
whiterabb17/castle

Castle Open Source is as dynamic and adaptable as the environment it is meant to protect. Trusted by the leaders in security.

Learn more at castle.com

Join our Castle community!



Description

Castle is an Open Source security tool to perform AWS, Azure, Google Cloud and Kubernetes security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness, and also remediations! We have Castle CLI (Command Line Interface) that we call Castle Open Source and a service on top of it that we call Castle Cloud.

Castle App

Castle App is a web application that allows you to run Castle in your cloud provider accounts and visualize the results in a user-friendly interface.

More details at Castle App Documentation

Castle CLI

castle <provider>

Castle Dashboard

castle dashboard

Castle contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, AWS Well-Architected Framework Security Pillar, AWS Foundational Technical Review (FTR), ENS (Spanish National Security Scheme) and your custom security frameworks.

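| Provider         | Checks | Services | Compliance Frameworks | Categories |
|------------------|--------|----------|-----------------------|------------|
| AWS              | 564    | 82       | 33                    | 10         |
| GCP              | 79     | 13       | 7                     | 3          |
| Azure            | 140    | 18       | 8                     | 3          |
| Kubernetes       | 83     | 7        | 4                     | 7          |
| Microsoft365     | 5      | 2        | 1                     | 0          |
| NHN (Unofficial) | 6      | 2        | 1                     | 0          |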

You can list the checks, services, compliance frameworks and categories with castle <provider> --list-checks, castle <provider> --list-services, castle <provider> --list-compliance and castle <provider> --list-categories.

💻 Installation

Castle App

Castle App can be installed in different ways, depending on your environment:

See how to use Castle App in the Castle App Usage Guide.

Docker Compose

Requirements

Commands

curl -LO https://raw.githubusercontent.com/castle-cloud/castle/refs/heads/master/docker-compose.yml
curl -LO https://raw.githubusercontent.com/castle-cloud/castle/refs/heads/master/.env
docker compose up -d

Containers are built for linux/amd64. If your workstation's architecture is different, please set DOCKER_DEFAULT_PLATFORM=linux/amd64 in your environment or use the --platform linux/amd64 flag in the docker command. Enjoy Castle App at http://localhost:3000 by signing up with your email and password.

From GitHub

Requirements

Commands to run the API

git clone https://github.com/castle-cloud/castle
cd castle/api
poetry install
eval $(poetry env activate)
set -a
source .env
docker compose up postgres valkey -d
cd src/backend
python manage.py migrate --database admin
gunicorn -c config/guniconf.py config.wsgi:application

Important

Starting from Poetry v2.0.0, poetry shell has been deprecated in favor of poetry env activate.

If your poetry version is below 2.0.0 you must keep using poetry shell to activate your environment. In case you have any doubts, consult the Poetry environment activation guide: https://python-poetry.org/docs/managing-environments/#activating-the-environment

Now, you can access the API documentation at http://localhost:8080/api/v1/docs.

Commands to run the API Worker

git clone https://github.com/castle-cloud/castle
cd castle/api
poetry install
eval $(poetry env activate)
set -a
source .env
cd src/backend
python -m celery -A config.celery worker -l info -E

Commands to run the API Scheduler

git clone https://github.com/castle-cloud/castle
cd castle/api
poetry install
eval $(poetry env activate)
set -a
source .env
cd src/backend
python -m celery -A config.celery beat -l info --scheduler django_celery_beat.schedulers:DatabaseScheduler

Commands to run the UI

git clone https://github.com/castle-cloud/castle
cd castle/ui
npm install
npm run build
npm start

Enjoy Castle App at http://localhost:3000 by signing up with your email and password.

Castle CLI

Pip package

Castle CLI is available as a project on PyPI, so it can be installed using pip with Python > 3.9.1, < 3.13:

pip install castle
castle -v

More details at https://docs.castle.com

Containers

The available versions of Castle CLI are the following:

  • latest: in sync with master branch (bear in mind that it is not a stable version)
  • v4-latest: in sync with v4 branch (bear in mind that it is not a stable version)
  • v3-latest: in sync with v3 branch (bear in mind that it is not a stable version)
  • <x.y.z> (release): the tagged releases, which are stable versions.
  • stable: this tag always points to the latest release.
  • v4-stable: this tag always points to the latest release for v4.
  • v3-stable: this tag always points to the latest release for v3.

The container images are available here:

From GitHub

Python > 3.9.1, < 3.13 is required with pip and poetry:

git clone https://github.com/castle-cloud/castle
cd castle
eval $(poetry env activate)
poetry install
python castle-cli.py -v

Important

Starting from Poetry v2.0.0, poetry shell has been deprecated in favor of poetry env activate.

If your poetry version is below 2.0.0 you must keep using poetry shell to activate your environment. In case you have any doubts, consult the Poetry environment activation guide: https://python-poetry.org/docs/managing-environments/#activating-the-environment

If you want to clone Castle from Windows, use git config core.longpaths true to allow long file paths.

📐✏️ High level architecture

Castle App

The Castle App consists of three main components:

  • Castle UI: A user-friendly web interface for running Castle and viewing results, powered by Next.js.
  • Castle API: The backend API that executes Castle scans and stores the results, built with Django REST Framework.
  • Castle SDK: A Python SDK that integrates with the Castle CLI for advanced functionality.

Castle CLI

You can run Castle from your workstation, a Kubernetes Job, a Google Compute Engine, an Azure VM, an EC2 instance, Fargate or any other container, CloudShell and many more.

Deprecations from v3

General

  • Allowlist is now called Mutelist.
  • The --quiet option has been deprecated. Use the --status flag instead to select which finding statuses you want to get: PASS, FAIL or MANUAL.
  • Every finding status that was INFO has changed to MANUAL.
  • The CSV output format is common for all the providers.

We have deprecated some of our output formats:

  • The native JSON is replaced by JSON OCSF v1.1.0, common for all the providers.

AWS

  • The AWS flag --sts-endpoint-region is deprecated, since we use AWS STS regional tokens.
  • To send only FAILS to AWS Security Hub, now use either --send-sh-only-fails or --security-hub --status FAIL.
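
When migrating scheduled scans or CI jobs from v3, the deprecations above can be checked mechanically. The following is an added example, not code from the Castle project: the function name lint_castle_args and the sample command line are constructed here, and only the flags named in this section are covered.

```shell
#!/bin/sh
# Added example (not Castle project code): flag the v3 options that this
# README lists as deprecated in a Castle CLI command line.

# lint_castle_args ARG...
# Prints one line per finding; exit status 0 = clean, 1 = needs migration.
lint_castle_args() (
    found=0 quiet=0 sechub=0 skip=0
    for arg in "$@"; do
        # Skip the value that belongs to a flag consumed on the previous turn.
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case "$arg" in
            --quiet)
                quiet=1; found=$((found + 1))
                echo "--quiet: deprecated, select statuses with --status (PASS, FAIL, MANUAL)" ;;
            --sts-endpoint-region)
                skip=1; found=$((found + 1))
                echo "--sts-endpoint-region: deprecated, remove the flag and its value" ;;
            --sts-endpoint-region=*)
                found=$((found + 1))
                echo "--sts-endpoint-region: deprecated, remove the flag and its value" ;;
            --security-hub)
                sechub=1 ;;
        esac
    done
    # Fail-only export to Security Hub has its own spelling in this section.
    if [ "$quiet" -eq 1 ] && [ "$sechub" -eq 1 ]; then
        echo "--security-hub with --quiet: use --send-sh-only-fails or --security-hub --status FAIL"
    fi
    [ "$found" -eq 0 ]
)

# Constructed sample: a command line as it might appear in an old CI job.
lint_castle_args aws --security-hub --quiet --sts-endpoint-region eu-west-1 \
    || echo "migration needed"
```

Running the check over pipeline definitions before upgrading keeps a scan job from failing on an unknown option or silently changing which findings it exports.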

📖 Documentation

The Install, Usage, Tutorials and Developer guides are at https://docs.castle.com/

📃 License

Castle is licensed under the Apache License 2.0, as specified in each file. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
