rename: matlock → cloudgov #3
Closed
stxkxs wants to merge 11 commits into
- multi-cloud security and cost cli for aws, gcp, and azure
- homebrew tap formula and goreleaser workflow
- iam audit, cost anomaly, orphaned resource, and firewall rule scans
- tls certificate expiry monitoring and resource tag coverage enforcement
- bump go.opentelemetry.io/otel/sdk to v1.40.0 (cve fix)
- dns enumeration: a, aaaa, mx, ns, cname, txt, srv records
- reverse dns lookups and ip geolocation
- whois data extraction for domains and ip blocks
- port scanning with service detection
…nd inventory
- secrets scanning across cloud provider configurations
- compliance mapping against cis benchmarks
- configuration drift detection between environments
- unified audit and inventory commands
- bump golang.org/x/net to v0.51.0 and update all dependencies
- service quota utilization checks across all regions
- baseline snapshots with point-in-time comparison and drift detection
- html report generation with charts and findings summary
- patch google.golang.org/grpc to address remote dos vulnerability
- add /verify claude code skill for automated validation
- gitignore personal configuration files
… bump deps for CVEs

─── Dependency Security Fixes ───
Bump otel/sdk v1.42.0 → v1.43.0 (CVE-2026-39883, CVE-2026-24051: PATH hijacking), go-jose/v4 v4.1.3 → v4.1.4 (CVE-2026-34986: JWE decryption panic), aws eventstream v1.7.7 → v1.7.8 (GHSA-xmrv-pmrh-hhx2: EventStream DoS). govulncheck reports zero vulnerabilities after these bumps.

─── Compliance Benchmarks ───
Add three new compliance benchmarks alongside the existing cis-aws-v3:
- cis-gcp-v2 — 17 controls: IAM, logging, networking, storage, Cloud SQL, Pub/Sub
- cis-azure-v2 — 18 controls: IAM, Defender, storage, databases, logging, networking, Key Vault, App Service
- soc2 — 18 controls mapping Trust Services Criteria (CC6, CC7, A1, C1, P6) to matlock findings. Process-level criteria (CC1-CC5, CC8-CC9) are marked NOT_EVALUATED with explanations.

Refactored evaluateControl to dispatch by benchmark ID before control ID. Different benchmarks reuse the same control IDs with different semantics (e.g. CIS AWS 3.1 = CloudTrail, CIS GCP 3.1 = firewall rules) — the two-level dispatch prevents silent misrouting. Added evalCerts helper for certificate expiry evaluation used by CIS Azure 8.1 and SOC 2 A1.2.

─── Inventory Expansion ───
- AWS: +4 resource types — rds:db, ecs:cluster, elb:loadbalancer, iam:role
- GCP: +3 resource types — cloudsql:instance, gke:cluster, cloudrun:service
- Azure: improved classification — Redis, AKS/managed clusters, Key Vault, Service Bus, Event Hub now map to correct ResourceKind values

─── Drift Detection Expansion ───
- AWS: +3 types — aws_instance (instance_type, key_name), aws_db_instance (instance_class, engine_version, multi_az, deletion_protection), aws_lb (load_balancer_type, internal)
- GCP: +3 types — google_compute_instance (machine_type), google_sql_database_instance (database_version, tier), google_container_cluster (min_master_version, node_version)
- Azure: +2 types — azurerm_virtual_machine (vm_size, location), azurerm_key_vault (sku_name, location)
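The benchmark-first dispatch the commit above describes, as an added Go example that is not the project's code: the Finding and ControlResult types, the issue names, the 30-day certificate threshold and the registry shape are assumptions made for illustration. It registers CIS AWS 3.1 (CloudTrail) and CIS GCP 3.1 (firewall rules) under the same control ID and shares one evalCerts evaluator between CIS Azure 8.1 and SOC 2 A1.2, then shows the misrouting a control-ID-only registry produces: the AWS CloudTrail finding reports PASS because the lookup lands on the GCP firewall evaluator, while the two-level lookup reports FAIL and returns an error for unknown benchmark/control pairs instead of guessing.

```go
package main

import (
	"fmt"
	"time"
)

// Finding is a simplified, hypothetical scan result; the project's real type is not on the page.
type Finding struct {
	Domain   string // "logging", "network", "certs"
	Resource string
	Issue    string
	Expiry   time.Time // used only when Domain == "certs"
}

// ControlResult is the outcome of evaluating one benchmark control.
type ControlResult struct {
	Benchmark string
	Control   string
	Status    string // "PASS" or "FAIL"
	Evidence  []string
}

type evalFunc func(benchmark, control string, findings []Finding) ControlResult

// flatRegistry is keyed by control ID alone. CIS AWS 3.1 and CIS GCP 3.1
// collide here: whichever registers last silently wins for both benchmarks.
var flatRegistry = map[string]evalFunc{}

// registry is the two-level layout: benchmark ID first, then control ID.
var registry = map[string]map[string]evalFunc{}

func register(benchmark, control string, fn evalFunc) {
	if registry[benchmark] == nil {
		registry[benchmark] = map[string]evalFunc{}
	}
	registry[benchmark][control] = fn
	flatRegistry[control] = fn // kept only to demonstrate the misrouting
}

// failIf marks the control FAIL when any finding matches domain and issue.
func failIf(benchmark, control, domain, issue string, findings []Finding) ControlResult {
	r := ControlResult{Benchmark: benchmark, Control: control, Status: "PASS"}
	for _, f := range findings {
		if f.Domain == domain && f.Issue == issue {
			r.Status = "FAIL"
			r.Evidence = append(r.Evidence, f.Resource+": "+f.Issue)
		}
	}
	return r
}

// CIS AWS 3.1: CloudTrail enabled in all regions (the issue name is assumed).
func evalCloudTrail(b, c string, fs []Finding) ControlResult {
	return failIf(b, c, "logging", "cloudtrail-not-multi-region", fs)
}

// CIS GCP 3.1: no firewall rule allowing ingress from 0.0.0.0/0 (the issue name is assumed).
func evalFirewall(b, c string, fs []Finding) ControlResult {
	return failIf(b, c, "network", "ingress-from-anywhere", fs)
}

// evalCerts is shared by CIS Azure 8.1 and SOC 2 A1.2: a certificate
// expiring within 30 days of now fails the control.
func evalCerts(now time.Time) evalFunc {
	return func(b, c string, fs []Finding) ControlResult {
		r := ControlResult{Benchmark: b, Control: c, Status: "PASS"}
		for _, f := range fs {
			if f.Domain == "certs" && f.Expiry.Sub(now) < 30*24*time.Hour {
				r.Status = "FAIL"
				r.Evidence = append(r.Evidence, fmt.Sprintf("%s expires %s", f.Resource, f.Expiry.Format("2006-01-02")))
			}
		}
		return r
	}
}

// evaluateControl resolves the benchmark before the control and returns an
// error for unknown IDs instead of falling through to another benchmark's evaluator.
func evaluateControl(benchmark, control string, findings []Finding) (ControlResult, error) {
	controls, ok := registry[benchmark]
	if !ok {
		return ControlResult{}, fmt.Errorf("evaluate %s/%s: unknown benchmark", benchmark, control)
	}
	fn, ok := controls[control]
	if !ok {
		return ControlResult{}, fmt.Errorf("evaluate %s/%s: unknown control", benchmark, control)
	}
	return fn(benchmark, control, findings), nil
}

func init() {
	now := time.Date(2026, 1, 15, 0, 0, 0, 0, time.UTC) // fixed clock so the example is deterministic
	register("cis-aws-v3", "3.1", evalCloudTrail)
	register("cis-gcp-v2", "3.1", evalFirewall)
	register("cis-azure-v2", "8.1", evalCerts(now))
	register("soc2", "A1.2", evalCerts(now))
}

func main() {
	// Constructed AWS findings: one single-region trail and no network findings at all.
	aws := []Finding{{Domain: "logging", Resource: "trail/main", Issue: "cloudtrail-not-multi-region"}}

	flat := flatRegistry["3.1"]("cis-aws-v3", "3.1", aws) // runs evalFirewall: wrong evaluator
	fmt.Println("flat dispatch:", flat.Status)             // PASS, a silent false negative

	r, err := evaluateControl("cis-aws-v3", "3.1", aws)
	fmt.Println("two-level dispatch:", r.Status, r.Evidence, err) // FAIL [trail/main: ...] <nil>

	_, err = evaluateControl("cis-aws-v3", "8.1", nil)
	fmt.Println("unknown control:", err)
}
```

The point of returning an error from evaluateControl rather than a NOT_EVALUATED result is that a typo in a benchmark file fails loudly at first use; a silent fallback would reproduce exactly the misrouting the nested map was introduced to prevent.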
Phase 1 — coherence pass. Remove the probe OSINT command (out-of-scope for
cloud hygiene), sync CLAUDE.md and README to the actual 17-command surface,
wrap bare return-nil-err sites in internal/cloud/azure/ per the documented
fmt.Errorf("context: %w", err) convention.
Phase 2 — provider testability. Extract narrow per-domain SDK interfaces
across all 36 provider files (aws, gcp, azure). Production wires concrete
SDK clients; tests inject hand-written mocks per CLAUDE.md.
internal/cloud/aws: 0% → 84.9%
internal/cloud/gcp: 0% → 70.2%
internal/cloud/azure: 0% → 65.3%
internal/output: 1.2% → 76.5%
module total: ~30% → 58.3%
Adds tests for previously-untested internal/cloud, internal/config,
internal/cost, and output renderers. CI workflow gains -coverprofile,
a 50% coverage floor, and a separate golangci-lint job (pinned to v2.7.0
via golangci-lint-action@v7, configured for Go 1.25 semantics via
.golangci.yml; lint is non-blocking until a Go-1.26-built release ships).
Hygiene also bundled in:
- fix(gcp): cost-test mock anchors on >= 'DATE' to avoid date-overlap
ambiguity under Go's randomized map iteration
- chore: clear all open dependabot alerts — grpc CVE-2026-33186 CRITICAL,
jose v4 CVE-2026-34986 HIGH, otel/sdk CVE-2026-39883 + -24051 HIGH,
plus three aws-sdk-go-v2 MEDIUM patches
- chore: relicense from MIT to Apache 2.0 — NOTICE file added per § 4(d)
No production behavior changes beyond probe removal, error wrapping, and
the license switch.
… audit

Four independent additions completing Phase 3 of the maintenance plan.

* matlock audit --sink: Slack, PagerDuty, and generic webhook notifications delivered after each audit run. Best-effort (one bad sink doesn't block the others); PagerDuty only fires when the digest contains at least one critical or high finding, to avoid alert fatigue.
* matlock k8s rbac: new Kubernetes domain. Scans cluster-scoped ClusterRoles and ClusterRoleBindings for wildcard verbs/resources, dangerous verbs on wildcard resources, and bindings to broad subject groups (system:authenticated, system:masters). Built on k8s.io/client-go (new dep); skips built-in default ClusterRoles so output focuses on user-introduced risk.
* matlock network audit --fix + matlock remediate: emit shell remediation scripts per provider, either inline during a scan or from a saved JSON report. Mirrors and extends the existing storage audit --fix. Unlocks the offline "scan -> review -> apply" workflow CI pipelines want.
* matlock lambda audit: scan AWS Lambda resource-based policies for Principal:"*" (public invoke), cross-account principals, service principals without aws:SourceAccount condition (confused-deputy risk), and wildcard actions. Complements the identity-based IAM scan with resource-based policy analysis.

Adds k8s.io/client-go, k8s.io/api, and k8s.io/apimachinery at v0.36.1 to support the Kubernetes domain.
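The four Lambda resource-policy checks listed in the commit above, written as an added Go example rather than the project's own implementation. It parses the policy document string that `aws lambda get-policy` returns in its Policy field (the Statement shape is standard IAM; the Finding type, the severities and the sample policy with made-up account IDs are assumptions for illustration), handles Principal and Action being either a string or a list, and treats aws:SourceArn as an acceptable alternative to aws:SourceAccount for scoping service principals, which is my choice rather than something the page states.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement keeps the fields the checks need; Principal and Action stay raw (string or list).
type Statement struct {
	Sid, Effect string
	Principal   json.RawMessage
	Action      json.RawMessage
	Condition   map[string]map[string]json.RawMessage
}

// Finding is a hypothetical result type, not the project's.
type Finding struct{ Sid, Severity, Issue string }

// stringOrList decodes "x" or ["x", "y"] into a slice; anything else yields nil.
func stringOrList(raw json.RawMessage) []string {
	var s string
	if json.Unmarshal(raw, &s) == nil {
		return []string{s}
	}
	var list []string
	_ = json.Unmarshal(raw, &list)
	return list
}

// principals returns the AWS and Service principals; a bare "*" comes back as AWS "*".
func principals(raw json.RawMessage) (aws, service []string) {
	var star string
	if json.Unmarshal(raw, &star) == nil {
		return []string{star}, nil
	}
	var m map[string]json.RawMessage
	_ = json.Unmarshal(raw, &m)
	return stringOrList(m["AWS"]), stringOrList(m["Service"])
}

// accountOf returns the account field of an IAM ARN, or the value itself for a bare account ID.
func accountOf(p string) string {
	if parts := strings.Split(p, ":"); parts[0] == "arn" && len(parts) > 4 {
		return parts[4]
	}
	return p
}

// hasSourceScope reports whether a condition pins the calling service to a source account or ARN.
func hasSourceScope(cond map[string]map[string]json.RawMessage) bool {
	for _, keys := range cond {
		for k := range keys {
			if l := strings.ToLower(k); l == "aws:sourceaccount" || l == "aws:sourcearn" {
				return true
			}
		}
	}
	return false
}

// AuditLambdaPolicy parses a function's resource-based policy and reports public invoke,
// cross-account principals, unscoped service principals and wildcard actions.
func AuditLambdaPolicy(doc, ownAccount string) ([]Finding, error) {
	var p struct{ Statement []Statement }
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, fmt.Errorf("parse lambda policy: %w", err)
	}
	var out []Finding
	for _, s := range p.Statement {
		if s.Effect != "Allow" {
			continue
		}
		for _, a := range stringOrList(s.Action) {
			if strings.HasSuffix(a, "*") {
				out = append(out, Finding{s.Sid, "HIGH", "wildcard action " + a})
			}
		}
		aws, services := principals(s.Principal)
		for _, a := range aws {
			switch {
			case a == "*" && len(s.Condition) == 0:
				out = append(out, Finding{s.Sid, "CRITICAL", "Principal \"*\" with no condition: public invoke"})
			case a == "*":
				out = append(out, Finding{s.Sid, "MEDIUM", "Principal \"*\" gated only by a condition; review it"})
			case accountOf(a) != ownAccount:
				out = append(out, Finding{s.Sid, "HIGH", "cross-account principal " + a})
			}
		}
		for _, svc := range services {
			if !hasSourceScope(s.Condition) {
				out = append(out, Finding{s.Sid, "HIGH", "service principal " + svc + " without aws:SourceAccount (confused deputy)"})
			}
		}
	}
	return out, nil
}

// samplePolicy is a constructed document; account IDs are made up and the Resource
// element is left out because none of the checks inspect it.
const samplePolicy = `{"Statement": [
 {"Sid": "PublicInvoke", "Effect": "Allow", "Principal": "*", "Action": "lambda:InvokeFunction"},
 {"Sid": "S3Unscoped", "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
  "Action": "lambda:InvokeFunction"},
 {"Sid": "S3Scoped", "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
  "Action": "lambda:InvokeFunction", "Condition": {"StringEquals": {"aws:SourceAccount": "111111111111"}}},
 {"Sid": "Partner", "Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
  "Action": ["lambda:*"]}]}`

func main() {
	findings, err := AuditLambdaPolicy(samplePolicy, "111111111111")
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-8s %-11s %s\n", f.Severity, f.Sid, f.Issue)
	}
}
```

Principal "*" combined with a Condition is reported at lower severity rather than suppressed: a key such as aws:PrincipalOrgID narrows the grant, but it still deserves a look. The S3Scoped statement is the negative case, and the only statement in the sample that produces no finding.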
The brews block in .goreleaser.yaml still said "MIT" after the relicense went in. goreleaser generates the homebrew formula's license field from this, so without the fix our v1.0.0 tap formula would have shipped with a stale license string. Verified locally via: goreleaser release --snapshot --clean --skip=publish which produced dist/homebrew/Formula/matlock.rb with license "Apache-2.0".
The tool's name no longer obscures what it does. "matlock" was a detective reference; the actual coverage — IAM, cost, orphans, storage, network, certs, tags, secrets, compliance, drift, inventory, quotas, RBAC, remediation across AWS/GCP/Azure/k8s — is cloud governance. The new name signals the category and reads cleanly with every subcommand (`cloudgov iam scan`, `cloudgov cost diff`, `cloudgov audit`).

The repo was transferred from `stxkxs/matlock` to `nanohype/cloudgov` so it sits alongside the rest of the nanohype org repos. GitHub serves the old URL via redirect.

─── Module + binary ───
- go.mod: module path → github.com/nanohype/cloudgov
- All 178 Go files: imports rewritten under the new module path
- cmd/root.go: cobra Use → "cloudgov", help text updated
- Taskfile.yml: BINARY var + LDFLAGS module paths
- .goreleaser.yaml: project_name, id, binary, ldflag paths, archives, brews block (owner nanohype, name cloudgov, system test target)
- .gitignore: build artifact name → cloudgov

─── User-visible identifiers ───
- internal/config: config file `.cloudgov.yaml`, env prefix CLOUDGOV_*, baseline storage path `~/.cloudgov/baselines/`
- internal/output/sarif: SARIF tool Name + InformationURI
- internal/output/sinks/webhook: User-Agent header → "cloudgov-sink"
- internal/output/sinks/pagerduty: dedup key prefix + group field
- internal/report: all report Title strings → "CloudGov X Report"

─── Docs ───
- README.md: title, install commands (brew/go install/curl), all `cloudgov <cmd>` examples, release URLs, ~/.cloudgov baseline path
- CLAUDE.md, CONTRIBUTING.md: module path + import examples
- LICENSE, NOTICE: copyright holder → nanohype

─── Tests ───
- internal/output/sinks/sinks_test.go: Source string assertions
- internal/report/report_test.go: title assertions
- Full suite passes under the new module path
Summary
- `matlock` to `cloudgov` to match what the tool actually does (cloud governance across IAM, cost, compliance, drift, inventory, posture).
- `stxkxs/matlock` to `nanohype/cloudgov`; GitHub serves the old URL via redirect.
Test plan
- `go mod tidy` clean
- `go build ./...`
- `go test ./...` — all packages pass under new module path
- `./cloudgov --help` shows the new binary name and all subcommands
- `./cloudgov audit --help`, `./cloudgov iam scan --help` work
- `rg -i 'matlock|stxkxs'` returns zero hits outside `.git/`
Follow-ups
- … (`nanohype/homebrew-tap`) formula rewritten in a separate PR.
- … (`/Users/bs/codes/matlock` → `/Users/bs/codes/nanohype/cloudgov`) happens after merge.