@cloudgraph/cli v0.25.1
The GraphQL API for AWS and Azure - solve a host of complex security, compliance, and governance challenges 10x faster. Built and maintained with love by the team at ❤️ AutoCloud ❤️
🌐 Website
💰 Get paid to build CloudGraph providers
- Amazing companies using CloudGraph**
- Why CloudGraph
- How It Works
- Authentication and Permissions
- Install
- Quick Start
- Loading Previous Versions
- Supported Services
- Example Queries
- Query Tools
- Community
- Contribution Guidelines
- Deployment Options
- Hosted Version
- Debugging
- Common Errors
- Commands
Amazing companies using CloudGraph**
** usage does not imply endorsement
Why CloudGraph
Whether you're a cloud architect with 15 years of experience or someone who is just getting started on their cloud journey, there is no denying that staying on top of security, compliance, governance, FinOps, operations...etc., is challenging, time-consuming work. Even answering basic questions like, "What all is running in the us-east-1 region?", "Are my RDS clusters properly secured and compliant?", or "How much is this EKS/AKS/GKE cluster going to cost me this month?" requires both time and expertise, or expensive 3rd party software.
Not anymore
CloudGraph lets any cloud professional answer questions like, "What KMS keys do I have in us-west-2?", "How much am I paying for my environment?", and, "What resources in my production environment aren’t tagged correctly?" in the time it takes to put on the pants you should already be wearing for your next zoom meeting. Ask any question about your cloud environments, and get back answers instantly in a single place with a single standardized API, for all of your cloud providers. Here are some more examples:
How It Works
Note that CloudGraph requires READ ONLY permissions to run and as such can never mutate your actual cloud infrastructure. Additionally, none of your cloud environment information is ever sent to or shared with CloudGraph, AutoCloud, or any other third parties.
Under the hood, CloudGraph reaches out to your cloud provider(s), sucks up all of the configuration data, processes it, and stores a copy of this data for you in Dgraph. It then exposes an endpoint at http://localhost:8997 that allows you to write GraphQL Queries against your stored data. These queries not only allow you do to anything that you would do with say, the AWS SDK/CLI, but they also allow you to run much more powerful queries as well. CloudGraph ships with pre-packaged GraphQL query tools including GraphQL Playground and Altair but you can also feel free to use your own. It also includes a schema visualization tool called Voyager so you can understand relationships between entities.
Authentication and Permissions
CloudGraph currently supports AWS and Azure with GCP/K8s (and several others) coming soon. CloudGraph needs read permissions in order to ingest your data. To keep things easy you can use the same permissions that we use internally when we run CloudGraph to power AutoCloud. Here are the auth guides and details for how to generate credentials for each provider (feel free to leave out AutoCloud specific configuration):
Install
System Requirements
- Node 14+
- Docker
Use this command to install and update CloudGraph to the latest version.
npm install -g @cloudgraph/cliQuick Start
You can get up and running with three simple commands:
cg init- This initializes CloudGraph's configuration. This command will ask you a series of questions about what providers you are using and how you would like CloudGraph configured.
cg launch- This command launches an instance of Dgraph, the graphdb CloudGraph uses to store data under the hood. Note that there are 2 ways to launch an instance. BOTH of these require Docker to be installed and running. The preferred solution is to use our
cg launchconvenience command.
Note that if you do not want to use this command, for example, if you want to launch the Dgraph container in interactive mode, you can use the docker command below.
docker run -it -p 8995:5080 -p 8996:6080 -p 8997:8080 -p 8998:9080 -p 8999:8000
--label cloudgraph-cli-dgraph-standalone -v ~/dgraph:/dgraph --name dgraph dgraph/standalone:v21.03.1cg scan- Scan for cloud infrastructure for all configured providers. This command will reach out and read all of the metadata on your cloud infrastructure. Note that it is completely normal to see warnings and errors while the
cg scancommand runs, these are usually caused by permissions issues. That said, if you encounter any problematic errors running CloudGraph you can prependCG_DEBUG=5to the beginning of your command as in,CG_DEBUG=5 cg scan. This will print out the verbose logs with more information and save the output tocg-debug.log. Please share your logs with us either by opening an issue on GitHub or let us know in our Slack Workspace.
That's it, you are all set to start querying! The query tool you selected during the cg init command will then be opened in your preferred browser to run queries, mutations, and visualizations on all of your cloud infrastructure!
Note that you may also use any GraphQL query tool you would like by connecting it to http://localhost:8997/graphql.
Stopping the Dgraph instance
To stop the Dgraph instance(stop the dgraph container) run:
cg teardownAdditionally if you wish to remove the container after stopping it, run:
cg teardown --delete-imageLoading Previous Versions
CloudGraph stores as many previous versions of your data as you configured in the cg init command. In order to load and query a previous version of your data simply run the cg load command and select the version of your data you wish to inspect like so:
Supported Services
AWS
For a list of currently supported AWS services please see the AWS Provider Repo
Example Queries
Link to full documentation: https://docs.cloudgraph.dev/overview.
