
gebalamariusz/cloud-audit

v2.2.1 Breaking

This release includes 2 breaking changes for platform teams planning a safe upgrade.

✓ No known CVEs patched

Topics

audit aws aws-audit aws-security cis-benchmarks cli cloud-security compliance devops security iam iac infrastructure-security open-source-security python python-cli security-scanner terraform vulnerability-scanning

Affected surfaces

auth

ReleasePort's take

Light signal
editorial:auto 13d

v2.2.1 tightens SES phishing severity escalation to require both out-of-sandbox behavior and ≥2 recent identity verifications, removing the previous single-domain mismatch heuristic.

Why it matters: Phishing detection now requires dual conditions for escalation, reducing false positives. Test in dev before upgrading if you rely on domain-mismatch-only heuristics; detection thresholds may need recalibration.

Summary

AI summary

Severity escalation logic for SES phishing setup requires both out‑of‑sandbox behavior and a burst of ≥2 recent identity verifications, removing the previous single‑domain mismatch rule.

Changes in this release

Feature Medium

High severity requires both out-of-sandbox and burst of >=2 recent identity verifications in same account scan.

Source: llm_adapter@2026-05-21

Confidence: high

Refactor Low

Excluded `cloudgrappler` and `detention-dodger` from leaked-creds scanner UA signature list.

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Refactor Low

Updated module docstring with caveat about stock AWS SDK traffic appearing legitimate.

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Refactor Low

Replaced fabricated TruffleHog blog URL with verified BleepingComputer/Kaspersky and official GitHub references.

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Other Low

Bugfix: removed the "email identity without matching domain" escalation heuristic.

Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

Changed

  • TF-001 (SES phishing setup) - severity escalation logic rewritten.
    HIGH now requires BOTH out-of-sandbox AND a burst of >=2 recent
    identity verifications in the same account scan. The previous
    "email identity without matching domain" escalation has been removed:
    it modeled the wrong attacker behaviour. Wiz's September 2025 research
    documented attackers "adding multiple domains as verified identities
    using the CreateEmailIdentity API" in quick succession - a burst
    pattern, not a single typosquat email. The new logic matches what
    the source incident actually documented.

  • TF-004 (leaked-creds scanner UA) - removed cloudgrappler and
    detention-dodger from the user-agent signature list. Both are
    Permiso DEFENSIVE tools - their UA appearing in CloudTrail means a
    defender is running them against the account, not that the account
    is under attack. The detector now only matches OFFENSIVE scanner
    signatures (trufflehog, gitleaks, noseyparker, secretscanner).
    Module docstring updated with an explicit detection caveat: scanners
    using stock AWS SDK / boto3 / aws-cli default user-agents look
    identical to legitimate traffic and will not trigger this pattern.

  • TF-004 references - replaced a fabricated TruffleHog blog URL in
    the references list with the verified BleepingComputer / Kaspersky
    May 2026 SES abuse coverage and the official TruffleHog GitHub repo.
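The two rule changes above (TF-001 escalation and TF-004 user-agent matching) are easier to reason about in code. The block below is an added illustration, not cloud-audit's own implementation: every name in it (`SesIdentity`, `SesAccountScan`, `ses_phishing_severity`, `ua_matches_offensive_scanner`, `flag_scanner_events`, `make_scan`) is hypothetical, the base severity of MEDIUM is assumed from the `test_burst_in_sandbox_stays_medium` test name, and the sample scans and CloudTrail records are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added illustration of the v2.2.1 rules, not cloud-audit's own code.
# All names here are hypothetical; sample data is constructed.

RECENT_WINDOW = timedelta(days=14)   # "recent" window named in the regression tests
BURST_THRESHOLD = 2                  # >=2 recent verifications counts as a burst


@dataclass
class SesIdentity:
    """One SES identity (email address or domain) and when it was verified."""
    name: str
    verified_at: datetime


@dataclass
class SesAccountScan:
    """What one account scan observed about SES."""
    out_of_sandbox: bool
    identities: list[SesIdentity]
    scanned_at: datetime


def recent_identity_count(scan: SesAccountScan) -> int:
    """Count identities verified inside the 14-day window ending at scan time."""
    cutoff = scan.scanned_at - RECENT_WINDOW
    return sum(1 for ident in scan.identities if ident.verified_at >= cutoff)


def ses_phishing_severity(scan: SesAccountScan) -> str:
    """TF-001 after v2.2.1: HIGH only if the account is out of the SES sandbox
    AND shows a burst of >=2 recent identity verifications. Anything else,
    including the removed 'email identity without matching domain' case,
    stays at the assumed base severity MEDIUM."""
    burst = recent_identity_count(scan) >= BURST_THRESHOLD
    return "HIGH" if scan.out_of_sandbox and burst else "MEDIUM"


# TF-004: only offensive secret-scanner user-agents remain as signatures.
# cloudgrappler and detention-dodger (defensive tools) are deliberately absent.
OFFENSIVE_SCANNER_UA = ("trufflehog", "gitleaks", "noseyparker", "secretscanner")


def ua_matches_offensive_scanner(user_agent: str) -> bool:
    """Case-insensitive substring match against the offensive-scanner list.
    A stock SDK user-agent (boto3 / aws-cli defaults) never matches, which is
    exactly the detection caveat the changelog documents."""
    ua = user_agent.lower()
    return any(sig in ua for sig in OFFENSIVE_SCANNER_UA)


def flag_scanner_events(events: list[dict]) -> list[str]:
    """Return the eventID of each CloudTrail-style record whose userAgent matches."""
    return [e["eventID"] for e in events
            if ua_matches_offensive_scanner(e.get("userAgent", ""))]


# Constructed sample data (not real CloudTrail or SES output).
NOW = datetime(2026, 5, 20, tzinfo=timezone.utc)


def make_scan(out_of_sandbox: bool, verified_days_ago: list[int]) -> SesAccountScan:
    """Build a scan from how many days before NOW each identity was verified."""
    return SesAccountScan(
        out_of_sandbox=out_of_sandbox,
        identities=[SesIdentity(f"identity-{i}.example", NOW - timedelta(days=d))
                    for i, d in enumerate(verified_days_ago)],
        scanned_at=NOW,
    )


SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventName": "GetCallerIdentity", "userAgent": "TruffleHog/3.88"},
    {"eventID": "evt-2", "eventName": "ListBuckets", "userAgent": "cloudgrappler/1.0"},
    {"eventID": "evt-3", "eventName": "ListBuckets",
     "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux"},
]

if __name__ == "__main__":
    print("burst, out of sandbox:", ses_phishing_severity(make_scan(True, [1, 2])))   # HIGH
    print("burst, in sandbox:   ", ses_phishing_severity(make_scan(False, [1, 2])))  # MEDIUM
    print("one stale identity:  ", ses_phishing_severity(make_scan(True, [1, 30])))  # MEDIUM
    print("flagged events:      ", flag_scanner_events(SAMPLE_EVENTS))               # ['evt-1']
```

The four scan cases in `__main__` mirror the regression tests listed below: the dual-condition HIGH, the in-sandbox MEDIUM, the stale identity falling outside the 14-day window, and the absence of any single-identity escalation. The event list shows why the UA signature is a weak signal on its own: only the record carrying an offensive scanner string is flagged, while the defensive tool and the stock boto3 user-agent pass through unflagged.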

Tests

  • 742 -> 747 (+5 net). New regression tests:
    • test_email_no_matching_domain_does_not_escalate (TF-001) proves
      the removed typosquat heuristic does not return.
    • test_burst_out_of_sandbox_escalates_to_high and
      test_burst_in_sandbox_stays_medium cover the new escalation rule.
    • test_burst_only_counts_recent_identities verifies the burst
      counter respects the 14-day window.
    • test_cloudgrappler_ua_not_flagged and
      test_detention_dodger_ua_not_flagged (TF-004) prove defensive
      tools are now excluded.

Breaking Changes

  • Removed "email identity without matching domain" escalation condition in TF-001; new rule requires BOTH out‑of‑sandbox AND a burst of >=2 recent verified identities within the same account scan.
  • TF-004: Removed `cloudgrappler` and `detention-dodger` from leaked‑creds scanner UA signature list, limiting detection to offensive scanners (`trufflehog`, `gitleaks`, `noseyparker`, `secretscanner`).


About gebalamariusz/cloud-audit

Open-source AWS security scanner with attack chain detection, breach cost estimation, and copy-paste remediation (CLI + Terraform). 47 checks, 16 attack chain rules. First free standalone AWS security MCP server.


Related context

Earlier breaking changes

  • v2.2.0 Category enum gains THREAT value, separating active-abuse from SECURITY misconfigurations.
