twistlock / Cloud Discovery

Licence: apache-2.0
Cloud Discovery provides a point in time enumeration of all the cloud native platform services

Programming Languages

go
31211 projects - #10 most used programming language

Projects that are alternatives of or similar to Cloud Discovery

Dockle
Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start
Stars: ✭ 1,713 (+1339.5%)
Mutual labels:  security-tools, containers
Manageiq
ManageIQ Open-Source Management Platform
Stars: ✭ 1,089 (+815.13%)
Mutual labels:  cloud, containers
Awesome Scalability Toolbox
My opinionated list of products and tools used for high-scalability projects
Stars: ✭ 34 (-71.43%)
Mutual labels:  cloud, containers
Trivy
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues
Stars: ✭ 9,673 (+8028.57%)
Mutual labels:  security-tools, containers
Lastbackend
System for containerized apps management. From build to scaling.
Stars: ✭ 1,536 (+1190.76%)
Mutual labels:  cloud, containers
Linuxkit
A toolkit for building secure, portable and lean operating systems for containers
Stars: ✭ 7,166 (+5921.85%)
Mutual labels:  cloud, containers
Nff Go
NFF-Go - Network Function Framework for GO (former YANFF)
Stars: ✭ 1,036 (+770.59%)
Mutual labels:  cloud, containers
My Arsenal Of Aws Security Tools
List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.
Stars: ✭ 6,464 (+5331.93%)
Mutual labels:  cloud, security-tools
Blockerized Dockchain
Because all problems are solvable with containers and blockchains
Stars: ✭ 77 (-35.29%)
Mutual labels:  cloud, containers
Viewfinderjs
📷 ViewFinder - NodeJS product to make the browser into a web app. WTF RBI. CBII. Remote browser isolation, embeddable browserview, secure chrome saas. Licenses, managed, self-hosted. Like S2, WebGap, Bromium, Authentic8, Menlo Security and Broadcom, but open source with free live demos available now! Also, integrated RBI/CDR with CDR from https://github.com/dosyago/p2%2e
Stars: ✭ 1,175 (+887.39%)
Mutual labels:  cloud, security-tools
Csp
The Cyber Security Platform MeliCERTes is part of the European Strategy for Cyber Security. MeliCERTes is a network for establishing confidence and trust among the national Computer Security Incident Response Teams (CSIRTs) of the Member States and for promoting swift and effective operational cooperation.
Stars: ✭ 23 (-80.67%)
Mutual labels:  security-tools, containers
Karn
Simplifying Seccomp enforcement in containerized or non-containerized apps
Stars: ✭ 104 (-12.61%)
Mutual labels:  security-tools, containers
Secretscanner
Find secrets and passwords in container images and file systems
Stars: ✭ 895 (+652.1%)
Mutual labels:  security-tools, containers
Roboconf Platform
The core modules and the platform
Stars: ✭ 30 (-74.79%)
Mutual labels:  cloud, containers
Che
The Kubernetes-Native IDE for Developer Teams
Stars: ✭ 6,572 (+5422.69%)
Mutual labels:  cloud, containers
Addon Lxdone
Allows OpenNebula to manage Linux Containers via LXD
Stars: ✭ 36 (-69.75%)
Mutual labels:  cloud, containers
Athenz
Open source platform for X.509 certificate based service authentication and fine grained access control in dynamic infrastructures. Athenz supports provisioning and configuration (centralized authorization) use cases as well as serving/runtime (decentralized authorization) use cases.
Stars: ✭ 570 (+378.99%)
Mutual labels:  cloud, containers
Cromwell
Scientific workflow engine designed for simplicity & scalability. Trivially transition between one off use cases to massive scale production environments
Stars: ✭ 655 (+450.42%)
Mutual labels:  cloud, containers
Pulumi
Pulumi - Developer-First Infrastructure as Code. Your Cloud, Your Language, Your Way 🚀
Stars: ✭ 10,887 (+9048.74%)
Mutual labels:  cloud, containers
Mist Ce
Mist is an open source, multi-cloud management platform
Stars: ✭ 1,391 (+1068.91%)
Mutual labels:  cloud, containers

Twistlock Cloud Discovery

Cloud Discovery provides a point-in-time enumeration of all the cloud native platform services, such as container registries, managed Kubernetes platforms, and serverless services used across your cloud providers, accounts, and regions. It's a powerful tool for audit and security practitioners who want a simple way to discover all the 'unknown unknowns' across environments without having to manually log in to multiple provider consoles, click through many pages, and manually export the data.

