title: CloudSlash - CLI Commands Reference description: Complete reference for the cloudslash CLI. All commands are also available via the cs shorthand alias: both names are interchangeable. The binary accepts con...
CLI Commands¶
Complete reference for the cloudslash CLI. All commands are also available via the cs shorthand alias: both names are interchangeable.
Global Execution Environment¶
The binary accepts configuration overrides via environment variables matching the CLOUDSLASH_* prefix. Environment variables supersede config.yaml values. CLI flags supersede environment variables.
| Variable | Purpose |
|---|---|
CLOUDSLASH_CONFIG_PATH |
Override default config path (~/.cloudslash/config.yaml) |
CLOUDSLASH_AI_MODEL |
Active AI model (e.g., gemini-2.5-flash) |
CLOUDSLASH_AI_KEY |
API key for the configured AI provider |
CLOUDSLASH_DAEMON_URL |
Override daemon HTTP endpoint (default: http://localhost:8080) |
CLOUDSLASH_TELEMETRY |
Set to 0 or false to disable all anonymous telemetry: no network call is made |
Command Glossary¶
scan¶
Executes the stateless shift-left infrastructure scanner. Constructs the full Devi graph, applies heuristics, evaluates CEL policies, runs formal verification, and renders findings in the specified output format. Supports Terraform plan diff scanning via --plan for true pre-merge analysis.
| Flag | Type | Definition |
|---|---|---|
--format |
ENUM | Output serialization: table, json, github-pr, sarif, github-actions. Default: table. |
--fail-on |
ENUM | Exit code gate threshold: critical, warning, none. Default: none. |
--timeout |
duration | Maximum scan execution window (e.g., 5m, 30s). Default: 10m. |
--output |
path | Write serialized output to filesystem path instead of stdout. |
--plan |
path | Path to Terraform plan JSON (terraform show -json tfplan.out). Restricts analysis to planned resource changes only. |
--region |
string | AWS region target (e.g., us-east-1). |
--rules |
path | Absolute path to the CEL expression .yaml injection. |
Signal Handling¶
SIGTERM/SIGINT: Await in-flight scanner completion; flush output buffer; exit.
Credential Fallback¶
When cloud provider credentials are absent, the scanner automatically degrades to mock static analysis mode. No explicit --mock flag is required for CI environments where secrets may not be configured.
Terraform Plan Scanning¶
When --plan is specified, the engine parses the JSON plan file to extract resource_changes[] and constructs a targeted graph containing only resources being created, modified, or destroyed. Heuristics, CEL policies, and formal verification execute against this scoped graph.
terraform plan -out=tfplan.out
terraform show -json tfplan.out > tfplan.json
cs scan --plan=tfplan.json --format=sarif --output=results.sarif --fail-on=critical
Exit Codes¶
| Code | Meaning |
|---|---|
0 |
All findings below --fail-on threshold |
1 |
Findings exceed threshold (CI gate failure) |
init¶
Interactive setup wizard. Detects cloud credentials, provisions the graph store, configures AI, and optionally starts the daemon.
| Flag | Type | Definition |
|---|---|---|
--non-interactive |
boolean | Skip all prompts; read from environment variables only. |
--skip-daemon |
boolean | Skip background daemon startup (useful for CI or containers). |
--skip-tui |
boolean | Don't launch the terminal dashboard after initialization. |
The wizard runs these steps:
- System diagnostics (preflight checks)
- Cloud credential scan (AWS, GCP, Azure, Kubernetes)
- Graph store and state backend provisioning
- AI provider detection (Ollama auto-detect)
- Daemon startup
- Slashfile generation (
.cloudslash.yaml) - Summary with next steps
daemon¶
Instantiates the continuous evaluation loop binding the Devi solver, Swarm AIMD orchestrator, and Web UI HTTP server.