To use CloudGraph, you will need to be familiar with GraphQL. This section contains a handful of example queries to get you up and running but is by no means exhaustive. If you can dream it up, you can query it! Note that you can find hundreds of additional example queries in the documentation.
Basic AWS Query Syntax Examples:
To explain how CloudGraph works consider the following query that you can run to get the ID and ARN of a single EC2 instance. Note that for the purposes of these examples we will just request the IDs and ARNs of AWS resources to keep things terse, but you can query whatever attributes you want:
query {
getawsEc2(
arn: "arn:aws:ec2:us-east-1:123445678997:instance/i-12345567889012234"
) {
id
arn
}
}This query will return a JSON payload that looks like this. All of the following examples will follow suit:
{
"data": {
"getawsEc2": {
"id": "i-12345567889012234",
"arn": "arn:aws:ec2:us-east-1:123445678997:instance/i-12345567889012234"
}
},
"extensions": {
"touched_uids": 4
}
}Get the ID and ARN of each EC2 in all the AWS accounts you have scanned:
query {
queryawsEc2 {
id
arn
}
}Get the ID and ARN of all EC2 instances in one of your AWS accounts by filtering the accountId:
query {
queryawsEc2(filter: { accountId: { eq: "123456" } }) {
id
arn
}
}Get the ID and ARN of each EC2 in "us-east-1" using a regex to search the ARN:
query {
queryawsEc2(filter: { arn: { regexp: "/.*us-east-1.*/" } }) {
id
arn
}
}Do the same thing but checking to see that the region is equal to "us-east-1" instead of using a regex:
query {
queryawsEc2(filter: { region: { eq: "us-east-1" } }) {
id
arn
}
}Do the same thing but checking to see that the region contains "us-east-1" in the name instead of using eq:
query {
queryawsEc2(filter: { region: { in: "us-east-1" } }) {
id
arn
}
}Get the ID and ARN of each M5 series EC2 instance in "us-east-1"
query {
queryawsEc2(
filter: { region: { eq: "us-east-1" }, instanceType: { regexp: "/^m5a*/" } }
) {
id
arn
}
}Do the same thing but skip the first found result (i.e. offset: 1) and then only return the first two results after that (i.e. first: 2) and order those results by AZ in ascending order (order: { asc: availabilityZone }) so that instance(s) in "us-east-1a" are returned at the top of the list.
query {
queryawsEc2(
filter: { region: { eq: "us-east-1" }, instanceType: { regexp: "/^m5a*/" } }
order: { asc: availabilityZone }
first: 2
offset: 1
) {
id
arn
}
}Do the same thing but also include the EBS Volume that is the boot disk for each EC2 instance:
query {
queryawsEc2(
filter: { region: { eq: "us-east-1" }, instanceType: { regexp: "/^m5a*/" } }
order: { asc: availabilityZone }
first: 2
offset: 1
) {
id
arn
ebs(filter: { isBootDisk: true }, first: 1) {
id
arn
isBootDisk
}
}
}Do the same thing, but also include the SGs and ALBs for each EC2. For the ALBs, get the EC2s that they are connected to along with the ID and ARN of each found EC2 instance (i.e. a circular query).
query {
queryawsEc2(
filter: { region: { eq: "us-east-1" }, instanceType: { regexp: "/^m5a*/" } }
order: { asc: availabilityZone }
first: 2
offset: 1
) {
id
arn
ebs(filter: { isBootDisk: true }, first: 1) {
id
arn
isBootDisk
}
securityGroups {
id
arn
}
alb {
id
arn
ec2Instance {
id
arn
}
}
}
}Get each VPC, the ALBs and Lambdas in that VPC, and then a bunch of nested sub-data as well. Also get each S3 Bucket in us-east-1. Also get the SQS queue with an ARN of arn:aws:sqs:us-east-1:8499274828484:autocloud.fifo and check the approximateNumberOfMessages. You get the idea, CloudGraph is extremely powerful.