Cloud Discovery connects to cloud providers' native platform APIs to discover services and their metadata and requires only read permissions. Cloud Discovery also has a network discovery option that uses port scanning to sweep IP ranges and discover cloud native infrastructure and apps, such as Docker Registries and Kubernetes API servers, with weak settings or authentication. This is useful to discover 'self-installed' cloud native components not provided as a service by a cloud provider, such as a Docker Registry running on an EC2 instance. Cloud Discovery is provided as a simple Docker container image that can be run anywhere and works well for both interactive use and automation.

Cloud Discovery is another open source contribution provided by Twistlock.

Environment variables

  1. BASIC_AUTH_USERNAME - This variable determines the username to use for basic authentication.
  2. BASIC_AUTH_PASSWORD - This variable determines the password to use for basic authentication.
  3. TLS_CERT_PATH - This variable determines the path to the TLS certificate inside the container. By default the service generates self-signed certificates for localhost usage.
  4. TLS_CERT_KEY - This variable determines the path to the TLS certificate key inside the container.

Example usage

Start the container

docker run -d --name cloud-discovery --restart=always \
 -e BASIC_AUTH_USERNAME=admin -e BASIC_AUTH_PASSWORD=pass -e PORT=9083 -p 9083:9083  twistlock/cloud-discovery

Scan and list all AWS assets

curl -k -v -u admin:pass --raw --data \
'{"credentials": [{"id":"<AWS_ACCESS_KEY>","secret":"<AWS_ACCESS_PASSWORD>"}]}' \
 https://localhost:9083/discover

Output

Type    Region        ID
EKS     us-east-1     k8s-cluster-1
ECS     us-east-1     cluster-1
ECS     us-east-1     cluster-2
ECS     us-east-1     cluster-3
ECR     us-east-2     cluster-1

Scan all AWS assets and show full metadata for each of them

curl -k -v -u admin:pass --raw --data \
'{"credentials": [{"id":"<AWS_ACCESS_KEY>","secret":"<AWS_ACCESS_PASSWORD>"}]}' 'https://localhost:9083/discover?format=json'

Scan and list all GCP assets

SERVICE_ACCOUNT=$(cat <service_account_secret> | base64 | tr -d '\n')
curl -k -v -u admin:pass --raw --data '{"credentials": [{"secret":"'${SERVICE_ACCOUNT}'", "provider":"gcp"}]}' https://localhost:9083/discover

Output

Type        Region            ID
GKE         us-central1-a     cluster-1
GKE         us-central1-a     cluster-2
GCR         gcr.io            registry-1
GCR         gcr.io            registry-2
Functions   us-central1       function-1

Scan all GCP assets and show full metadata for each of them

SERVICE_ACCOUNT=$(cat <service_account_secret> | base64 | tr -d '\n')
curl -k -v -u admin:pass --raw --data '{"credentials": [{"secret":"'${SERVICE_ACCOUNT}'", "provider":"gcp"}]}' 'https://localhost:9083/discover?format=json'

Port scan a subnet to discover cloud native infrastructure and apps

Scan all open ports and automatically detect insecure apps (cloud native apps configured without proper authorization). Remark: if the container runs inside an AWS cluster, the subnet can be extracted automatically from the AWS metadata API server.

curl -k -v -u admin:pass --raw --data '{"subnet":"172.17.0.1", "debug": true}' https://localhost:9083/nmap

Output

Host           Port      App                 Insecure
172.17.0.1     5000      docker registry     true
172.17.0.1     5003      docker registry     false
172.17.0.1     27017     mongod              true