| Flag | Type | Definition |
|---|---|---|
--mock |
boolean | Bypass physical APIs; inject synthetically generated graph nodes for isolated evaluations. |
--interval |
duration | Cycle interval for heuristic calculation vectors (e.g., 5m). |
--region |
string | Cloud region target (e.g., us-east-1). |
--all-profiles |
boolean | Scan all AWS CLI profiles. |
--rules |
string | Absolute path to the CEL expression .yaml injection. |
--history-url |
URL | S3 URL for shared scan history (s3://bucket/key). |
--slack-webhook |
URL | Slack incoming webhook for notifications. |
--otel-endpoint |
URL | Target telemetry ingestion endpoint (e.g., http://jaeger:4318). |
--json |
boolean | Format stdout streams using structured serialized JSON. |
--verbose |
boolean | Enable debug/matrix mode logging. |
Signal Handling¶
SIGTERM/SIGINT: Await in-flight Saga termination; drain HTTP connections; execute zero-exit.SIGHUP: Triggerconfig.yamlhot-reload without graph suspension.
tui¶
Attaches the Terminal UI matrix to the active UNIX domain socket. Renders a Bloomberg-style quad-pane layout with real-time sparkline visualizations and engine-computed verdict distributions.
Key Bindings¶
| Key | Action |
|---|---|
1-4 |
Switch workspace (DEVI / Topology / s.a.u / Command) |
Tab |
Cycle focus between quadrant panes |
j / k |
Navigate down / up in lists |
Enter |
Select node / execute topology action / execute s.a.u revert |
Y |
Approve remediation for selected node |
N |
Reject remediation for selected node |
D |
Toggle zoom on remediation diff pane |
R |
Quick-release node from s.a.u block (in s.a.u workspace) |
z |
Zoom focused pane to fullscreen |
Esc |
Exit zoom / close sub-view |
Ctrl+F |
Open node search/filter bar |
/ |
Open DEVI AI prompt bar |
q |
Quarantine selected node |
p |
Preview Terraform remediation plan |
e |
Open Egress Calculator (in Topology workspace) |
t |
Toggle s.a.u enforcement mode |
m |
Open AI model picker (in Command workspace) |
s |
Save config + hot-reload (in Command workspace) |
f / F |
Force sync (trigger immediate Swarm reconciliation) |
Ctrl+C |
Quit |
config¶
Interactive configuration wizard. Walk through provider selection, API key entry, and model selection in a guided TUI flow.
The wizard steps:
- Provider selection: Choose from Ollama (local, free, private), OpenAI, Anthropic, Gemini, Groq, or a custom endpoint.
- API key entry: Provider-specific placeholder hints (e.g.,
sk-ant-...for Anthropic,AIza...for Gemini). Ollama skips this step. - Model selection: Fetches the live model list from your provider. If the provider is unreachable (no API key yet), model selection is skipped: re-run
cs configafter setting your key. - Summary: Shows the saved configuration.
Switching providers automatically clears stale settings from the previous provider (e.g., switching from Groq to Ollama removes the base_url).
Subcommands¶
cs config set ai.provider ollama # Set a single value
cs config set ai.model llama3.2 # Set model directly
cs config view # Print the full active configuration
| Subcommand | Definition |
|---|---|
set |
Set a config value: cs config set <key> <value> (e.g., cs config set ai.provider ollama). |
view |
Print the current configuration. Running cs config with no arguments launches interactive setup. |
doctor¶
Runs dynamic, adaptive system diagnostics. Discovers which cloud providers, AI backends, and plugins are relevant to your setup and only checks those.
| Flag | Type | Definition |
|---|---|---|
--fix |
bool | Auto-repair detected issues where possible. |
Dynamic checks include:
- Core: data directories, config file, BadgerDB graph store
- Daemon: socket connectivity, stale socket detection, HTTP API latency, WebSocket
- Cloud Providers: cross-references credentials with installed plugins. Validates credentials via real CLI calls (
aws sts,gcloud auth,az account,kubectl cluster-info) - AI Backends: checks Ollama (health), OpenAI/Anthropic/Gemini (env vars), and config.yaml
- Plugins: lists all discovered plugins with binary paths
- History: s.a.u state, snapshots, trend data, scan freshness
--fix can create missing directories, remove stale sockets, start the daemon, create default config, and initialize storage.
status¶
Quick terminal glance at infrastructure state. Falls back to snapshot data when the daemon is offline.
