Date().toISOString().split('T')[0]);
fs.writeFileSync('security-report.html', html);
console.log('Report written to security-report.html');

This report can be emailed automatically after each scheduled scan, attached to Jira tickets, or hosted in an internal wiki.

Conclusion

Claude Code transforms CloudSploit from a manual security tool into an automated, intelligent scanning workflow. By creating reusable skills, integrating with CI/CD pipelines, and implementing proper result handling, you can establish continuous cloud security scanning that catches misconfigurations early and tracks remediation effectively.

The key is starting simple, run basic scans, establish baseline findings, then layer on automation, filtering, and reporting as your workflow matures. Use the severity grouping to drive proportional responses: auto-block on critical, alert on high, log medium and low for weekly review. With Claude Code orchestrating the process, your team can focus on fixing issues rather than managing the scanning infrastructure.

As your organization scales, extend the workflow to cover multiple cloud accounts and providers in parallel, aggregate findings into a central data store, and generate trend metrics that show your security posture improving over time. CloudSploit combined with Claude Code provides the foundation for a mature, measurable cloud security program.

---

---

Try it: Paste your error into our Error Diagnostic for an instant fix.

I'm a solo developer in Vietnam. 50K Chrome extension users. $500K+ on Upwork. 5 Claude Max subscriptions running agent fleets in parallel. These are my actual CLAUDE.md templates, orchestration configs, and prompts. Not a course. Not theory. The files I copy into every project before I write a line of code. **[See what's inside →](https://zovo.one/lifetime?utm_source=ccg&utm_medium=cta-default&utm_campaign=claude-code-for-cloudsploit-scanning-workflow)** $99 once. Free forever. 47/500 founding spots left.

Related Reading

• Claude Code Container Security Scanning Workflow Guide
• Claude Code for Gitleaks Secret Scanning Workflow
• AI Assisted Architecture Design Workflow Guide

Built by theluckystrike. More at zovo.one

Find the right skill → Browse 155+ skills in our Skill Finder.

Configure permissions → Build your settings with our Permission Configurator.