Skip to content

Commit eeefca7

Browse files
committed
feat: add clens AWS audit reusable workflow
1 parent 1ada629 commit eeefca7

3 files changed

Lines changed: 96 additions & 1 deletion

File tree

README.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -132,7 +132,7 @@ Above example is just a simple example to call workflow from github shared workf
132132
| **Docker** | 4 | Build Push, Scanner, Scout, Smurf Helm |
133133
| **PR Automation** | 7 | Auto Assignee, Auto Merge, Checks, Claude Review, Gemini Review, Gitleaks, Lock, Stale |
134134
| **Security** | 5 | Checkov, Prowler, Powerpipe, TFSec |
135-
| **AWS** | 3 | Prowler, SSM Send Command, Remote SSH Command |
135+
| **AWS** | 4 | Clens Audit, Prowler, SSM Send Command, Remote SSH Command |
136136
| **CloudFormation** | 3 | Deploy, Deploy StackSet, Lint |
137137
| **Release** | 3 | Tag, Changelog, Changelog Internal |
138138
| **GCP** | 1 | Prowler |
@@ -145,6 +145,7 @@ Above example is just a simple example to call workflow from github shared workf
145145
## 🚀 Table of Contents
146146
147147
### AWS Workflows
148+
- [Clens AWS Audit Workflow](./docs/clens.md)
148149
- [AWS Prowler Workflow](./docs/aws-prowler.md)
149150
- [AWS Remote SSH Command Workflow](./docs/aws-remote-ssh-command.md)
150151
- [AWS SSM Send Command Workflow](./docs/aws-ssm-send-command.md)

WORKFLOW_CATALOG.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,7 @@ Complete index of all available workflows organized by category and use case.
1010
| Deploy Infrastructure | [tf-workflow.yml](./.github/workflows/tf-workflow.yml) |
1111
| Build Docker Image | [docker-build-push.yml](./.github/workflows/docker-build-push.yml) |
1212
| Deploy Helm Chart | [helm-deploy.yml](./.github/workflows/helm-deploy.yml) |
13+
| AWS Cloud Audit | [clens.yml](./.github/workflows/clens.yml) |
1314
| Scan Security | [security-checkov.yml](./.github/workflows/security-checkov.yml) |
1415
| Validate PR | [pr-checks.yml](./.github/workflows/pr-checks.yml) |
1516
| Auto Assign PR | [pr-auto-assignee.yml](./.github/workflows/pr-auto-assignee.yml) |
@@ -89,6 +90,7 @@ Complete index of all available workflows organized by category and use case.
8990
#### AWS
9091
| Workflow | Description | Use Case |
9192
|----------|-------------|----------|
93+
| [clens.yml](./.github/workflows/clens.yml) | AWS cloud audit & security reports | Inventory, IAM, cost, security |
9294
| [aws-prowler.yml](./.github/workflows/aws-prowler.yml) | AWS security scanning | AWS compliance |
9395
| [aws-ssm-send-command.yml](./.github/workflows/aws-ssm-send-command.yml) | Execute commands via SSM | Remote execution |
9496
| [aws-remote-ssh-command.yml](./.github/workflows/aws-remote-ssh-command.yml) | Execute SSH commands | Remote management |

docs/clens.md

Lines changed: 92 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,92 @@
1+
## [Clens AWS Audit Workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/.github/workflows/clens.yml)
2+
3+
`clens` is a lightweight Go CLI — *see your cloud clearly* — that runs AWS audit tools via the clens API and extracts results locally into `_report/` and `_logs/`.
4+
5+
### Usage
6+
7+
This workflow builds `clens` from source, runs the selected audit tool using your AWS credentials, and uploads the report as a GitHub Actions artifact. Optionally sends a Slack notification on completion.
8+
9+
### Available tools
10+
11+
| Tool | Description |
12+
|---|---|
13+
| `aws-inventory` | EC2, RDS, Lambda, and S3 inventory |
14+
| `iam-audit` | IAM users, roles, and policy review |
15+
| `cost-report` | Cost breakdown via Cost Explorer |
16+
| `security-audit` | Security group, public access, and encryption checks |
17+
| `unused-resources` | Identify unused EC2, EBS, and EIP resources |
18+
| `tag-compliance` | Tag coverage and policy compliance |
19+
| `service-quotas` | Current service quota utilisation |
20+
| `all` | Run all tools in one request |
21+
22+
### Example
23+
24+
```yaml
25+
name: AWS Audit
26+
27+
on:
28+
workflow_dispatch:
29+
schedule:
30+
- cron: '0 8 * * 1' # Every Monday at 08:00 UTC
31+
32+
jobs:
33+
audit:
34+
name: Run clens audit
35+
uses: clouddrove/github-shared-workflows/.github/workflows/clens.yml@master
36+
with:
37+
tool: aws-inventory # Required: tool name or 'all'
38+
api_host: 192.168.13.245 # Optional: clens API host (IP or hostname)
39+
retention_days: 7 # Optional: artifact retention (default: 7)
40+
enable_slack_notification: false
41+
secrets:
42+
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
43+
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
44+
AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }} # Optional
45+
API_TOKEN: ${{ secrets.API_TOKEN }} # Optional
46+
```
47+
48+
### Run all tools with Slack notification
49+
50+
```yaml
51+
jobs:
52+
full-audit:
53+
name: Full AWS audit
54+
uses: clouddrove/github-shared-workflows/.github/workflows/clens.yml@master
55+
with:
56+
tool: all
57+
api_host: 192.168.13.245
58+
retention_days: 14
59+
enable_slack_notification: true
60+
slack_message: 'Weekly AWS audit complete'
61+
slack_env: production
62+
secrets:
63+
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
64+
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
65+
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
66+
SLACK_USERNAME: ${{ secrets.SLACK_USERNAME }}
67+
```
68+
69+
### Inputs
70+
71+
| Input | Required | Default | Description |
72+
|---|---|---|---|
73+
| `tool` | ✅ | — | Tool to run (see table above). |
74+
| `api_host` | ❌ | `''` | Clens API host (IP or hostname, with optional port). |
75+
| `api_run_path` | ❌ | `/aws/run` | API run path override. |
76+
| `retention_days` | ❌ | `7` | Artifact retention period in days. |
77+
| `enable_slack_notification` | ❌ | `false` | Send a Slack notification on completion. |
78+
| `slack_message` | ❌ | `Clens AWS audit complete` | Slack message body. |
79+
| `slack_env` | ❌ | `''` | Environment label in the Slack notification. |
80+
81+
### Secrets
82+
83+
| Secret | Required | Description |
84+
|---|---|---|
85+
| `AWS_ACCESS_KEY_ID` | ✅ | AWS access key ID. |
86+
| `AWS_SECRET_ACCESS_KEY` | ✅ | AWS secret access key. |
87+
| `AWS_SESSION_TOKEN` | ❌ | AWS session token (for temporary credentials). |
88+
| `API_TOKEN` | ❌ | API auth token sent as `X-API-Key`. |
89+
| `SLACK_WEBHOOK` | ❌ | Slack webhook URL. |
90+
| `SLACK_USERNAME` | ❌ | Slack username for the notification. |
91+
92+
It uses Clouddrove Github-Shared-Workflow. [HERE](https://github.com/clouddrove/github-shared-workflows/blob/master/.github/workflows/clens.yml)

0 commit comments

Comments
 (0)