Displays: waste node count, projected savings, guardrail failures, drift detected, s.a.u blocked nodes, and historical delta since last scan. No flags required.
plugin¶
Manage provider plugins: install from the registry, scaffold new plugins, list installed, and remove them. The cs registry command has been folded into cs plugin to give you a single surface for all plugin lifecycle operations.
cs plugin search [query] # Search the registry
cs plugin install <name> # Install a plugin or policy
cs plugin list # List installed plugins and policies
cs plugin uninstall <name> # Remove an installed plugin or policy
cs plugin create <name> # Scaffold a new plugin project
cs plugin publish --version=v1.0.0 # Publish a plugin to GitHub Releases
plugin search¶
Search the CloudSlash community registry for provider plugins and policy packs.
cs plugin search # Browse all packages
cs plugin search aws # Search by name or keyword
cs plugin search aws --type plugin # Plugins only
cs plugin search eks --type policy # Policies only
| Flag | Type | Definition |
|---|---|---|
--type |
string | Filter results: plugin or policy. |
plugin install¶
Install a plugin or policy from the registry, or directly from a GitHub release.
cs plugin install aws # Install by name from registry
cs plugin install drskyle/[email protected] # Install directly from GitHub Releases
Plugins install to ~/.cloudslash/plugins/. Policies install to ~/.cloudslash/policies/. The daemon auto-discovers installed plugins on next restart. Policies are evaluated on next scan.
plugin list¶
List all installed plugins and policies, with load status.
Output shows each package name, type (plugin / policy), and status (loaded if the daemon has it active, installed if present on disk but not yet active).
plugin uninstall¶
Remove an installed plugin or policy from disk.
cs plugin uninstall aws # Uninstall the aws plugin
cs plugin uninstall eks-idle # Uninstall a policy pack
After uninstalling a plugin, restart the daemon to remove it from the active scanner pool.
plugin create¶
Scaffold a new plugin project with the gRPC provider interface, Makefile, CQRS event-stream skeleton, and README.
Generates a complete project directory:
cloudslash-plugin-digitalocean/
├── main.go # Provider stub with Handshake + Scan + event stream
├── go.mod # Dependencies pre-configured
├── Makefile # build, test, install targets
└── README.md # Getting started + registry manifest template
After scaffolding, implement your scanners in main.go, then run make install to deploy the plugin to ~/.cloudslash/plugins/. The daemon will auto-discover it on next restart.
See Writing Custom Plugins for the full implementation guide.
plugin publish¶
Cross-compile a plugin for all supported platforms, generate SHA-256 checksums, create a GitHub Release with the binaries as assets, and print instructions for submitting to the community plugin index.
cs plugin publish --version=v1.0.0
cs plugin publish --version=v1.2.0 --skip-signing
cs plugin publish --version=v2.0.0 --github-token=ghp_xxx
| Flag | Type | Definition |
|---|---|---|
--version |
string | Semver release tag, e.g. v1.0.0 (required). Must start with v. |
--skip-signing |
boolean | Skip Cosign binary signing. |
--no-registry-pr |
boolean | Skip registry submission instructions. |
--github-token |
string | GitHub personal access token (falls back to GITHUB_TOKEN env). |
--platforms |
string | Comma-separated target platforms (default: linux/amd64,linux/arm64,darwin/amd64,darwin/arm64). |
Reads manifest.yaml from the current directory. Requires a clean origin git remote pointing to a GitHub repository. After the release is created, follow the printed steps to open a PR against DrSkyle/cloudslash-plugins to appear in cs plugin search.
diff¶
Compare infrastructure snapshots over time. Shows new waste, resolved waste, and cost delta between two scan points.
