feat: multi-cloud security scanning — 48 AWS checks, CloudAccountConfig CRD, CNAPP v1.0 (#65)

* feat: add multi-cloud security scanning with 48 AWS checks across 6 CNAPP categories

Implements Phase 1 Cloud Expansion, transforming Zelyo from K8s-only to a
full CNAPP with the Detect-Correlate-Fix pipeline extended to cloud
infrastructure.

New capabilities:
- CloudAccountConfig CRD for onboarding AWS accounts (IRSA, Pod Identity, Secret auth)
- 48 cloud security scanners: CSPM (8), CIEM (8), Network (8), DSPM (8),
  Supply Chain (8), CI/CD Pipeline (8)
- CloudScanner interface + thread-safe Registry (parallel to K8s Scanner)
- AWS SDK v2 client factory with multi-region scanning support
- SOC 2, PCI-DSS, HIPAA compliance framework mappings (30 cloud controls)
- Cloud IaC remediation prompts (Terraform/CloudFormation-aware)
- Cloud scan metrics (completed total, findings gauge, resources scanned, duration)
- RBAC roles (admin/editor/viewer) for CloudAccountConfig
- Helm chart updated with cloud CRD, ClusterRole, and credential annotations
- Documentation rewritten for CNAPP positioning with cloud scanning recipes
- Version bumped to 1.0.0

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs: consolidate quickstart and update LLM model examples to Claude Sonnet 4

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review — multi-region clients, GenerateName, wildcard principals, ECR tags

- ScanReport now uses GenerateName to avoid 63-char K8s name limit
- Multi-region scanning creates per-region AWS clients instead of
  reusing a single-region client for all regions
- Cross-account trust scanner now flags wildcard principals ("*")
  without conditions as dangerous
- ECR scanner checks the most recently pushed image instead of
  hardcoding the "latest" tag
- Extracted runSingleScanner helper to reduce cyclomatic complexity

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs: rewrite README for accuracy — fix diagrams, badges, examples, remove duplicates

- Removed duplicate badge row pointing to non-existent zelyo-ai/zelyo repo
- Updated pipeline diagram to include CloudAccountConfig cloud scanning
- Updated architecture diagram to show cloud scanner and AWS API inputs
- Fixed SecurityPolicy example (removed non-existent fields)
- Fixed RemediationPolicy branchPrefix to "zelyo-operator/fix-"
- Added CloudAccountConfig quick example
- Removed duplicate quickstart.md references in docs table
- Updated Go version to 1.26+ (matches Dockerfile)
- Updated test package count to 15 (verified)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: add Claude Code review workflow for @claude mentions on issues and PRs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: remove Claude Code workflows, add CLAUDE.md project guide

Remove GitHub Action workflows (claude.yml, claude-review.yml) since
they require a paid API key. Keep CLAUDE.md for local Claude Code usage.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: add zelyo-policies Helm chart with tiered security profiles

Introduces a helper chart that deploys production-ready default policies
covering all 56 scanners. Three security profiles (starter, standard,
strict) with per-environment namespace targeting, compliance presets
(CIS, SOC2, PCI-DSS, HIPAA, NIST, ISO 27001), and full configurability
for cloud accounts, notifications, GitOps, and remediation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs: rewrite quickstart as production-grade guide

Remove k3d/local-build references, assume existing cluster with kubectl.
Restructure as a linear 4-step install (cert-manager → operator → LLM key
→ zelyo-policies). Convert inline kubectl-apply blocks to clean YAML
snippets. Simplify teardown to Helm uninstalls only.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs: remove cert-manager version pin from install commands

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: mayurkr

.github/workflows/ci.yml

@@ -10,7 +10,7 @@ permissions:
   contents: read
 
 env:
-  GO_VERSION: "1.25"
+  GO_VERSION: "1.26"
   GOLANGCI_LINT_VERSION: "v2.8.0"
 
 jobs:

.golangci.yml

@@ -98,6 +98,13 @@ linters:
       - path: internal/controller/
         linters:
           - dupl
+      # Cloud scanner implementations — interface methods and AWS SDK value types
+      - path: internal/cloudscanner/
+        linters:
+          - revive
+          - dupl
+          - gocritic
+          - goconst
       # Kubebuilder-generated main.go
       - path: cmd/main\.go
         linters:

AGENTS.md

@@ -9,9 +9,10 @@ This document details the internal intelligence architecture.
 ```mermaid
 graph TB
     subgraph "Observe"
-        SC["SecurityPolicy Controller<br/>security scanning"]
+        SC["SecurityPolicy Controller<br/>K8s pod scanning"]
         MC["MonitoringPolicy Controller<br/>pod restarts, events"]
         CS["ClusterScan Controller<br/>scheduled compliance scans"]
+        CA["CloudAccountConfig Controller<br/>cloud API scanning"]
     end
 
     subgraph "Reason"
@@ -29,6 +30,7 @@ graph TB
     end
 
     SC -->|findings| CE
+    CA -->|cloud findings| CE
     MC -->|pod metrics| AD
     AD -->|anomalies| CE
     CS -->|findings| CF
@@ -103,10 +105,11 @@ Maps security findings to industry compliance controls, generating **audit-ready
 
 | Feature | Implementation |
 |---|---|
-| **CIS Kubernetes Benchmark** | 15 controls mapped to scanner rule types (pod-security, RBAC, secrets, etc.) |
+| **CIS Kubernetes Benchmark** | 15 K8s controls mapped to scanner rule types (pod-security, RBAC, secrets, etc.) |
+| **SOC 2 / PCI-DSS / HIPAA** | 30 cloud controls mapped to CSPM, CIEM, Network, DSPM, Supply Chain, and CI/CD rule types |
 | **Finding Evaluation** | `EvaluateFindings()` maps findings to controls via `RelatedRuleTypes`, attaches evidence |
-| **Multi-Framework** | Architecture supports CIS, NIST 800-53, SOC 2, PCI-DSS, HIPAA, ISO 27001 |
-| **ClusterScan Integration** | After every scan, evaluates CIS compliance and emits `ComplianceViolation` Kubernetes events |
+| **Multi-Framework** | CIS K8s, NIST 800-53, SOC 2, PCI-DSS, HIPAA, ISO 27001 |
+| **ClusterScan + Cloud Integration** | After every K8s or cloud scan, evaluates compliance and emits events |
 
 ### 6. Live Drift Detection (`internal/drift`)
 
@@ -147,14 +150,17 @@ The reasoning core. Built for resilient, cost-effective, 24/7 autonomous operati
 
 ## Controller Orchestration
 
-The AI Security Agent's autonomy lives in the **7 Kubernetes controllers** that wire the pipeline together:
+The AI Security Agent's autonomy lives in the **10 Kubernetes controllers** that wire the pipeline together:
 
 | Controller | Detect | Correlate | Fix |
 |---|---|---|---|
-| `SecurityPolicy` | Scans pods for violations | Feeds findings into correlator | — |
+| `SecurityPolicy` | Scans K8s pods for violations | Feeds findings into correlator | — |
+| `CloudAccountConfig` | Scans cloud accounts (48 checks) | Evaluates SOC2/PCI-DSS/HIPAA | Creates ScanReport CRs |
 | `MonitoringPolicy` | Watches pod restart counts | Feeds into anomaly detector → correlator | — |
 | `RemediationPolicy` | — | Queries correlator for open incidents | Generates LLM plan → opens GitOps PR |
-| `ClusterScan` | Runs scheduled security scans | Evaluates CIS compliance | Creates ScanReport CRs |
+| `ClusterScan` | Runs scheduled K8s security scans | Evaluates CIS compliance | Creates ScanReport CRs |
+| `ScanReport` | Stores scan results | — | — |
+| `NotificationChannel` | — | — | Routes alerts to Slack, Teams, PagerDuty |
 | `GitOpsRepository` | Discovers repo structure | — | Provides Git context for remediation |
 | `CostPolicy` | Analyzes resource utilization | Identifies optimization opportunities | — |
 | `ZelyoConfig` | — | — | Configures global settings |

CLAUDE.md

@@ -0,0 +1,47 @@
+# Zelyo Operator — Project Guide for Claude
+
+## What is this project?
+
+Zelyo Operator is an open-source **Cloud-Native Application Protection Platform (CNAPP)** that runs as a Kubernetes operator. It detects security issues across Kubernetes workloads and AWS cloud accounts, correlates findings with an LLM, and auto-generates GitOps pull requests with fixes.
+
+**Core identity:** Zelyo is a security product. Every code change must be evaluated through a security lens.
+
+## Architecture
+
+- **10 controllers** in `internal/controller/` orchestrate the Detect → Correlate → Fix pipeline
+- **8 K8s scanners** in `internal/scanner/` check pods for security violations
+- **48 cloud scanners** in `internal/cloudscanner/` (CSPM, CIEM, Network, DSPM, Supply Chain, CI/CD) scan AWS accounts
+- **LLM reasoner** in `internal/remediation/` generates structured JSON fix plans
+- **GitHub engine** in `internal/github/` opens PRs autonomously
+
+## Key design constraints
+
+1. **Read-only access** — Zelyo never mutates cluster state or cloud resources. All scanners use read-only APIs only.
+2. **Non-destructive remediation** — fixes are always PRs, never direct changes. Human review required.
+3. **63-char K8s name limit** — ScanReport names must use `GenerateName`, not `Name`.
+4. **AWS per-region clients** — AWS SDK v2 clients are region-bound at creation. Use `NewClientsForRegion()` factory for multi-region scanning.
+
+## Code conventions
+
+- **Go 1.26**, **golangci-lint v2** with 30+ linters (gocyclo threshold: 15)
+- Errors wrapped with `fmt.Errorf("context: %w", err)` — never bare `return err`
+- Large structs passed by pointer (enforced by gocritic)
+- All cloud scanner types implement `cloudscanner.CloudScanner` interface
+- All K8s scanner types implement `scanner.Scanner` interface
+- Rule type constants live in `api/v1alpha1/condition_types.go`
+- Findings are always `scanner.Finding` — no custom finding structs
+
+## Testing
+
+- `make test` runs 15 packages
+- Controllers use Ginkgo/Gomega with envtest
+- Unit tests use standard `testing` package
+- Cloud scanners should test pagination, empty results, and error paths
+
+## What NOT to do
+
+- Do not add AWS write permissions (no PutObject, DeleteBucket, etc.)
+- Do not bypass golangci-lint checks with `//nolint` without justification
+- Do not add external dependencies without strong justification
+- Do not use `Name:` for ScanReport creation — always `GenerateName:`
+- Do not log secrets, credentials, or API keys at any log level

PROJECT

@@ -94,4 +94,13 @@ resources:
   kind: GitOpsRepository
   path: github.com/zelyo-ai/zelyo-operator/api/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: zelyo.ai
+  group: zelyo-operator
+  kind: CloudAccountConfig
+  path: github.com/zelyo-ai/zelyo-operator/api/v1alpha1
+  version: v1alpha1
 version: "3"