Your First Scan¶
A scan builds the full graph, runs heuristics, evaluates policies, and produces a waste ledger. Here is what that looks like against a live account.
Cloud Credential Configuration¶
s.a.u needs access to your cloud provider control plane APIs. Set credentials using the standard provider chains.
AWS¶
export AWS_ACCESS_KEY_ID="AKIA..."
export AWS_SECRET_ACCESS_KEY="wJaL..."
export AWS_REGION="us-east-1"
Alternatively, configure the named profile in ~/.aws/credentials:
Reference the profile via environment:
GCP¶
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json"
export CLOUDSDK_CORE_PROJECT="infrastructure-prod-42"
Azure¶
export AZURE_CLIENT_ID="..."
export AZURE_CLIENT_SECRET="..."
export AZURE_TENANT_ID="..."
export AZURE_SUBSCRIPTION_ID="..."
Executing the Analysis¶
Plugin Required
Before scanning, install the provider plugin for your cloud. For example: cs registry install aws. See the Installation guide for details.
cs scan bootstraps the Swarm orchestrator, ingests all cloud APIs concurrently, constructs the Universal Graph, applies heuristics, evaluates CEL policies, and runs formal verification.
The output renders a table of every discovered waste node:
╔══════════════════════════════════════════════════════╗
║ CloudSlash Scan Results ║
╠══════════════════════════════════════════════════════╣
║ RESOURCE ID TYPE COST VERDICT ║
║ i-0abc123def456789 ec2:instance $347 DELETE ║
║ vol-0ghi789jkl012345 ebs:volume $24 FLAG ║
║ func-legacy-processor lambda $0 DELETE ║
║ rds-staging-analytics rds:instance $1200 RISK ║
╠══════════════════════════════════════════════════════╣
║ Total Waste: $1,571/mo │ 4 findings │ Gate: PASS ║
╚══════════════════════════════════════════════════════╝
Three verdicts appear most often in a first scan: FLAG means the engine detected waste but confidence is below the DELETE threshold: review it yourself. DELETE means the engine is confident this resource is waste and recommends destruction. BLOCK means s.a.u has quarantined the resource due to a policy violation with risk score ≥80: it cannot be auto-remediated until the violation is resolved.
Interpreting Verdicts¶
The engine assigns verdicts by evaluating the full graph topology and engine heuristics:
| Verdict | Engine | Meaning |
|---|---|---|
CRITICAL |
Oracle | Resource is reachable in production: requires immediate review |
BLOCK |
s.a.u | Quarantined due to policy violation (risk score ≥80) |
DELETE |
Devi | Confirmed waste: engine recommends destruction |
RISK |
Oracle | Elevated risk score (>30): lifecycle or stability concern |
FLAG |
Devi | Waste detected but below confidence threshold |
PURGED |
s.a.u | Previously remediated via the Saga pipeline |
Machine-Readable Output¶
For programmatic consumption, specify the output format via the --format flag:
# JSON for dashboards, scripts, and APIs
cs scan --format=json --region us-east-1
# SARIF 2.1.0 for GitHub Advanced Security
cs scan --format=sarif --output=results.sarif --region us-east-1
# GitHub PR markdown for automated comments
cs scan --format=github-pr --region us-east-1
# GitHub Actions inline annotations
cs scan --format=github-actions --region us-east-1
Applying the CI Gate¶
The --fail-on flag configures the exit code threshold for CI/CD pipeline gating:
# Exit 1 only on critical findings
cs scan --fail-on=critical --region us-east-1
# Strict mode: exit 1 on any warning
cs scan --fail-on=warning --rules policies.yaml --region us-east-1
| Exit Code | Meaning |
|---|---|
0 |
All findings below the --fail-on threshold |
1 |
Findings exceed the configured threshold |