cs diff # Compare last two snapshots
cs diff --from=2026-04-18 # Compare specific date to latest
cs diff --from=2026-04-18 --to=2026-04-25
cs diff --list # List available snapshots
| Flag | Type | Definition |
|---|---|---|
--from |
string | Starting snapshot date (YYYY-MM-DD) or file path. |
--to |
string | Ending snapshot (default: latest). |
--list |
bool | List all available snapshots with metadata. |
trend¶
Display infrastructure cost trends using data collected from each scan.
| Flag | Type | Definition |
|---|---|---|
--days |
int | Number of days to display (default: 30). |
Renders an ASCII sparkline chart in the terminal showing waste count movement over time, with summary statistics.
report¶
Generate executive infrastructure reports for management, finance, or compliance teams.
cs report # Markdown to stdout
cs report --format=html --output=report.html
cs report --format=json --output=report.json
| Flag | Type | Definition |
|---|---|---|
--format |
string | Output format: markdown, html, json. |
--output |
path | Write report to file instead of stdout. |
Report includes: executive summary, provider breakdown, top 10 waste items, policy compliance, drift summary, and cost trend charts. HTML output uses a dark theme matching the CloudSlash brand.
upgrade¶
Check for and install CloudSlash updates from GitHub Releases.
cs upgrade # Check and install with confirmation
cs upgrade --check # Check only, don't install
cs upgrade --force # Skip confirmation (for CI)
| Flag | Type | Definition |
|---|---|---|
--check |
bool | Only check for updates, don't install. |
--force |
bool | Skip confirmation prompt (for CI/CD). |
Downloads the correct binary for your OS/architecture, verifies it, and performs an atomic swap. Always asks for confirmation unless --force is specified.
codegen¶
Generate typed Go struct bindings from Terraform provider schemas. The Metagraph Compiler reads a provider schema JSON (produced by terraform providers schema -json), builds a symbol table, and emits deterministic Go source files using Jennifer. Output can be used as typed node definitions in the CloudSlash universal graph.
This is a plugin author tool: end users running cs scan do not need this command.
cs codegen --schema=aws_schema.json --output=./generated/
cs codegen --schema=gcp_schema.json --config=codegen.yaml --output=./gen/
| Flag | Type | Definition |
|---|---|---|
--schema |
path | Path to Terraform provider schema JSON (required). |
--config |
path | Path to codegen config YAML (optional, uses defaults if omitted). |
--output |
path | Output directory for generated Go source files. Default: ./generated. |
Workflow¶
# 1. Export the provider schema
terraform providers schema -json > aws_schema.json
# 2. Generate typed Go structs
cs codegen --schema=aws_schema.json --output=./gen/
# 3. Use generated types in your plugin
# Generated files include struct definitions, edge methods (getters),
# reference type resolvers, and trait injection.
The compiler supports:
- Recursive AST processing for nested
list(object(...))schema types - Semantic Overlay for heuristic edge injection from attribute naming conventions (
_id,_arn,_link) - Trait injection via
GetTraits()method generation for known resource types - Cycle detection to handle schemas with circular block references
policy¶
Policy development and validation tools for CEL-based rules.
cs policy validate rules.yaml # Parse + compile CEL expressions
cs policy test rules.yaml # Dry-run against last scan snapshot
cs policy lint rules.yaml # Check for common mistakes
validate: Checks YAML syntax, required fields (id, expression, severity), valid enum values for severity and enforcement, and balanced parentheses in CEL expressions.
test: Loads the latest graph snapshot and evaluates each rule against all nodes, showing how many nodes would be blocked, warned, or pass.
lint: Detects duplicate rule IDs, missing descriptions, very short expressions, unquoted string comparisons, and contradictory conditions.
history¶
Queries the persistent event audit trail stored in BadgerDB. Events survive daemon restarts and include scans, s.a.u quarantine decisions, approvals, rejections, policy changes, and pipeline movements. The command connects to the running daemon's REST API.
