CloudBurn CLI

Configuration

Configure CloudBurn with a .cloudburn.yml file to customize which rules run, filter by service, and set output formats.

CloudBurn reads configuration from a .cloudburn.yml (or .cloudburn.yaml) file. When you run any CloudBurn command, it walks up the directory tree toward the git root looking for a config file.

Generate a starter config

cloudburn config --init

This creates a .cloudburn.yml at your git root. See cloudburn config for details.

Full config schema

The config file has separate sections for iac (static scans) and discovery (live AWS scans). Both sections support the same keys.

iac:                      # static scans of IaC files
  enabled-rules:          # run only these rule IDs (omit to run all rules)
    - CLDBRN-AWS-EBS-1
  disabled-rules:         # never run these rule IDs
    - CLDBRN-AWS-EC2-2
  services:               # only run rules for these services
    - ebs
    - ec2
  format: table           # default output format for iac scans

discovery:                # live scans against AWS
  enabled-rules:
    - CLDBRN-AWS-EBS-1
  disabled-rules:
    - CLDBRN-AWS-S3-1
  services:
    - ebs
    - s3
  format: json            # default output format for discovery scans

Config keys

Key             Type                Default        Description
enabled-rules   string[]            all rules      Only run these rule IDs. Specify exact rule IDs (e.g. CLDBRN-AWS-EBS-1).
disabled-rules  string[]            none           Skip these rule IDs.
services        string[]            all services   Only run rules for these services (e.g. ebs, ec2, s3).
format          "table" or "json"   "table"        Default output format for this scan type.

Precedence

CLI flags always take priority over config file values, which take priority over built-in defaults:

CLI flags > config file > defaults

For example, passing --format json on the command line overrides a format: table in your config file.

Validation

CloudBurn validates your config at startup and exits with an error if:

  • The same rule ID appears in both enabled-rules and disabled-rules
  • A rule ID in enabled-rules or disabled-rules does not exist
  • A rule ID does not support the scan mode it appears in (e.g. a discovery-only rule in the iac section)
  • A service name in services is not valid for that scan mode
  • format is set to a value other than table or json

CI environments

When the CI environment variable is set and truthy, CloudBurn skips implicit config file discovery and uses default values. This prevents unexpected config files on CI runners from affecting scan results. To use a config file in CI, pass it explicitly with --config. Treat a committed .cloudburn.yml as code under review: a disabled-rules entry silently suppresses findings in every scan that picks the file up, whether it was added deliberately or not.
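The discovery walk, the CI opt-out, the precedence order and the startup validation rules above, as one added Python illustration of the documented semantics (this is example code, not CloudBurn's own implementation). The rule catalog, which scan modes each rule supports, the set of values treated as "truthy" for CI, and the choice to stop the walk at the first directory containing .git are assumptions made for the example.

```python
"""Illustration of the documented .cloudburn.yml semantics: config discovery
toward the git root, the CI opt-out, precedence (CLI flags > config file >
defaults) and the startup validation checks. Added example, not CloudBurn's
own code; the rule catalog and the CI truthiness test are assumptions."""
import os
import tempfile
from pathlib import Path

CONFIG_NAMES = (".cloudburn.yml", ".cloudburn.yaml")
# Assumption: which CI values count as "truthy".
CI_TRUTHY = {"1", "true", "yes", "on"}
# Constructed catalog: rule id -> (service, scan modes that support it).
# The IDs are the ones shown on this page; which modes they support is assumed.
RULE_CATALOG = {
    "CLDBRN-AWS-EBS-1": ("ebs", {"iac", "discovery"}),
    "CLDBRN-AWS-EC2-2": ("ec2", {"iac", "discovery"}),
    "CLDBRN-AWS-S3-1": ("s3", {"discovery"}),
}
DEFAULTS = {"enabled-rules": None, "disabled-rules": None,
            "services": None, "format": "table"}


def find_config_file(start, explicit=None, env=None):
    """Return the config path to use, or None when built-in defaults apply.

    An explicit --config path always wins. Otherwise a truthy CI variable
    disables implicit discovery. Otherwise walk upward from `start`, stopping
    after the git root (first directory containing .git) or the filesystem root.
    """
    env = os.environ if env is None else env
    if explicit is not None:
        return Path(explicit)
    if env.get("CI", "").strip().lower() in CI_TRUTHY:
        return None
    here = Path(start).resolve()
    while True:
        for name in CONFIG_NAMES:
            candidate = here / name
            if candidate.is_file():
                return candidate
        if (here / ".git").exists() or here.parent == here:
            return None  # reached the git root or '/' without finding one
        here = here.parent


def effective_settings(section, file_cfg, cli_flags):
    """Merge one scan type's keys: CLI flags > config file > built-in defaults."""
    merged = dict(DEFAULTS)
    for source in ((file_cfg or {}).get(section) or {}, cli_flags or {}):
        merged.update({k: v for k, v in source.items() if v is not None})
    return merged


def validate(section, settings):
    """Return the list of startup validation errors for one section ([] if valid)."""
    errors = []
    enabled = set(settings["enabled-rules"] or [])
    disabled = set(settings["disabled-rules"] or [])
    for rid in sorted(enabled & disabled):
        errors.append(f"{section}: {rid} is in both enabled-rules and disabled-rules")
    for rid in sorted(enabled | disabled):
        if rid not in RULE_CATALOG:
            errors.append(f"{section}: unknown rule id {rid}")
        elif section not in RULE_CATALOG[rid][1]:
            errors.append(f"{section}: {rid} does not support {section} scans")
    valid_services = {svc for svc, modes in RULE_CATALOG.values() if section in modes}
    for svc in settings["services"] or []:
        if svc not in valid_services:
            errors.append(f"{section}: service {svc!r} is not valid for {section} scans")
    if settings["format"] not in ("table", "json"):
        errors.append(f"{section}: format must be table or json, got {settings['format']!r}")
    return errors


def demo_discovery():
    """Build a throwaway repo layout and exercise the three discovery paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "repo"
        (root / ".git").mkdir(parents=True)
        (root / ".cloudburn.yml").write_text("iac:\n  format: table\n")
        nested = root / "infra" / "prod"
        nested.mkdir(parents=True)
        found = find_config_file(nested, env={})                      # walks up to repo/
        in_ci = find_config_file(nested, env={"CI": "true"})          # discovery skipped
        forced = find_config_file(nested, explicit=root / "ci.yml",
                                  env={"CI": "1"})                    # --config still wins
        return (found == (root / ".cloudburn.yml").resolve(),
                in_ci is None, forced.name == "ci.yml")


if __name__ == "__main__":
    print("discovery:", demo_discovery())
    cfg = {"iac": {"format": "table", "services": ["ebs", "ec2"]}}
    print("effective:", effective_settings("iac", cfg, {"format": "json"}))
    bad = {"iac": {"enabled-rules": ["CLDBRN-AWS-S3-1"], "services": ["s3"]}}
    print("errors:", validate("iac", effective_settings("iac", bad, {})))
```

Running the module prints the three discovery outcomes, the merged iac settings with format overridden to json by the flag, and two validation errors for the bad config (a discovery-only rule and a discovery-only service placed in the iac section).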

What's next

  • Quickstart: Scan IaC Files: use your config in a real scan
  • cloudburn scan: all flags for the scan command
  • cloudburn rules list: find valid rule IDs to use in your config