query {
queryawsVpc {
id
arn
alb {
id
arn
ec2Instance {
id
arn
ebs(filter: { isBootDisk: true }) {
id
arn
}
}
}
lambda {
id
arn
kms {
id
arn
}
}
}
queryawsS3(filter: { region: { eq: "us-east-1" } }) {
id
arn
}
getawsSqs(arn: "arn:aws:sqs:us-east-1:8499274828484:autocloud.fifo") {
approximateNumberOfMessages
}
}AWS security, compliance, and governance examples:
Find all the unencrypted EBS Volumes:
query {
queryawsEbs(filter: { encrypted: false }) {
id
arn
availabilityZone
encrypted
}
}Find all the public S3 Buckets:
query {
queryawsS3(filter: { access: { eq: "Public" } }) {
id
arn
access
}
}Find all the S3 Buckets that are themselves public or that can have Objects that are public in them:
query {
queryawsS3(filter: { not: { access: { eq: "Private" } } }) {
id
arn
access
}
}Find all the KMS keys in "us-east-1":
query {
queryawsKms(filter: { arn: { regexp: "/.*us-east-1.*/" } }) {
id
arn
description
keyRotationEnabled
tags {
key
value
}
}
}Find all the burstable T series instances:
query {
queryawsEc2(filter: { instanceType: { regexp: "/^t.*/" } }) {
id
arn
availabilityZone
instanceType
}
}Find the default VPCs:
query {
queryawsVpc(filter: { defaultVpc: true }) {
id
arn
defaultVpc
state
}
}Find the public ALBs:
query {
queryawsAlb(filter: { scheme: { eq: "internet-facing" } }) {
id
arn
dnsName
createdAt
tags {
key
value
}
}
}Find all of the EC2s, Lambdas, and VPCs that have a Tag value of "Production":
query {
queryawsTag(filter: { value: { eq: "Production" } }) {
key
value
ec2Instance {
id
arn
}
lambda {
id
arn
}
vpc {
id
arn
}
}
}Do the same thing but look for both a key and a value:
query {
queryawsTag(
filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
) {
key
value
ec2Instance {
id
arn
}
lambda {
id
arn
}
vpc {
id
arn
}
}
}Do the same thing using getawsTag instead of queryawsTag. Note that when searching for tags using getawsTag your must specify both the key and value as the id like is done below with "Environment:Production":
query {
getawsTag(id: "Environment:Production") {
key
value
ec2Instance {
id
arn
}
lambda {
id
arn
}
vpc {
id
arn
}
}
}AWS FinOps examples:
Note that in order to successfully ingest FinOps related data you must have the Cost Explorer API enabled in your AWS Account. You can view how to do that here
Get the total cost of your AWS Account for the last 30 days, the total cost of your AWS Account month to date, a breakdown of each service and its cost for the last 30 days, and a breakdown of each service and its cost month to date as well as the monthly and month to date average costs:
query {
queryawsBilling {
totalCostLast30Days {
cost
currency
formattedCost
}
totalCostMonthToDate {
cost
currency
formattedCost
}
monthToDate {
name
cost
currency
formattedCost
}
last30Days {
name
cost
currency
formattedCost
}
monthToDateDailyAverage {
name
cost
currency
formattedCost
}
last30DaysDailyAverage {
name
cost
currency
formattedCost
}
}
}This query will return a JSON payload that looks like this:
{
"data": {
"queryawsBilling": [
{
"totalCostLast30Days": {
"cost": 7088.87,
"currency": "USD",
"formattedCost": "$7088.87"
},
"totalCostMonthToDate": {
"cost": 7089.28,
"currency": "USD",
"formattedCost": "$7089.28"
},
"monthToDate": [
{
"name": "Amazon Relational Database Service",
"cost": 548.68,
"currency": "USD",
"formattedCost": "$548.68"
},
{
"name": "Amazon Managed Streaming for Apache Kafka",
"cost": 67.49,
"currency": "USD",
"formattedCost": "$67.49"
},
{
"name": "Amazon OpenSearch Service",
"cost": 1155.04,
"currency": "USD",
"formattedCost": "$1155.04"
}
...More Services
],
"last30Days": [
{
"name": "AWS Step Functions",
"cost": 330.20,
"currency": "USD",
"formattedCost": "$330.20"
},
{
"name": "Amazon Elastic Container Service for Kubernetes",
"cost": 194.40,
"currency": "USD",
"formattedCost": "$194.40"
},
{
"name": "AmazonCloudWatch",
"cost": 310.54,
"currency": "USD",
"formattedCost": "$310.54"
}
...More Services
],
"monthToDateDailyAverage": [
{
"name": "Amazon Relational Database Service",
"cost": 54.86,
"currency": "USD",
"formattedCost": "$54.86"
},
{
"name": "Amazon Managed Streaming for Apache Kafka",
"cost": 6.74,
"currency": "USD",
"formattedCost": "$6.74"
},
{
"name": "Amazon OpenSearch Service",
"cost": 115.50,
"currency": "USD",
"formattedCost": "$115.50"
}
...More Services
],
"last30DaysDailyAverage": [
{
"name": "AWS Step Functions",
"cost": 33.01,
"currency": "USD",
"formattedCost": "$33.01"
},
{
"name": "Amazon Elastic Container Service for Kubernetes",
"cost": 19.44,
"currency": "USD",
"formattedCost": "$19.44"
},
{
"name": "AmazonCloudWatch",
"cost": 31.05,
"currency": "USD",