| Flag | Type | Definition |
|---|---|---|
--since |
string | Show events since duration (3d, 12h, 1w) or RFC3339 timestamp. Default: all. |
--type |
ENUM | Filter by event type: SCAN_COMPLETED, s.a.u_ACTION, APPROVAL, POLICY_CHANGE, etc. |
--crn |
string | Show full lifecycle timeline for a specific resource CRN. |
--limit |
int | Maximum number of events to return. Default: 50. |
--json |
bool | Output as JSON for programmatic consumption. |
Examples¶
# Last 50 events, table format
cs history
# Events from the last 3 days
cs history --since 3d
# Filter by s.a.u actions only
cs history --type s.a.u_ACTION
# Full timeline for a specific resource
cs history --crn aws:ec2:us-east-1:i-0abc123
# Machine-readable output for piping
cs history --json | jq '.[] | select(.status == "APPROVED")'
Data Persistence¶
Events are stored at ~/.cloudslash/data/eventstore/ using BadgerDB. This path is not in a cache or temp directory, so cleanup tools (CleanMyMac, Mole) will not remove it. Retention can be configured through the web dashboard Settings → Data Management or via the POST /api/v1/history/prune endpoint.
watch¶
Continuous scanning mode. Connects to the running daemon, triggers periodic re-scans, and streams diffs between cycles.
| Flag | Type | Definition |
|---|---|---|
--interval |
duration | Re-scan interval (e.g., 30s, 2m, 5m). Default: 5m. |
--provider |
string | Filter scans to a specific provider (aws, gcp, azure). |
--alert-on-change |
boolean | Only print output when infrastructure state changes. |
# Re-scan every 2 minutes, only show changes
cs watch --interval 2m --alert-on-change
# Watch AWS resources only
cs watch --provider aws
Ctrl+C gracefully stops the watch loop.
revert¶
Undo a previous remediation using s.a.u CRDT snapshots. The revert process calls the provider plugin's Remediate RPC with the inverse action.
| Flag | Type | Definition |
|---|---|---|
--list |
boolean | List all revertible remediations. |
# List all revertible actions
cs revert --list
# Revert a specific remediation by ID
cs revert rem_2026050301
# Revert by resource CRN
cs revert crn:devi:aws:us-east-1:ec2:i-0abc123
If the daemon is not running, --list falls back to the local ledger file at ~/.cloudslash/history/ledger.json.
uninstall¶
Remove CloudSlash from the system. Kills the running daemon, deletes data directories, and prints instructions to remove the binary.
| Flag | Type | Definition |
|---|---|---|
--force |
boolean | Skip confirmation prompt. |
--keep-config |
boolean | Preserve config.yaml and .cloudslash.yaml Slashfile. |
Removes:
~/.cloudslash/devi-graph/: BadgerDB graph database~/.cloudslash/plugins/: installed plugins~/.cloudslash/policies/: policy packs~/.cloudslash/snapshots/: infrastructure snapshots~/.cloudslash/history/: s.a.u remediation history.cloudslash.yaml: project Slashfile (unless--keep-config)~/.cloudslash/config.yaml: configuration (unless--keep-config)
# Keep config, remove everything else
cs uninstall --keep-config
# Non-interactive (for automation)
cs uninstall --force
login¶
Authenticate with CloudSlash Horizon SaaS using a browser-based OAuth flow. Opens the browser to https://app.cloudslash.dev/cli-auth for authentication. On success, a JWT session token is stored locally and valid for 24 hours with automatic renewal.
Run cs login before using any Horizon command (sync, remediate, audit). Requires a CloudSlash Horizon account.
logout¶
Remove the locally stored Horizon authentication token.
