Metadata-Version: 2.4
Name: cloudops-guard
Version: 0.1.0
Summary: Cloud-native guardrails for Terraform, Kubernetes, and serverless deployments.
Author: CloudOps Guard
License-Expression: MIT
Project-URL: Homepage, https://github.com/bharathjanumpally/cloudops-guard
Project-URL: Issues, https://github.com/bharathjanumpally/cloudops-guard/issues
Keywords: cloud,security,terraform,kubernetes,serverless,iac,devops
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: PyYAML>=6.0
Provides-Extra: dev
Requires-Dist: pytest>=8.0; extra == "dev"
Requires-Dist: build>=1.2; extra == "dev"
Requires-Dist: twine>=5.0; extra == "dev"
Dynamic: license-file

# CloudOps Guard

Cloud-native guardrails for Terraform, Kubernetes, and serverless deployments.

CloudOps Guard scans infrastructure-as-code before deployment and reports risky architecture patterns such as public storage, missing encryption, permissive IAM, missing health checks, public Kubernetes services, weak Lambda settings, missing retry/dead-letter queues, and missing ownership or cost tags.

## Install

```bash
pip install cloudops-guard
```

## CLI

```bash
cloudops-guard scan .
cloudops-guard scan infra/ --format json --output risk-report.json
cloudops-guard scan . --fail-on high
cloudops-guard list-checks
```

Exit codes:

- `0`: no findings at or above `--fail-on`
- `1`: findings matched the failure threshold
- `2`: CLI usage or scanning error

## Python API

```python
from cloudops_guard import scan_path

report = scan_path("infra")
for finding in report.findings:
    print(finding.severity, finding.check_id, finding.message)
```

## Covered Risks

- Terraform AWS S3 buckets: public ACLs/policies, missing encryption, missing public-access block, missing ownership/cost tags
- Terraform IAM policies and role policies: wildcard actions/resources and administrative permissions
- Terraform Lambda functions: timeout and memory risk, missing DLQ, missing tags
- Terraform autoscaling resources: missing min/max or unhealthy capacity settings
- Kubernetes Services: public `LoadBalancer`/`NodePort`
- Kubernetes workloads: missing readiness/liveness probes, missing resource limits, missing labels
- Kubernetes HPAs: missing or ineffective min/max replica bounds
- Serverless Framework functions: timeout/memory risk, missing DLQ, missing tags

The Terraform parser is intentionally dependency-light and supports common `.tf` block structures. JSON Terraform plans/config files and YAML Kubernetes/serverless files are parsed with structured parsers.

## Report Formats

- `table`: human-readable terminal output
- `json`: machine-readable report
- `markdown`: CI artifact or review comment
- `sarif`: GitHub code scanning compatible output

## License

MIT