"formattedCost": "$31.05"
}
...More Services
],
}
]
},
"extensions": {
"touched_uids": 212
}
}Get each EC2 instance in your AWS account along with its daily cost:
query {
queryawsEc2 {
arn
dailyCost {
cost
currency
formattedCost
}
}
}This query will return a JSON payload that looks like this. All of the following examples will follow suit:
{
{
"data": {
"queryawsEc2": [
{
"arn": "arn:aws:ec2:us-east-1:12345678910:instance/i-0c8b3vhfgf8df923f",
"dailyCost": {
"cost": 2.06,
"currency": "USD",
"formattedCost": "$2.06"
}
},
{
"arn": "arn:aws:ec2:us-east-1:12345678910:instance/i-060b3dsfds7sdf62e3",
"dailyCost": {
"cost": 2.06,
"currency": "USD",
"formattedCost": "$2.06"
}
},
...More EC2 Instances
]
},
"extensions": {
"touched_uids": 28
}
}Get each NAT Gateway in your AWS account along with its daily cost:
query {
queryawsNatGateway {
arn
dailyCost {
cost
currency
formattedCost
}
}
}AWS CloudWatch example:
CloudGraph ingests your CloudWatch Metric data and stores it along with select AWS services, for example, you can do the following for EC2:
query {
queryawsEc2 {
arn
cloudWatchMetricData {
lastWeek {
cpuUtilizationAverage
networkInAverage
networkOutAverage
networkPacketsInAverage
networkPacketsOutAverage
statusCheckFailedSum
statusCheckFailedInstanceSum
statusCheckFailedSystemSum
diskReadOpsAverage
diskWriteOpsAverage
diskReadBytesAverage
diskWriteBytesAverage
}
lastMonth {
cpuUtilizationAverage
networkInAverage
networkOutAverage
networkPacketsInAverage
networkPacketsOutAverage
statusCheckFailedSum
statusCheckFailedInstanceSum
statusCheckFailedSystemSum
diskReadOpsAverage
diskWriteOpsAverage
diskReadBytesAverage
diskWriteBytesAverage
}
last6Hours {
cpuUtilizationAverage
networkInAverage
networkOutAverage
networkPacketsInAverage
networkPacketsOutAverage
statusCheckFailedSum
statusCheckFailedInstanceSum
statusCheckFailedSystemSum
diskReadOpsAverage
diskWriteOpsAverage
diskReadBytesAverage
diskWriteBytesAverage
}
last24Hours {
cpuUtilizationAverage
networkInAverage
networkOutAverage
networkPacketsInAverage
networkPacketsOutAverage
statusCheckFailedSum
statusCheckFailedInstanceSum
statusCheckFailedSystemSum
diskReadOpsAverage
diskWriteOpsAverage
diskReadBytesAverage
diskWriteBytesAverage
}
}
}
}Thinking in terms of a graph:
When you think, "in terms of a graph", you can do almost anything with CloudGraph. Say for example that you want to know what Lamba functions don't belong to a VPC (i.e. they don't leverage VPC networking). Because CloudGraph connects all resources that have relationships, such as VPC parents to their Lambda children, you are able to answer this question easily. Simply check to see what lambda functions the VPC is "connected" to, and compare that against the list of all lambda functions like so:
query {
queryawsVpc {
id
arn
lambda {
id
arn
}
}
queryawsLambda {
id
arn
}
}Limitations
Today, the biggest limitation with CloudGraph and our query abilities is we don't support nested filtering based on child attributes. So for example, as cool as it would be to do the following, it's just not possible yet:
query {
queryawsEc2(filter: { ebs: { isBootDisk: true } }) {
id
arn
ebs {
id
arn
}
}
}This is actually not a limitation of CloudGraph, but rather a feature that still needs to be implemented with Dgraph. You can view and comment on the discussion thread here
Query Tools
CloudGraph ships with 2 awesome query tools and a GraphQL schema explorer. Remember, you can use ANY GraphQL query tool if you would prefer another option, just connect it to your exposed /graphql endpoint!
GraphQL Playground
GraphQL playground has a fluid and engaging UX that is great for querying a GraphQL schema quickly and simply. It has built-in automatically generated documentation and auto-completion while you type. To access playground, either select it as your preferred query tool in the init command OR visit /playground in the server CG spins up.
Altair
Altair is another great GraphQL query tool that packs a ton of features for power users. Do things like autocomplete queries, dynamically add fragments, and export/import collections of queries. To access Altair, either select it as your preferred query tool in the init command OR visit /altair in the server CG spins up.
Voyager
GraphQL Voyager is an awesome way to explore the schema(s) for your CG providers. It gives you a great bidirectional chart containing all your types and queries. You can click entities or arrows to discover connections, search for something specific, and get a deeper understanding of your schema. To access voyager, visit /voyager in the server CG spins up.