Clears the session token file. Your Horizon session on the server remains valid until it naturally expires; this only prevents the CLI from using the old token without re-authenticating.
sync¶
Push the most recent local scan snapshot to CloudSlash Horizon. Reads ~/.cloudslash/state/latest.json (written by cs scan) and uploads it to the Horizon SaaS API so the dashboard reflects your current infrastructure state.
| Flag | Type | Definition |
|---|---|---|
--dry-run |
boolean | Print the payload that would be sent without actually sending it. |
--api-url |
string | Horizon API base URL (default: https://api.cloudslash.dev). |
Requires an active session — run cs login first. Run cs scan to generate fresh data before syncing.
remediate¶
Execute a Horizon-generated remediation plan locally via the SAU engine. Plans can be fetched from Horizon by ID or loaded from a local JSON file. The plan includes one or more cloud resource actions (delete / resize / stop) that CloudSlash will execute in sequence and record in the audit log.
| Flag | Type | Definition |
|---|---|---|
--plan-id |
string | Fetch plan from Horizon by ID (requires login). |
--file |
path | Load plan from a local JSON file instead. |
--api-url |
string | Horizon API base URL (default: https://api.cloudslash.dev). |
--dry-run |
boolean | Show blast radius but do not execute. |
--force |
boolean | Skip confirmation prompt. |
Exactly one of --plan-id or --file must be set. The plan is signed with a base64 SHA256 HMAC to prevent tampering in transit.
cs remediate --plan-id=plan_abc123
cs remediate --file=./plan.json --dry-run
cs remediate --plan-id=plan_abc123 --force
approve¶
Approve a pending SAU remediation request from the terminal. Mirrors the Slack button — same effect, different surface. Quorum must still be reached for the remediation to proceed. A single rejection from anyone cancels the request regardless of how many approved.
| Flag | Type | Definition |
|---|---|---|
--reason |
string | Optional reason to attach to the approval. |
reject¶
Reject (veto) a pending SAU remediation request. A single rejection cancels the entire request regardless of how many approvals were already received.
| Flag | Type | Definition |
|---|---|---|
--reason |
string | Reason for rejection (recommended for audit trail). |
pending¶
List all pending remediation approval requests so engineers know what needs a decision. Shows request ID, resource CRN, action, quorum status, and the approve/reject commands for each pending request.
chargeback¶
Generate a Finance-ready XLSX chargeback report from the last scan. Builds a three-sheet Excel workbook suitable for opening directly in Excel/Sheets — no cloud access required.
| Flag | Type | Definition |
|---|---|---|
--period |
string | Billing period (YYYY-MM). Defaults to current month. |
--output |
path | Output file path. Defaults to chargeback-YYYY-MM.xlsx in current dir. |
Sheets:
- Executive Summary — one row per team: total spend, waste, waste%, attribution coverage
- Resource Detail — one row per resource with owner, cost, waste flag
- Unattributed — resources with no owner for Finance follow-up
Requires an org-map.yaml at ~/.cloudslash/org-map.yaml for team attribution. Without it, all resources land in the Unattributed sheet.
cs chargeback # writes chargeback-YYYY-MM.xlsx
cs chargeback --period 2026-05 # specific billing period
cs chargeback --output ~/reports/q2.xlsx # custom output path
audit¶
M&A due-diligence cloud infrastructure audit. Produces a structured JSON report suitable for a deal dataroom, giving the acquiring company's CFO, CTO, and FinOps team a rapid, structured view of the target's infrastructure.
| Flag | Type | Definition |
|---|---|---|
--target |
string | Name of the company/entity being audited (required). |
--output |
string | Write JSON report to file (default: stdout). |
--period-months |
int | Months of billing history analysed (default: 3). |
Report includes: total cloud spend & annualised waste opportunity, attribution coverage (how many resources have a known owner), top-20 priority remediation actions ranked by annual savings, and a plain-English executive summary for the deal memo.
cloudslash audit --target "Acme Corp"
cloudslash audit --target "Acme Corp" --period-months 6 --output acme-audit.json
Remediation Workflow
Interactive remediation (approve, reject, undo) is handled through three interfaces: all backed by the same daemon APIs:
- TUI: Press
Yto approve,Nto reject,Rto release from s.a.u block - Web UI: Drag nodes through the Kanban pipeline stages
- API:
POST /api/v1/remediation/approve,/reject,/move
For CI/CD gating, use cs scan --fail-on=critical.
IAM Permissions
Minimum IAM policies for each cloud provider are documented in the Cloud Providers reference page.