This tutorial walks you through running your first CloudBurn scan against local Terraform or CloudFormation files.
Step 1: Install CloudBurn
If you haven't installed the CLI yet, see Installation.
npm install --global cloudburn
Step 2: Navigate to your IaC directory
Change into the directory that contains your Terraform (.tf) or CloudFormation (.json, .yaml, .yml) files:
cd ./infrastructure
Step 3: Run the scan
Run a CloudBurn scan against the current directory:
cloudburn scan
Or point it at a specific path:
cloudburn scan ./path/to/iac
CloudBurn auto-detects file types — you don't need to specify whether you're using Terraform or CloudFormation.
Step 4: Read the output
By default, CloudBurn outputs a table of findings. Each row represents one finding:
┌──────────┬──────────────────┬─────────┬────────────────────────┬───────────────────────┬──────┬─────────────────────────────────────────────────┐
│ Provider │ RuleId           │ Service │ ResourceId             │ Path                  │ Line │ Message                                         │
├──────────┼──────────────────┼─────────┼────────────────────────┼───────────────────────┼──────┼─────────────────────────────────────────────────┤
│ aws      │ CLDBRN-AWS-EBS-1 │ ebs     │ aws_ebs_volume.main    │ modules/storage/main  │ 12   │ EBS volume is not using gp3; migrate from gp2   │
│          │                  │         │                        │ .tf                   │      │ to save up to 20% on storage costs              │
└──────────┴──────────────────┴─────────┴────────────────────────┴───────────────────────┴──────┴─────────────────────────────────────────────────┘
Column meanings:
| Column | Description |
|---|---|
| Provider | Cloud provider (aws) |
| RuleId | The rule that triggered (use this to look up details in Rules) |
| Service | AWS service category (e.g. ebs, ec2, s3) |
| ResourceId | The Terraform resource address or CloudFormation logical ID |
| Path | File path where the resource is defined |
| Line | Line number in the file |
| Message | What CloudBurn found and why it matters |
Step 5: Filter by service
To scan only specific AWS services:
cloudburn scan --service ebs
Multiple services:
cloudburn scan --service ebs,ec2
Step 6: Use JSON output
For machine-readable output — useful for scripts or CI pipelines:
cloudburn --format json scan ./iac
Pipe to jq to extract specific fields:
cloudburn --format json scan ./iac | jq '.providers[].rules[].findings'
Step 7: Use exit codes for CI
Pass --exit-code to make the command exit with code 1 when findings exist. This lets you fail CI builds:
cloudburn scan --exit-code
Exit codes:
| Code | Meaning |
|---|---|
| 0 | No findings, or --exit-code not passed |
| 1 | Findings exist and --exit-code was passed |
| 2 | Runtime error |
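A CI gate built on these exit codes, as an added example that is not part of the CloudBurn documentation: it keeps "findings exist" (1) separate from "the scan did not run" (2), so a crashed or missing scanner never counts as a clean result. The names `cloudburn_gate`, `CLOUDBURN_BIN` and `GATE_MODE` are assumptions of this sketch, as is combining `--exit-code`, `--service` and a path in one invocation.

```shell
#!/bin/sh
# Added example (not from the CloudBurn docs): CI gate around
# `cloudburn scan --exit-code`. The names cloudburn_gate, CLOUDBURN_BIN and
# GATE_MODE are assumptions of this sketch.
#
# Usage: cloudburn_gate PATH [SERVICES]
#   PATH      directory holding the Terraform/CloudFormation files
#   SERVICES  optional comma-separated list passed to --service (e.g. ebs,ec2)
# Returns 0 = build may continue, 1 = findings fail the build,
#         2 = the scan produced no verdict (runtime error or missing binary).
cloudburn_gate() {
  cb_path="${1:-.}"
  cb_services="${2:-}"
  cb_mode="${GATE_MODE:-enforce}"   # enforce | warn
  cb_rc=0

  # Build the command line in the function's own positional parameters.
  set -- scan --exit-code
  if [ -n "$cb_services" ]; then
    set -- "$@" --service "$cb_services"
  fi
  set -- "$@" "$cb_path"

  # Capture the status without tripping `set -e` in the calling script.
  "${CLOUDBURN_BIN:-cloudburn}" "$@" || cb_rc=$?

  case "$cb_rc" in
    0)
      echo "cloudburn: no findings" >&2
      return 0 ;;
    1)
      if [ "$cb_mode" = "warn" ]; then
        echo "cloudburn: findings reported (warn mode, build continues)" >&2
        return 0
      fi
      echo "cloudburn: findings reported, failing the build" >&2
      return 1 ;;
    *)
      # 2 is a runtime error per the table above; any other status (for
      # example 127 when the CLI is not installed) also means the scan did
      # not finish. Warn mode must not turn that into a pass.
      echo "cloudburn: scan did not complete (exit $cb_rc)" >&2
      return 2 ;;
  esac
}
```

In a pipeline step, source the file and call `cloudburn_gate ./infrastructure ebs,ec2`; set `GATE_MODE=warn` while rolling the check out so findings are reported without blocking merges.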
What's next
| Rules | Understand what each rule checks |
| CI/CD Integration | Run CloudBurn in GitHub Actions or GitLab CI |
| cloudburn scan | Full reference for scan flags |