Curated cloud security tools for teams building real guardrails across posture, identity, runtime, IaC, and compliance.
Most lists are link dumps. This repo is a schema-driven dataset for a public directory that prioritizes signal, category clarity, and practical implementation value.
| Metric | Value |
|---|---|
| Total tools | 60 |
| Categories | 8 |
| Cloud support values in schema | 4 |
| Compliance frameworks referenced | 6 |
| Open Source tools | 51 |
| Commercial tools | 7 |
| Freemium tools | 2 |
category: CSPM, CNAPP, IaC Security, Secrets Scanning, Container Security, Compliance as Code, SBOM & Supply Chain, Cloud IAM Auditing
clouds: AWS, Azure, GCP, Multi
type: Open Source, Commercial, Freemium
| Tool | Type | Clouds | Why It Stands Out |
|---|---|---|---|
| AWS Inventory | Open Source | AWS | Builds comprehensive cross-region AWS asset inventories for exposure and drift analysis. |
| CloudMapper | Open Source | AWS | Visualizes AWS account relationships and attack paths for security review. |
| CloudSploit Scans | Open Source | AWS | Large set of AWS security checks for identifying cloud misconfigurations at scale. |
| Prowler | Open Source | AWS, Azure, GCP | Large benchmark coverage with pragmatic cloud misconfiguration checks. |
| Scout Suite | Open Source | AWS, Azure, GCP | Multi-cloud security audit with visualized findings and drill-down. |
| Security Monkey | Open Source | AWS | Monitors cloud account changes and flags policy and configuration drift. |
| Tool | Type | Clouds | Why It Stands Out |
|---|---|---|---|
| Lacework | Commercial | Multi | Behavior-based CNAPP detection across cloud, containers, and identities. |
| Orca Security | Commercial | Multi | Agentless CNAPP platform focused on broad cloud asset and risk visibility. |
| Prisma Cloud | Commercial | Multi | Broad CNAPP suite spanning code, runtime, and cloud posture domains. |
| Sysdig Secure | Commercial | Multi | Combines cloud posture, runtime threat detection, and container vulnerability controls. |
| Tenable Cloud Security | Commercial | Multi | CNAPP offering with strong posture analytics and entitlement risk visibility. |
| Wiz | Commercial | Multi | Graph-based cloud attack path visibility across workloads and identities. |
| Tool | Type | Clouds | Why It Stands Out |
|---|---|---|---|
| cdk-nag | Open Source | AWS | Applies security and compliance rules to AWS CDK constructs during development. |
| cfn-nag | Open Source | AWS | Lints CloudFormation templates to detect risky security configurations before deploy. |
| CFripper | Open Source | AWS | Static analysis for CloudFormation templates that finds risky permissions and misconfigurations pre-deploy. |
| Checkov | Open Source | AWS, Azure, GCP | Policy-as-code scanning for Terraform, Kubernetes, and CloudFormation. |
| CloudFormation Guard | Open Source | AWS | Policy-as-code validation for CloudFormation templates to block insecure infrastructure before deployment. |
| KICS | Open Source | Multi | Static analysis engine for Terraform, Kubernetes, and other IaC formats. |
| Snyk IaC | Freemium | AWS, Azure, GCP | Developer-first IaC checks tightly integrated into pull request flow. |
| Terragoat | Open Source | AWS | Deliberately vulnerable Terraform stack for testing IaC misconfiguration detection. |
| Terrascan | Open Source | Multi | Policy-based IaC scanner with broad cloud provider and framework coverage. |
| tfsec | Open Source | AWS, Azure, GCP | Fast local Terraform static analysis with clear remediation output. |
| Yor | Open Source | AWS, Azure, GCP | Automatically tags IaC resources with traceability metadata to strengthen ownership and control mapping. |
| Tool | Type | Clouds | Why It Stands Out |
|---|---|---|---|
| detect-secrets | Open Source | Multi | Pre-commit focused secret scanner with baseline workflows for noisy repositories. |
| GitGuardian ggshield | Freemium | Multi | Developer-friendly secret detection in commits and CI pipelines with strong accuracy. |
| Gitleaks | Open Source | Multi | Simple, fast, and CI-friendly scanner for leaked credentials. |
| shhgit | Open Source | Multi | Real-time GitHub secret monitoring to quickly surface exposed credentials. |
| TruffleHog | Open Source | Multi | High-signal secret discovery with verified credential checks. |
| Tool | Type | Clouds | Why It Stands Out |
|---|---|---|---|