Community
Comments, questions, or feedback? Please Join Our Slack Workspace we would love to hear from you.
Contribution Guidelines
If you're interested in contributing to CloudGraph please check out our Contribution Guidelines.
Deployment Options
You can either run CloudGraph locally, or you can deploy it to your cloud provider of choice. Terraform modules and guides for cloud deployments are coming soon!
Hosted Version
Interested in a fully managed SaaS/self hosted version of CloudGraph that has built in 3D visualization capabilities, automated scans, and hundreds of additional compliance checks? Check out AutoCloud for more details.
Debugging
If you encounter any errors running CloudGraph you can prepend CG_DEBUG=5 to the beginning of your command as in, CG_DEBUG=5 cg scan. This will print out the verbose logs with more information that you can then use to either open an issue on GitHub or let us know in our Slack Workspace.
Common Errors
There are some common errors you may see when running CloudGraph that are usually related to permisions or connection issues.
⚠️ unable to make some connections - This warning in the scan report appears when CG tries to make a connection between two resources and is unable to do so. If you see this using one of CG's offically supported providers, please create a new issue so we can solve it. The most common cause of this error is a bug in the underlying provider's resource connection logic.
🚫 unable to store data in Dgraph - This error in the scan report appears when CG tries to insert some cloud provider data into the graph DB and it fails. Any services with this error will be unable to be queried in the GraphQL query tool. This usually happens when CG is unable to grab required data (such as an arn) for a resource due to an error when calling the provider SDK, commonly due to a lack of authorization.
Provider {name}@${version} requires cli version {version} but cli version is ${version} - This warning means you have incompatible versions of CG and the provider you are trying to use. Try updating CG
npm install -g @cloudgraphdev/cliand the provider modulecg provider updateso both are at the latest version. You can also check the proivder'spacakge.jsonto see what versions of CG support it.Manager failed to install plugin for {provider} - This error occurs when CG's plugin manager can not find the provider module you want to use. The manager searches the public NPM registry for the provider module. For offically supported providers, just pass the provider name
CG init aws. For community supported providers, you must pass the namespace as wellCG init @{providerNamespace}/{provider}
Commands
cg help [COMMAND]cg init [PROVIDER]cg launch [PROVIDER]cg load [PROVIDER]cg policy [PROVIDER]cg policy:add [PROVIDER]cg policy:install [PROVIDER]cg policy:list [PROVIDER]cg policy:remove [PROVIDER]cg policy:update [PROVIDER]cg provider [PROVIDER]cg provider:add [PROVIDER]cg provider:install [PROVIDER]cg provider:list [PROVIDER]cg provider:remove [PROVIDER]cg provider:update [PROVIDER]cg scan [PROVIDER]cg serve [PROVIDER]cg teardown [PROVIDER]
cg help [COMMAND]
display help for cg
USAGE
$ cg help [COMMAND]
ARGUMENTS
COMMAND command to show help for
OPTIONS
--all see all commands in CLISee code: @oclif/plugin-help
cg init [PROVIDER]
Set initial configuration for providers
USAGE
$ cg init [PROVIDER]
OPTIONS
-P, --policies=policies Policy Packs to execute during scan
-d, --dgraph=dgraph Set where dgraph is running (default localhost:8997)
-l, --version-limit=version-limit Limit the amount of version folders stored on the filesystem (default 10)
-p, --port=port Set port to serve query engine
-q, --query-engine=playground|altair Query engine to launch
-r, --resources
-s, --storage=dgraph Select a storage engine to use. Currently only supports Dgraph
--dev Turn on developer mode
--directory=directory Set the folder where CloudGraph will store data. (default cg)
--no-serve Set to not serve a query engine
--use-roles Set to true to use roleARNs instead of profiles for AWS credentials
EXAMPLES
$ cg init
$ cg init aws [Initialize AWS provider]
$ cg init aws -r [Specify resources to crawl]See code: src/commands/init.ts
cg launch [PROVIDER]
Launch an instance of Dgraph to store data
USAGE
$ cg launch [PROVIDER]
OPTIONS
-P, --policies=policies Policy Packs to execute during scan
-d, --dgraph=dgraph Set where dgraph is running (default localhost:8997)
-l, --version-limit=version-limit Limit the amount of version folders stored on the filesystem (default 10)
-p, --port=port Set port to serve query engine
-q, --query-engine=playground|altair Query engine to launch
-s, --storage=dgraph Select a storage engine to use. Currently only supports Dgraph
--dev Turn on developer mode
--directory=directory Set the folder where CloudGraph will store data. (default cg)
--no-serve Set to not serve a query engine
--use-roles Set to true to use roleARNs instead of profiles for AWS credentials
EXAMPLE
$ cg launchSee code: src/commands/launch.ts
cg load [PROVIDER]
Load a specific version of your CloudGraph data
USAGE
$ cg load [PROVIDER]
OPTIONS
-P, --policies=policies Policy Packs to execute during scan
-d, --dgraph=dgraph Set where dgraph is running (default localhost:8997)
-l, --version-limit=version-limit Limit the amount of version folders stored on the filesystem (default 10)
-p, --port=port Set port to serve query engine
-q, --query-engine=playground|altair Query engine to launch
-s, --storage=dgraph Select a storage engine to use. Currently only supports Dgraph
--dev Turn on developer mode
--directory=directory Set the folder where CloudGraph will store data. (default cg)
--no-serve Set to not serve a query engine
--use-roles Set to true to use roleARNs instead of profiles for AWS credentials
EXAMPLES
$ cg load [Load data for all providers configured]
$ cg load aws [Load data for AWS]See code: src/commands/load.ts
cg policy [PROVIDER]
Commands to manage policy pack modules, run $ cg policy for more info.
