Synopsis
cloudburn scan [path] [flags]
Description
Runs a static analysis scan against Terraform (.tf) and CloudFormation (.json, .yaml, .yml) files. CloudBurn auto-detects file types — you don't need to specify which IaC format you're using.
When no [path] is provided, CloudBurn scans the current working directory recursively.
Arguments
| Argument | Description |
|---|---|
| [path] | Optional. Directory or file to scan. Defaults to the current working directory. |
Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| --config | string | auto-discovery | Path to a .cloudburn.yml config file. Overrides automatic config discovery. |
| --enabled-rules | string | all rules | Comma-separated list of rule IDs to include. All other rules are skipped. |
| --disabled-rules | string | none | Comma-separated list of rule IDs to exclude. |
| --service | string | all services | Comma-separated list of services to scan (e.g. ebs,ec2). |
| --exit-code | boolean | false | Exit with code 1 when findings exist. Useful for CI gates. |
| --format | "table" or "json" | "table" | Output format. table for human-readable output; json for machine-readable. |
Exit codes
| Code | Meaning |
|---|---|
| 0 | Scan completed with no findings, or --exit-code was not passed |
| 1 | Findings exist and --exit-code was passed |
| 2 | Runtime error (path not found, config parse error, etc.) |
Examples
Scan the current directory:
cloudburn scan
Scan a specific path:
cloudburn scan ./infrastructure
Scan only EBS rules and fail CI on findings:
cloudburn scan --service ebs --exit-code
Output as JSON:
cloudburn --format json scan ./iac
Run only specific rules:
cloudburn scan --enabled-rules CLDBRN-AWS-EBS-1,CLDBRN-AWS-EC2-2
Use a non-default config file:
cloudburn scan --config ./configs/.cloudburn.yml
Example JSON output structure:
{
  "providers": [
    {
      "name": "aws",
      "rules": [
        {
          "id": "CLDBRN-AWS-EBS-1",
          "service": "ebs",
          "findings": [
            {
              "resourceId": "aws_ebs_volume.main",
              "path": "modules/storage/main.tf",
              "line": 12,
              "message": "EBS volume is not using gp3; migrate from gp2 to save up to 20% on storage costs"
            }
          ]
        }
      ]
    }
  ]
}
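Added example, not part of the CloudBurn documentation: a Python script that consumes the JSON structure shown above and renders each finding as a GitHub Actions `::warning` annotation, escaping paths and messages so text taken from scanned files cannot start a new workflow command. It assumes only the fields visible in the sample output; the function names and the sample report are constructed here.

```python
import json
from collections import Counter

# Constructed sample in the shape shown above (not real scan output).
SAMPLE = json.dumps({"providers": [{"name": "aws", "rules": [
    {"id": "CLDBRN-AWS-EBS-1", "service": "ebs", "findings": [
        {"resourceId": "aws_ebs_volume.main", "path": "modules/storage/main.tf",
         "line": 12, "message": "EBS volume is not using gp3"},
        {"resourceId": "aws_ebs_volume.logs", "path": "modules/a,b/main.tf",
         "line": 3, "message": "50% over\n::error::spoofed"}]},
    {"id": "CLDBRN-AWS-EC2-2", "service": "ec2", "findings": []}]}]})


def iter_findings(report):
    """Flatten providers -> rules -> findings into one dict per finding."""
    for provider in report.get("providers", []):
        for rule in provider.get("rules", []):
            for finding in rule.get("findings", []):
                yield {"provider": provider.get("name"), "rule": rule.get("id"),
                       "service": rule.get("service"), **finding}


def escape_cmd(value, is_property=False):
    """Escape text for a GitHub Actions workflow command (data or property)."""
    text = str(value).replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")
    if is_property:  # property values must not contain ':' or ','
        text = text.replace(":", "%3A").replace(",", "%2C")
    return text


def to_annotations(report):
    """Render one '::warning' workflow command per finding."""
    return [
        "::warning file={},line={},title={}::{}".format(
            escape_cmd(f.get("path", ""), True), escape_cmd(f.get("line", 1), True),
            escape_cmd(f["rule"], True),
            escape_cmd("{}: {}".format(f.get("resourceId", "?"), f.get("message", ""))))
        for f in iter_findings(report)]


def count_by_service(report):
    """Number of findings per service, for a short CI summary."""
    return Counter(f["service"] for f in iter_findings(report))


if __name__ == "__main__":
    report = json.loads(SAMPLE)
    print("\n".join(to_annotations(report)))
    print(dict(count_by_service(report)))
```

In a pipeline, replace `SAMPLE` with the captured output of the JSON-format scan and treat exit code 2 as a failed scan rather than an empty report.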
Rules
Rules evaluated by this scan are documented in Rules.
What's next
| Configuration | Set default flags in .cloudburn.yml |
| Exit Codes | Use exit codes in CI/CD pipelines |
| CI/CD Integration | Full GitHub Actions and GitLab CI examples |