PRSM

audit_iac_attack_paths

Active

Tool of io.github.Baneado98/cloud-pathfinder

declared in 0.1.0

Find real ATTACK PATHS in Infrastructure-as-Code (Terraform, CloudFormation, Kubernetes) — not a linter. Give it your IaC files (a map of filename→content, or a single `source` blob) and it parses them into a resource graph, resolves cross-resource relationships, and searches for chains from the public INTERNET to your crown jewels (data stores, secrets, admin). It returns a BREACHABLE / EXPOSED / HARDENED verdict and the concrete multi-hop routes an attacker would walk — e.g. 'open security group (SSH 0.0.0.0/0) → EC2 instance-profile role → iam:PassRole privilege escalation to admin → S3 exfiltration'. Understands AWS managed-policy permissions, 20+ IAM privilege-escalation primitives, public security groups / RDS, and Kubernetes LoadBalancer/NodePort exposure + privileged pods + cluster-admin ServiceAccounts. Use it before applying IaC or in a PR to catch breach paths a per-resource linter misses. The analysis is heuristic static analysis of the declared IaC only; it does not inspect the deployed environment.

Parameters schema

{
  "type": "object",
  "properties": {
    "deep": {
      "type": "boolean",
      "description": "When true, runs the PREMIUM deep audit: full attack chains with per-hop evidence (file:line), privilege-escalation reachability and remediation. Requires an API key (set CLOUD_PATHFINDER_KEY in your MCP env); without one you'll get unlock instructions. The free verdict + counts need no key."
    },
    "files": {
      "type": "object",
      "description": "Map of filename → file content. Mix Terraform (.tf/.tf.json), CloudFormation (.yaml/.json) and Kubernetes (.yaml) freely; formats are auto-detected. Cross-file references are resolved.",
      "additionalProperties": {
        "type": "string"
      }
    },
    "source": {
      "type": "string",
      "description": "Optional: a single IaC blob to analyze when you don't have separate files. Format auto-detected."
    },
    "filename": {
      "type": "string",
      "description": "Optional filename hint for `source` (helps format detection, e.g. main.tf)."
    }
  }
}

What this tool wraps: 1 endpoint


Parent server

io.github.Baneado98/cloud-pathfinder

https://github.com/Baneado98/cloud-pathfinder

2/7 registries