Your cloud infra is leaking. CloudGuard seals every crack.

Static analysis for your Infrastructure-as-Code. Finds insecure Terraform, open S3 buckets, permissive IAM policies, missing encryption, and exposed ports before they reach production.

Get Started Free Get Pro
$ clawhub install cloudguard click to copy
cloudguard scan --dir ./infra
$ cloudguard scan --dir ./infra
 
☁️ CloudGuard v2.4.1 — Scanning infrastructure...
 
Scanning 23 files across 5 modules...
 
  ■ CRITICAL  S3-001  S3 bucket with public-read ACL
    at infra/storage.tf:15
 
  ■ CRITICAL  IM-003  IAM policy with Action: * on Resource: *
    at iam/admin-role.tf:22
 
  ■ HIGH     NW-002  Security group allows 0.0.0.0/0 on port 22
    at network/sg.tf:34
 
  ■ HIGH     EN-001  EBS volume without encryption
    at compute/instances.tf:48
 
  ■ MEDIUM   LG-004  CloudTrail not enabled for data events
    at monitoring/trail.tf:12
 
Found 2 critical, 2 high, 1 medium issues across 23 files
 
  Score: 38/100 (Grade: F)
82%
of cloud breaches from misconfigurations
$4.45M
avg. cost of a cloud data breach
90+
security rules across 6 categories
<5s
avg. scan time for a full IaC repo

What it catches

90+ rules across 6 critical security domains. Every misconfiguration, before it ships.

📦

Storage Security

15 rules

Public S3 buckets, missing server-side encryption, disabled versioning, overly permissive bucket policies, and unprotected static website hosting.

🔐

IAM & Permissions

15 rules

Wildcard IAM policies, missing MFA enforcement, root account usage, overly broad trust relationships, and unused access keys.

🌐

Network Security

15 rules

Open security groups allowing 0.0.0.0/0, exposed SSH/RDP ports, missing VPC configurations, and unrestricted egress rules.

🔒

Encryption

15 rules

Missing at-rest encryption on EBS, RDS, and S3. No KMS key rotation, unencrypted data in transit, and weak TLS configurations.

📊

Logging & Monitoring

15 rules

Missing CloudTrail logging, disabled VPC flow logs, no GuardDuty integration, and absent CloudWatch alarms for critical metrics.

⚙️

Configuration

15 rules

Missing resource tags, no backup plans, hardcoded region strings, disabled deletion protection, and non-compliant naming conventions.

Three steps to secure infrastructure

1

Install

One command via ClawHub. CloudGuard plugs into your CI pipeline or runs locally against your IaC directory.

clawhub install cloudguard
2

Scan

Point CloudGuard at your Terraform, CloudFormation, or Kubernetes manifests. It analyzes every resource for misconfigurations.

cloudguard scan --dir ./infra
3

Fix

Get actionable remediation for every finding. Severity ratings, file locations, and fix suggestions in your terminal or CI output.

cloudguard fix --auto

How CloudGuard compares

Feature Free Pro Team
Price $0 $19/mo $39/mo
Terraform scanning
CloudFormation scanning
Kubernetes manifest scanning
Built-in rules 30 90+ 90+
Custom rules
Auto-fix suggestions
CI/CD integration Basic
SARIF / JSON reports
Drift detection
Policy-as-code enforcement
Compliance reporting (SOC2, CIS)
Team dashboard
Priority support

Simple, transparent pricing

Start scanning for free. Upgrade for full coverage and auto-fix.

Free
$0
  • Terraform scanning
  • 30 built-in rules
  • CLI output
  • Markdown reports
  • Basic CI integration
Install Free
Pro
$19/mo
  • Everything in Free
  • 90+ security rules
  • CloudFormation scanning
  • Kubernetes manifest scanning
  • Custom rules engine
  • Auto-fix suggestions
  • SARIF / JSON reports
  • Priority support
Get Pro
Team
$39/mo
  • Everything in Pro
  • Drift detection
  • Policy-as-code enforcement
  • SOC2 & CIS compliance reports
  • Team dashboard
  • Org-wide policy management
  • Slack / Teams notifications
  • Dedicated support
Get Team

Your next terraform apply could expose everything

Install CloudGuard in 30 seconds. Scan your infra before it ships. Free, fast, and thorough.

$ clawhub install cloudguard click to copy