USAGE
$ cg policy [PROVIDER]
OPTIONS
-P, --policies=policies Policy Packs to execute during scan
-d, --dgraph=dgraph Set where dgraph is running (default localhost:8997)
-l, --version-limit=version-limit Limit the amount of version folders stored on the filesystem (default 10)
-p, --port=port Set port to serve query engine
-q, --query-engine=playground|altair Query engine to launch
-s, --storage=dgraph Select a storage engine to use. Currently only supports Dgraph
--dev Turn on developer mode
--directory=directory Set the folder where CloudGraph will store data. (default cg)
--no-serve Set to not serve a query engine
--use-roles Set to true to use roleARNs instead of profiles for AWS credentialsSee code: src/commands/policy/index.ts
cg policy:add [PROVIDER]
Add new policy packs
USAGE
$ cg policy add [PROVIDER]
OPTIONS
-P, --policies=policies Policy Packs to execute during scan
-d, --dgraph=dgraph Set where dgraph is running (default localhost:8997)
-l, --version-limit=version-limit Limit the amount of version folders stored on the filesystem (default 10)
-p, --port=port Set port to serve query engine
-q, --query-engine=playground|altair Query engine to launch
-s, --storage=dgraph Select a storage engine to use. Currently only supports Dgraph
--dev Turn on developer mode
--directory=directory Set the folder where CloudGraph will store data. (default cg)
--no-serve Set to not serve a query engine
--use-roles Set to true to use roleARNs instead of profiles for AWS credentials
EXAMPLES
$ cg policy add aws-cis-1.2.0
$ cg policy add aws-cis-1.2.0@0.12.0See code: src/commands/policy/add.ts
cg policy:install [PROVIDER]
Install policy packs based on the lock file
USAGE
$ cg policy install [PROVIDER]
OPTIONS
-P, --policies=policies Policy Packs to execute during scan
-d, --dgraph=dgraph Set where dgraph is running (default localhost:8997)
-l, --version-limit=version-limit Limit the amount of version folders stored on the filesystem (default 10)
-p, --port=port Set port to serve query engine
-q, --query-engine=playground|altair Query engine to launch
-s, --storage=dgraph Select a storage engine to use. Currently only supports Dgraph
--dev Turn on developer mode
--directory=directory Set the folder where CloudGraph will store data. (default cg)
--no-serve Set to not serve a query engine
--use-roles Set to true to use roleARNs instead of profiles for AWS credentials
EXAMPLE
$ cg policy installSee code: src/commands/policy/install.ts
cg policy:list [PROVIDER]
List currently installed policy packs and versions
USAGE
$ cg policy list [PROVIDER]
OPTIONS
-P, --policies=policies Policy Packs to execute during scan
-d, --dgraph=dgraph Set where dgraph is running (default localhost:8997)
-l, --version-limit=version-limit Limit the amount of version folders stored on the filesystem (default 10)
-p, --port=port Set port to serve query engine
-q, --query-engine=playground|altair Query engine to launch
-s, --storage=dgraph Select a storage engine to use. Currently only supports Dgraph
--dev Turn on developer mode
--directory=directory Set the folder where CloudGraph will store data. (default cg)
--no-serve Set to not serve a query engine
--use-roles Set to true to use roleARNs instead of profiles for AWS credentials
ALIASES
$ cg policy ls
EXAMPLES
$ cg policy list
$ cg policy list awsSee code: src/commands/policy/list.ts
cg policy:remove [PROVIDER]
Remove currently installed policy pack
USAGE
$ cg policy remove [PROVIDER]
OPTIONS
-P, --policies=policies Policy Packs to execute during scan
-d, --dgraph=dgraph Set where dgraph is running (default localhost:8997)
-l, --version-limit=version-limit Limit the amount of version folders stored on the filesystem (default 10)
-p, --port=port Set port to serve query engine
-q, --query-engine=playground|altair Query engine to launch
-s, --storage=dgraph Select a storage engine to use. Currently only supports Dgraph
--dev Turn on developer mode
--directory=directory Set the folder where CloudGraph will store data. (default cg)
--no-save Set to not alter lock file, just delete plugin
--no-serve Set to not serve a query engine
--use-roles Set to true to use roleARNs instead of profiles for AWS credentials
ALIASES
$ cg policy rm
$ cg policy del
EXAMPLES
$ cg policy delete
$ cg policy delete aws-cis-1.2.0
