CloudBurn reads configuration from a .cloudburn.yml (or .cloudburn.yaml) file. When you run any CloudBurn command, it walks up the directory tree toward the git root looking for a config file.
Generate a starter config
cloudburn init config
This creates a .cloudburn.yml at your git root. See cloudburn init config for details.
Full config schema
The config file has separate sections for iac (static scans) and discovery (live AWS scans). Both sections support the same keys.
```yaml
iac:
  enabled-rules:
    - CLDBRN-AWS-EBS-1
  disabled-rules:
    - CLDBRN-AWS-EC2-2
  services:
    - ebs
    - ec2
  format: table
discovery:
  enabled-rules:
    - CLDBRN-AWS-EBS-1
  disabled-rules:
    - CLDBRN-AWS-S3-1
  services:
    - ebs
    - s3
  format: json
```
Config keys
| Key | Type | Default | Description |
|---|---|---|---|
| enabled-rules | string[] | all rules | Only run these rule IDs. Specify exact rule IDs (e.g. CLDBRN-AWS-EBS-1). |
| disabled-rules | string[] | none | Skip these rule IDs. |
| services | string[] | all services | Only run rules for these services (e.g. ebs, ec2, s3). |
| format | "table" or "json" | "table" | Default output format for this scan type. |
Precedence
CLI flags always take priority over config file values, which take priority over built-in defaults:
CLI flags > config file > defaults
For example, passing --format json on the command line overrides a format: table in your config file.
Validation
CloudBurn validates your config at startup and exits with an error if:
- The same rule ID appears in both enabled-rules and disabled-rules
- A rule ID in enabled-rules or disabled-rules does not exist
- format is set to a value other than table or json
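As an added illustration of the validation and precedence rules described above (example code, not CloudBurn's own implementation), the resolver below applies the three startup checks and then merges a config section with CLI flags. The rule catalogue, the assumption that disabled-rules and services further narrow an enabled-rules list, and the helper names are constructed for this example.

```python
"""Hypothetical resolver for a CloudBurn-style config section (added example, not CloudBurn's code)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed rule catalogue standing in for `cloudburn rules list` output (IDs taken from the page).
KNOWN_RULES = {"CLDBRN-AWS-EBS-1": "ebs", "CLDBRN-AWS-EC2-2": "ec2", "CLDBRN-AWS-S3-1": "s3"}
FORMATS = ("table", "json")

@dataclass
class ScanConfig:
    enabled_rules: Optional[list] = None   # None means the built-in default "all rules"
    disabled_rules: list = field(default_factory=list)
    services: Optional[list] = None        # None means the built-in default "all services"
    fmt: str = "table"

def validate_section(section: dict) -> list:
    """Return the startup validation errors the docs list; an empty list means the section is OK."""
    errors = []
    enabled = section.get("enabled-rules", [])
    disabled = section.get("disabled-rules", [])
    for rid in sorted(set(enabled) & set(disabled)):
        errors.append(f"rule {rid} is in both enabled-rules and disabled-rules")
    for rid in enabled + disabled:
        if rid not in KNOWN_RULES:
            errors.append(f"unknown rule ID {rid}")
    fmt = section.get("format", "table")
    if fmt not in FORMATS:
        errors.append(f"format must be one of {FORMATS}, got {fmt!r}")
    return errors

def resolve(section: dict, cli: dict) -> ScanConfig:
    """Apply the precedence CLI flags > config file > built-in defaults for one scan type."""
    errors = validate_section(section)
    if errors:
        raise ValueError("; ".join(errors))
    cfg = ScanConfig()
    for key, attr in (("enabled-rules", "enabled_rules"), ("disabled-rules", "disabled_rules"),
                      ("services", "services"), ("format", "fmt")):
        if key in section:
            setattr(cfg, attr, section[key])
        if cli.get(key) is not None:       # an explicit CLI flag wins over the config file
            setattr(cfg, attr, cli[key])
    return cfg

def effective_rules(cfg: ScanConfig) -> list:
    """Assumed semantics: enabled (or all) rules, minus disabled ones, filtered by services."""
    pool = cfg.enabled_rules if cfg.enabled_rules is not None else list(KNOWN_RULES)
    return sorted(r for r in pool if r not in cfg.disabled_rules
                  and (cfg.services is None or KNOWN_RULES[r] in cfg.services))

# Constructed input mirroring the page's iac: section; pass {"format": "json"} as cli to mimic --format json.
IAC_SECTION = {"enabled-rules": ["CLDBRN-AWS-EBS-1"], "disabled-rules": ["CLDBRN-AWS-EC2-2"],
               "services": ["ebs", "ec2"], "format": "table"}
```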
What's next
| Page | Description |
|---|---|
| Quickstart: Scan IaC Files | Use your config in a real scan |
| cloudburn scan | All flags for the scan command |
| cloudburn rules list | Find valid rule IDs to use in your config |