| Aqua Trivy | Open Source | Multi | Single CLI for image, filesystem, and IaC vulnerability checks. |
| Falco | Open Source | Multi | Runtime threat detection for containers and Kubernetes workloads. |
| kube-bench | Open Source | Multi | Runs CIS Kubernetes benchmark checks against cluster nodes and control planes. |
| kube-hunter | Open Source | Multi | Performs active reconnaissance to identify exposed Kubernetes security weaknesses. |
| Kubescape | Open Source | Multi | Kubernetes posture scanner with framework mappings and risk prioritization guidance. |
| Trivy Operator | Open Source | Multi | Brings continuous vulnerability and configuration scanning into Kubernetes clusters. |
| Tool | Type | Clouds | Why It Stands Out |
|---|---|---|---|
| Automated Security Helper (ASH) | Open Source | AWS | Runs multiple code and IaC security scanners in isolated containers with one aggregated security report. |
| aws-nuke | Open Source | AWS | Automates safe teardown of AWS resources to enforce clean account baselines. |
| Cloud Custodian | Open Source | AWS, Azure, GCP | Policy-driven cloud resource governance and automated remediation. |
| Cloud-Nuke | Open Source | AWS | Deletes cloud resources at scale to enforce clean account baselines and reduce stale attack surface. |
| CloudQuery | Open Source | Multi | Extracts cloud configuration data into SQL tables for policy checks and reporting. |
| Kubewarden | Open Source | Multi | Admission policy framework using WebAssembly for portable Kubernetes enforcement. |
| Kyverno | Open Source | Multi | Kubernetes-native policy engine for enforceable guardrails and admission controls. |
| Open Policy Agent | Open Source | Multi | General-purpose policy engine used from CI to admission control. |
| Steampipe | Open Source | Multi | Query cloud APIs with SQL for rapid compliance checks and dashboards. |
| Tool | Type | Clouds | Why It Stands Out |
|---|---|---|---|
| Grype | Open Source | Multi | Vulnerability scanner designed to pair directly with generated SBOMs. |
| Syft | Open Source | Multi | Developer-friendly SBOM generator with broad package ecosystem support. |
| Tool | Type | Clouds | Why It Stands Out |
|---|---|---|---|
| Cartography | Open Source | Multi | Graphs cloud assets and trust relationships to uncover risky access paths. |
| cloudfox | Open Source | AWS, Azure, GCP | Enumerates cloud attack paths and identity exposure from an attacker perspective for rapid triage. |
| CloudGoat | Open Source | AWS | Purpose-built AWS scenarios for validating detection and IAM attack-path readiness. |
| Cloudsplaining | Open Source | AWS | Identifies risky IAM permissions and privilege-escalation patterns in AWS policies. |
| CloudTracker | Open Source | AWS | Compares CloudTrail activity to granted IAM permissions to spot over-privileged identities. |
| iam-floyd | Open Source | AWS | Generates AWS IAM policies programmatically with a fluent interface to reduce policy authoring mistakes. |
| IAMSpy | Open Source | AWS | Analyzes IAM permissions and trust paths to surface unintended access and escalation opportunities. |
| Pacu | Open Source | AWS | AWS exploitation framework for testing IAM abuse paths and cloud misconfigurations. |
| Parliament | Open Source | AWS | Lints IAM policies to catch privilege, wildcard, and risky permission issues early. |
| Peirates | Open Source | AWS | Simulates common Kubernetes-to-cloud privilege escalation paths in AWS environments. |
| Permiso | Commercial | AWS, Azure, GCP | Identity-centric detection focused on cloud service account abuse. |
| PMapper | Open Source | AWS | Privilege escalation path analysis for AWS IAM role relationships. |
| Policy Sentry | Open Source | AWS | Builds and analyzes least-privilege IAM policies using an action and resource database model. |
| SkyArk | Open Source | AWS | Finds and assesses highly privileged AWS entities that increase account takeover risk. |
| Stratus Red Team | Open Source | AWS, Azure, GCP | Executes cloud attack emulation scenarios to validate detections and incident response workflows. |
- Follow `schema/tools.schema.json` exactly.
- Keep entries objective, concise, and non-promotional.
- Use `https://` vendor/project URLs only.
- One tool per change is preferred for easier review.
Generated automatically from data/tools.json + schema/tools.schema.json.