$ cg policy delete aws-cis-1.2.0 --no-saveSee code: src/commands/policy/remove.ts
cg policy:update [PROVIDER]
Update currently installed policy packs
USAGE
$ cg policy update [PROVIDER]
OPTIONS
-P, --policies=policies Policy Packs to execute during scan
-d, --dgraph=dgraph Set where dgraph is running (default localhost:8997)
-l, --version-limit=version-limit Limit the amount of version folders stored on the filesystem (default 10)
-p, --port=port Set port to serve query engine
-q, --query-engine=playground|altair Query engine to launch
-s, --storage=dgraph Select a storage engine to use. Currently only supports Dgraph
--dev Turn on developer mode
--directory=directory Set the folder where CloudGraph will store data. (default cg)
--no-serve Set to not serve a query engine
--use-roles Set to true to use roleARNs instead of profiles for AWS credentials
EXAMPLES
$ cg policy update
$ cg policy update aws-cis-1.2.0
$cg policy update aws-cis-1.2.0@0.12.0See code: src/commands/policy/update.ts
cg provider [PROVIDER]
Commands to manage provider modules, run $ cg provider for more info.
USAGE
$ cg provider [PROVIDER]
OPTIONS
-P, --policies=policies Policy Packs to execute during scan
-d, --dgraph=dgraph Set where dgraph is running (default localhost:8997)
-l, --version-limit=version-limit Limit the amount of version folders stored on the filesystem (default 10)
-p, --port=port Set port to serve query engine
-q, --query-engine=playground|altair Query engine to launch
-s, --storage=dgraph Select a storage engine to use. Currently only supports Dgraph
--dev Turn on developer mode
--directory=directory Set the folder where CloudGraph will store data. (default cg)
--no-serve Set to not serve a query engine
--use-roles Set to true to use roleARNs instead of profiles for AWS credentialsSee code: src/commands/provider/index.ts
cg provider:add [PROVIDER]
Add new providers
USAGE
$ cg provider add [PROVIDER]
OPTIONS
-P, --policies=policies Policy Packs to execute during scan
-d, --dgraph=dgraph Set where dgraph is running (default localhost:8997)
-l, --version-limit=version-limit Limit the amount of version folders stored on the filesystem (default 10)
-p, --port=port Set port to serve query engine
-q, --query-engine=playground|altair Query engine to launch
-s, --storage=dgraph Select a storage engine to use. Currently only supports Dgraph
--dev Turn on developer mode
--directory=directory Set the folder where CloudGraph will store data. (default cg)
--no-serve Set to not serve a query engine
--use-roles Set to true to use roleARNs instead of profiles for AWS credentials
ALIASES
$ cg add
EXAMPLES
$ cg provider add aws
$ cg provider add aws@0.12.0See code: src/commands/provider/add.ts
cg provider:install [PROVIDER]
Install providers based on the lock file
USAGE
$ cg provider install [PROVIDER]
OPTIONS
-P, --policies=policies Policy Packs to execute during scan
-d, --dgraph=dgraph Set where dgraph is running (default localhost:8997)
-l, --version-limit=version-limit Limit the amount of version folders stored on the filesystem (default 10)
-p, --port=port Set port to serve query engine
-q, --query-engine=playground|altair Query engine to launch
-s, --storage=dgraph Select a storage engine to use. Currently only supports Dgraph
--dev Turn on developer mode
--directory=directory Set the folder where CloudGraph will store data. (default cg)
--no-serve Set to not serve a query engine
--use-roles Set to true to use roleARNs instead of profiles for AWS credentials
ALIASES
$ cg install
EXAMPLE
$ cg provider installSee code: src/commands/provider/install.ts
cg provider:list [PROVIDER]
List currently installed providers and versions
USAGE
$ cg provider list [PROVIDER]
OPTIONS
-P, --policies=policies Policy Packs to execute during scan
-d, --dgraph=dgraph Set where dgraph is running (default localhost:8997)
-l, --version-limit=version-limit Limit the amount of version folders stored on the filesystem (default 10)
-p, --port=port Set port to serve query engine
-q, --query-engine=playground|altair Query engine to launch
-s, --storage=dgraph Select a storage engine to use. Currently only supports Dgraph
--dev Turn on developer mode
--directory=directory Set the folder where CloudGraph will store data. (default cg)
--no-serve Set to not serve a query engine
--use-roles Set to true to use roleARNs instead of profiles for AWS credentials
