
gebalamariusz/cloud-audit

v0.6.0 Security

This release includes 1 security fix; it is relevant to security teams reviewing exposed deployments.

This release patches 1 known CVE

Topics

audit aws aws-audit aws-security cis-benchmarks cli cloud-security compliance devops security iam iac infrastructure-security open-source-security python python-cli security-scanner terraform vulnerability-scanning

Affected surfaces

rce_ssrf deps

Summary

AI summary

Bump Jinja2 minimum to >=3.1.6 (fixes CVE-2025-27516 sandbox breakout)

Full changelog

Security

  • Bump Jinja2 minimum to >=3.1.6 (fixes CVE-2025-27516 sandbox breakout)
  • Sanitize shell metacharacters in --export-fixes bash script output
  • Use shlex.quote() for user-controlled values in remediation CLI commands
  • Set restrictive file permissions (700) on generated remediation scripts
  • SHA-pin all GitHub Actions in CI and release workflows
  • Dockerfile: non-root user, pinned base image digest, --no-input flag
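The second, third and fourth items above describe one pattern: values that come back from the AWS API (bucket names, security group IDs, tags) end up inside a generated bash script, so they must be shell-quoted, and the script itself should not be readable by other local users. The following is an added example, not cloud-audit's own code; the check ids, command templates and findings are constructed for illustration, and `write_script` assumes a POSIX host (`os.fchmod`).

```python
"""Added example (not cloud-audit's own code): render a remediation bash
script from scanner findings so that resource names taken from the AWS API
cannot inject shell syntax, and create the file with owner-only permissions."""
import os
import shlex
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """Stand-in for a scanner finding (constructed for this example)."""
    check_id: str
    resource: str   # returned by the AWS API: treat as untrusted input
    region: str


# Only the templates are trusted; every placeholder is filled with a quoted value.
# Check ids and commands are illustrative, not cloud-audit's.
REMEDIATIONS = {
    "s3-public-access-block": (
        "aws s3api put-public-access-block --bucket {resource} --region {region} "
        "--public-access-block-configuration "
        "BlockPublicAcls=true,IgnorePublicAcls=true,"
        "BlockPublicPolicy=true,RestrictPublicBuckets=true"
    ),
    "sg-open-ssh": (
        "aws ec2 revoke-security-group-ingress --group-id {resource} "
        "--region {region} --protocol tcp --port 22 --cidr 0.0.0.0/0"
    ),
}


def render_command(finding: Finding) -> str:
    """Fill the template with shlex.quote()d values.

    shlex.quote() returns the word unchanged when it contains only characters
    safe for a POSIX shell ([A-Za-z0-9@%+=:,./-]); anything else is wrapped in
    single quotes with embedded quotes escaped, so ';', '$(...)', backticks or
    newlines in a resource name are passed to the command as literal text.
    """
    template = REMEDIATIONS[finding.check_id]
    return template.format(
        resource=shlex.quote(finding.resource),
        region=shlex.quote(finding.region),
    )


def render_script(findings) -> str:
    """Build the whole exported fixes script as a string."""
    lines = ["#!/usr/bin/env bash", "set -euo pipefail", ""]
    for f in findings:
        # The comment is quoted too: a resource name containing a newline would
        # otherwise end the comment and start a new command line.
        lines.append(f"# {f.check_id}: {shlex.quote(f.resource)}")
        lines.append(render_command(f))
        lines.append("")
    return "\n".join(lines)


def write_script(path: str, content: str) -> int:
    """Create the script with mode 0700 and return the resulting mode bits.

    O_EXCL refuses to reuse a pre-existing file or symlink at `path`, and the
    mode is set at creation (then re-applied with fchmod, because the umask
    can mask bits from the creation mode), so there is no window in which the
    file exists with permissive bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o700)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, 0o700)
        fh.write(content)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_script_to_tempdir(content: str) -> tuple[str, int]:
    """Write into a fresh private temp directory; returns (path, mode bits)."""
    path = os.path.join(tempfile.mkdtemp(prefix="cloud-audit-fixes-"), "fixes.sh")
    return path, write_script(path, content)


if __name__ == "__main__":
    sample = [
        Finding("s3-public-access-block", "my-bucket", "eu-central-1"),
        # Constructed hostile value to show the quoting at work.
        Finding("sg-open-ssh", "sg-0123; echo injected", "us-east-1"),
    ]
    script = render_script(sample)
    path, mode = write_script_to_tempdir(script)
    print(script)
    print(f"wrote {path} with mode {oct(mode)}")
```

Quoting at the point where the value enters the command line, rather than stripping "dangerous" characters from the input, is the approach that survives values you did not anticipate: the output is still a faithful reference to the resource, only never interpreted as shell syntax.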

Checks

  • make_check() pattern for consistent check registration with metadata
  • ECS list_clusters / describe_services — pagination + batching (10/call limit)
  • GuardDuty list_detectors — pagination
  • NACL check extended to detect open TCP/UDP (not just protocol -1)
  • Security group findings deduplicated per rule (one finding lists all exposed ports)
  • CloudWatch root alarm: tries CloudTrail-named log groups first
  • CloudTrail: includeShadowTrails=True with ARN dedup
  • S3: error code check, bucket cache refactor, lifecycle remediation DRY
  • Pre-filter excluded checks before API calls (no wasted requests)
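The ECS item above combines two things a scanner gets wrong easily: `list_clusters` and `list_services` are paginated, so a single call silently truncates large accounts, and `describe_services` rejects more than 10 service ARNs per request, so the collected ARNs must be batched. The following is an added example, not cloud-audit's own code. The operation names, response keys (`clusterArns`, `serviceArns`, `services`, `failures`) and the 10-ARN limit are those of boto3/ECS; `FakeEcsClient` is a constructed stand-in so the logic runs offline, and `collect_all_services` accepts a real `boto3.client("ecs")` in its place.

```python
"""Added example (not cloud-audit's own code): enumerate every ECS service in
an account with paginated listing and batched describe_services calls."""
from itertools import islice

DESCRIBE_SERVICES_BATCH = 10  # ECS DescribeServices accepts at most 10 ARNs per request


def chunked(items, size):
    """Yield successive lists of at most `size` items."""
    it = iter(items)
    while batch := list(islice(it, size)):
        yield batch


def collect_pages(client, operation, key, **kwargs):
    """Drain a paginated operation, concatenating the `key` list from each page."""
    found = []
    for page in client.get_paginator(operation).paginate(**kwargs):
        found.extend(page.get(key, []))
    return found


def collect_all_services(client):
    """Return (services, failures) across all clusters without exceeding the batch limit."""
    services, failures = [], []
    for cluster in collect_pages(client, "list_clusters", "clusterArns"):
        arns = collect_pages(client, "list_services", "serviceArns", cluster=cluster)
        for batch in chunked(arns, DESCRIBE_SERVICES_BATCH):
            resp = client.describe_services(cluster=cluster, services=batch)
            services.extend(resp.get("services", []))
            # ARNs that vanished between list and describe are reported here, not raised.
            failures.extend(resp.get("failures", []))
    return services, failures


def describe_batch_sizes(client):
    """Run the enumeration and report how many ARNs each describe_services call carried."""
    collect_all_services(client)
    return client.describe_calls


class _FakePaginator:
    def __init__(self, pages_for):
        self._pages_for = pages_for

    def paginate(self, **kwargs):
        return iter(self._pages_for(kwargs))


class FakeEcsClient:
    """Constructed stand-in for boto3's ECS client: 2 items per page, enforces the 10-ARN limit."""

    def __init__(self, clusters):
        self.clusters = clusters    # {cluster_arn: [service_arn, ...]}
        self.describe_calls = []    # ARN count of every describe_services call

    def get_paginator(self, operation):
        if operation == "list_clusters":
            return _FakePaginator(
                lambda kw: [{"clusterArns": c} for c in chunked(list(self.clusters), 2)])
        if operation == "list_services":
            return _FakePaginator(
                lambda kw: [{"serviceArns": s} for s in chunked(self.clusters[kw["cluster"]], 2)])
        raise ValueError(operation)

    def describe_services(self, cluster, services):
        if len(services) > DESCRIBE_SERVICES_BATCH:
            # What the real API does: reject the whole request.
            raise ValueError("InvalidParameterException: too many service ARNs")
        self.describe_calls.append(len(services))
        return {"services": [{"serviceArn": s, "clusterArn": cluster} for s in services],
                "failures": []}


def demo_client():
    """Constructed account: one cluster with 23 services and one with 3."""
    return FakeEcsClient({
        "arn:aws:ecs:eu-central-1:123456789012:cluster/big":
            [f"arn:aws:ecs:eu-central-1:123456789012:service/big/svc-{i}" for i in range(23)],
        "arn:aws:ecs:eu-central-1:123456789012:cluster/small":
            [f"arn:aws:ecs:eu-central-1:123456789012:service/small/svc-{i}" for i in range(3)],
    })


if __name__ == "__main__":
    client = demo_client()
    services, failures = collect_all_services(client)
    print(len(services), "services;", len(failures), "failures;",
          "describe_services batch sizes:", client.describe_calls)
```

With the constructed account the enumeration makes four `describe_services` calls carrying 10, 10, 3 and 3 ARNs; a scanner that skipped pagination would see only the first page of each listing and report a much smaller attack surface than the account actually has.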

Reports

  • SARIF: uriBaseId fix, fullDescription, originalUriBaseIds
  • HTML: light mode, print CSS, ARIA labels, copyCode fix
  • Markdown: pipe escaping in table cells
  • ASCII severity icons (fixes UnicodeEncodeError on Windows cp1250)

Docs

  • Backfilled CHANGELOG for v0.3.0 through v0.5.2
  • Updated SECURITY.md supported versions to 0.5.x
  • .cloud-audit.example.yml config template

Stats

  • 173 tests passing (ruff clean, mypy strict clean)
  • 45 checks across 15 AWS service modules
  • 35 files changed, +919 -566 lines

pip install cloud-audit==0.6.0

Breaking Changes

  • Minimum Jinja2 version requirement increased to >=3.1.6

Security Fixes

  • CVE-2025-27516 — Bump Jinja2 minimum to >=3.1.6 (fixes sandbox breakout)


About gebalamariusz/cloud-audit

Open-source AWS security scanner with attack chain detection, breach cost estimation, and copy-paste remediation (CLI + Terraform). 47 checks, 16 attack chain rules. First free standalone AWS security MCP server.


Related context

Earlier breaking changes

  • v2.2.0 Category enum gains THREAT value, separating active-abuse from SECURITY misconfigurations.