ALIASES
$ cg provider ls
$ cg list
$ cg ls
EXAMPLES
$ cg provider list
$ cg provider list awsSee code: src/commands/provider/list.ts
cg provider:remove [PROVIDER]
Remove currently installed provider
USAGE
$ cg provider remove [PROVIDER]
OPTIONS
-P, --policies=policies Policy Packs to execute during scan
-d, --dgraph=dgraph Set where dgraph is running (default localhost:8997)
-l, --version-limit=version-limit Limit the amount of version folders stored on the filesystem (default 10)
-p, --port=port Set port to serve query engine
-q, --query-engine=playground|altair Query engine to launch
-s, --storage=dgraph Select a storage engine to use. Currently only supports Dgraph
--dev Turn on developer mode
--directory=directory Set the folder where CloudGraph will store data. (default cg)
--no-save Set to not alter lock file, just delete plugin
--no-serve Set to not serve a query engine
--use-roles Set to true to use roleARNs instead of profiles for AWS credentials
ALIASES
$ cg remove
$ cg rm
$ cg del
$ cg provider rm
$ cg provider del
EXAMPLES
$ cg provider delete
$ cg provider delete aws
$ cg provider delete aws --no-saveSee code: src/commands/provider/remove.ts
cg provider:update [PROVIDER]
Update currently installed providers
USAGE
$ cg provider update [PROVIDER]
OPTIONS
-P, --policies=policies Policy Packs to execute during scan
-d, --dgraph=dgraph Set where dgraph is running (default localhost:8997)
-l, --version-limit=version-limit Limit the amount of version folders stored on the filesystem (default 10)
-p, --port=port Set port to serve query engine
-q, --query-engine=playground|altair Query engine to launch
-s, --storage=dgraph Select a storage engine to use. Currently only supports Dgraph
--dev Turn on developer mode
--directory=directory Set the folder where CloudGraph will store data. (default cg)
--no-serve Set to not serve a query engine
--use-roles Set to true to use roleARNs instead of profiles for AWS credentials
ALIASES
$ cg update
EXAMPLES
$ cg provider update
$ cg provider update aws
$cg provider update aws@0.12.0See code: src/commands/provider/update.ts
cg scan [PROVIDER]
Scan one or multiple providers data to be queried through Dgraph
USAGE
$ cg scan [PROVIDER]
OPTIONS
-P, --policies=policies Policy Packs to execute during scan
-d, --dgraph=dgraph Set where dgraph is running (default localhost:8997)
-l, --version-limit=version-limit Limit the amount of version folders stored on the filesystem (default 10)
-p, --port=port Set port to serve query engine
-q, --query-engine=playground|altair Query engine to launch
-s, --storage=dgraph Select a storage engine to use. Currently only supports Dgraph
--dev Turn on developer mode
--directory=directory Set the folder where CloudGraph will store data. (default cg)
--no-serve Set to not serve a query engine
--use-roles Set to true to use roleARNs instead of profiles for AWS credentials
EXAMPLES
$ cg scan
$ cg scan aws
$ cg scan aws --dgraph http://localhost:1000 [Save data in dgraph running on port 1000]
$ cg scan aws --no-serve [Do not start the query engine]See code: src/commands/scan.ts
cg serve [PROVIDER]
Serve a GraphQL query tool to query your CloudGraph data.
USAGE
$ cg serve [PROVIDER]
OPTIONS
-P, --policies=policies Policy Packs to execute during scan
-d, --dgraph=dgraph Set where dgraph is running (default localhost:8997)
-l, --version-limit=version-limit Limit the amount of version folders stored on the filesystem (default 10)
-p, --port=port Set port to serve query engine
-q, --query-engine=playground|altair Query engine to launch
-s, --storage=dgraph Select a storage engine to use. Currently only supports Dgraph
--dev Turn on developer mode
--directory=directory Set the folder where CloudGraph will store data. (default cg)
--no-serve Set to not serve a query engine
--use-roles Set to true to use roleARNs instead of profiles for AWS credentials
EXAMPLE
$ cg serveSee code: src/commands/serve.ts
cg teardown [PROVIDER]
Stops the Dgraph Docker container.
USAGE
$ cg teardown [PROVIDER]
OPTIONS
--delete-image Remove dgraph docker image after stopping it
EXAMPLES
$ cg teardown
$ cg teardown --delete-imageSee code: src/commands/teardown.ts
1 year ago
1 year ago
1 year ago
1 year ago
1 year ago
1 year ago
1 year ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago