Skip to content

title: CloudSlash - CLI Commands Reference description: Complete reference for the cloudslash CLI. All commands are also available via the cs shorthand alias: both names are interchangeable. The binary accepts con...


CLI Commands

Complete reference for the cloudslash CLI. All commands are also available via the cs shorthand alias: both names are interchangeable.

# These are identical:
cloudslash scan --format=sarif
cs scan --format=sarif

Global Execution Environment

The binary accepts configuration overrides via environment variables matching the CLOUDSLASH_* prefix. Environment variables supersede config.yaml values. CLI flags supersede environment variables.

Variable Purpose
CLOUDSLASH_CONFIG_PATH Override default config path (~/.cloudslash/config.yaml)
CLOUDSLASH_AI_MODEL Active AI model (e.g., gemini-2.5-flash)
CLOUDSLASH_AI_KEY API key for the configured AI provider
CLOUDSLASH_DAEMON_URL Override daemon HTTP endpoint (default: http://localhost:8080)
CLOUDSLASH_TELEMETRY Set to 0 or false to disable all anonymous telemetry: no network call is made

Command Glossary

scan

Executes the stateless shift-left infrastructure scanner. Constructs the full Devi graph, applies heuristics, evaluates CEL policies, runs formal verification, and renders findings in the specified output format. Supports Terraform plan diff scanning via --plan for true pre-merge analysis.

cs scan [flags]
Flag Type Definition
--format ENUM Output serialization: table, json, github-pr, sarif, github-actions. Default: table.
--fail-on ENUM Exit code gate threshold: critical, warning, none. Default: none.
--timeout duration Maximum scan execution window (e.g., 5m, 30s). Default: 10m.
--output path Write serialized output to filesystem path instead of stdout.
--plan path Path to Terraform plan JSON (terraform show -json tfplan.out). Restricts analysis to planned resource changes only.
--region string AWS region target (e.g., us-east-1).
--rules path Absolute path to the CEL expression .yaml injection.

Signal Handling

  • SIGTERM / SIGINT: Await in-flight scanner completion; flush output buffer; exit.

Credential Fallback

When cloud provider credentials are absent, the scanner automatically degrades to mock static analysis mode. No explicit --mock flag is required for CI environments where secrets may not be configured.

Terraform Plan Scanning

When --plan is specified, the engine parses the JSON plan file to extract resource_changes[] and constructs a targeted graph containing only resources being created, modified, or destroyed. Heuristics, CEL policies, and formal verification execute against this scoped graph.

terraform plan -out=tfplan.out
terraform show -json tfplan.out > tfplan.json
cs scan --plan=tfplan.json --format=sarif --output=results.sarif --fail-on=critical

Exit Codes

Code Meaning
0 All findings below --fail-on threshold
1 Findings exceed threshold (CI gate failure)

init

Interactive setup wizard. Detects cloud credentials, provisions the graph store, configures AI, and optionally starts the daemon.

cs init [flags]
Flag Type Definition
--non-interactive boolean Skip all prompts; read from environment variables only.
--skip-daemon boolean Skip background daemon startup (useful for CI or containers).
--skip-tui boolean Don't launch the terminal dashboard after initialization.

The wizard runs these steps:

  1. System diagnostics (preflight checks)
  2. Cloud credential scan (AWS, GCP, Azure, Kubernetes)
  3. Graph store and state backend provisioning
  4. AI provider detection (Ollama auto-detect)
  5. Daemon startup
  6. Slashfile generation (.cloudslash.yaml)
  7. Summary with next steps

daemon

Instantiates the continuous evaluation loop binding the Devi solver, Swarm AIMD orchestrator, and Web UI HTTP server.

cs daemon [flags]
Flag Type Definition
--mock boolean Bypass physical APIs; inject synthetically generated graph nodes for isolated evaluations.
--interval duration Cycle interval for heuristic calculation vectors (e.g., 5m).
--region string Cloud region target (e.g., us-east-1).
--all-profiles boolean Scan all AWS CLI profiles.
--rules string Absolute path to the CEL expression .yaml injection.
--history-url URL S3 URL for shared scan history (s3://bucket/key).
--slack-webhook URL Slack incoming webhook for notifications.
--otel-endpoint URL Target telemetry ingestion endpoint (e.g., http://jaeger:4318).
--json boolean Format stdout streams using structured serialized JSON.
--verbose boolean Enable debug/matrix mode logging.

Signal Handling

  • SIGTERM / SIGINT: Await in-flight Saga termination; drain HTTP connections; execute zero-exit.
  • SIGHUP: Trigger config.yaml hot-reload without graph suspension.

tui

Attaches the Terminal UI matrix to the active UNIX domain socket. Renders a Bloomberg-style quad-pane layout with real-time sparkline visualizations and engine-computed verdict distributions.

cs tui [flags]

Key Bindings

Key Action
1-4 Switch workspace (DEVI / Topology / s.a.u / Command)
Tab Cycle focus between quadrant panes
j / k Navigate down / up in lists
Enter Select node / execute topology action / execute s.a.u revert
Y Approve remediation for selected node
N Reject remediation for selected node
D Toggle zoom on remediation diff pane
R Quick-release node from s.a.u block (in s.a.u workspace)
z Zoom focused pane to fullscreen
Esc Exit zoom / close sub-view
Ctrl+F Open node search/filter bar
/ Open DEVI AI prompt bar
q Quarantine selected node
p Preview Terraform remediation plan
e Open Egress Calculator (in Topology workspace)
t Toggle s.a.u enforcement mode
m Open AI model picker (in Command workspace)
s Save config + hot-reload (in Command workspace)
f / F Force sync (trigger immediate Swarm reconciliation)
Ctrl+C Quit

config

Interactive configuration wizard. Walk through provider selection, API key entry, and model selection in a guided TUI flow.

cs config

The wizard steps:

  1. Provider selection: Choose from Ollama (local, free, private), OpenAI, Anthropic, Gemini, Groq, or a custom endpoint.
  2. API key entry: Provider-specific placeholder hints (e.g., sk-ant-... for Anthropic, AIza... for Gemini). Ollama skips this step.
  3. Model selection: Fetches the live model list from your provider. If the provider is unreachable (no API key yet), model selection is skipped: re-run cs config after setting your key.
  4. Summary: Shows the saved configuration.

Switching providers automatically clears stale settings from the previous provider (e.g., switching from Groq to Ollama removes the base_url).

Subcommands

cs config set ai.provider ollama     # Set a single value
cs config set ai.model llama3.2      # Set model directly
cs config view                       # Print the full active configuration
Subcommand Definition
set Set a config value: cs config set <key> <value> (e.g., cs config set ai.provider ollama).
view Print the current configuration. Running cs config with no arguments launches interactive setup.

doctor

Runs dynamic, adaptive system diagnostics. Discovers which cloud providers, AI backends, and plugins are relevant to your setup and only checks those.

cs doctor           # Diagnose issues
cs doctor --fix     # Auto-repair fixable issues
Flag Type Definition
--fix bool Auto-repair detected issues where possible.

Dynamic checks include:

  • Core: data directories, config file, BadgerDB graph store
  • Daemon: socket connectivity, stale socket detection, HTTP API latency, WebSocket
  • Cloud Providers: cross-references credentials with installed plugins. Validates credentials via real CLI calls (aws sts, gcloud auth, az account, kubectl cluster-info)
  • AI Backends: checks Ollama (health), OpenAI/Anthropic/Gemini (env vars), and config.yaml
  • Plugins: lists all discovered plugins with binary paths
  • History: s.a.u state, snapshots, trend data, scan freshness

--fix can create missing directories, remove stale sockets, start the daemon, create default config, and initialize storage.


status

Quick terminal glance at infrastructure state. Falls back to snapshot data when the daemon is offline.

cs status

Displays: waste node count, projected savings, guardrail failures, drift detected, s.a.u blocked nodes, and historical delta since last scan. No flags required.


plugin

Manage provider plugins: install from the registry, scaffold new plugins, list installed, and remove them. The cs registry command has been folded into cs plugin to give you a single surface for all plugin lifecycle operations.

cs plugin search [query]        # Search the registry
cs plugin install <name>        # Install a plugin or policy
cs plugin list                  # List installed plugins and policies
cs plugin uninstall <name>      # Remove an installed plugin or policy
cs plugin create <name>         # Scaffold a new plugin project
cs plugin publish --version=v1.0.0  # Publish a plugin to GitHub Releases

Search the CloudSlash community registry for provider plugins and policy packs.

cs plugin search                  # Browse all packages
cs plugin search aws              # Search by name or keyword
cs plugin search aws --type plugin  # Plugins only
cs plugin search eks --type policy  # Policies only
Flag Type Definition
--type string Filter results: plugin or policy.

plugin install

Install a plugin or policy from the registry, or directly from a GitHub release.

cs plugin install aws                        # Install by name from registry
cs plugin install drskyle/gcp-scanner@v1.2.0 # Install directly from GitHub Releases

Plugins install to ~/.cloudslash/plugins/. Policies install to ~/.cloudslash/policies/. The daemon auto-discovers installed plugins on next restart. Policies are evaluated on next scan.

plugin list

List all installed plugins and policies, with load status.

cs plugin list

Output shows each package name, type (plugin / policy), and status (loaded if the daemon has it active, installed if present on disk but not yet active).

plugin uninstall

Remove an installed plugin or policy from disk.

cs plugin uninstall aws       # Uninstall the aws plugin
cs plugin uninstall eks-idle  # Uninstall a policy pack

After uninstalling a plugin, restart the daemon to remove it from the active scanner pool.

plugin create

Scaffold a new plugin project with the gRPC provider interface, Makefile, CQRS event-stream skeleton, and README.

cs plugin create digitalocean

Generates a complete project directory:

cloudslash-plugin-digitalocean/
├── main.go          # Provider stub with Handshake + Scan + event stream
├── go.mod           # Dependencies pre-configured
├── Makefile         # build, test, install targets
└── README.md        # Getting started + registry manifest template

After scaffolding, implement your scanners in main.go, then run make install to deploy the plugin to ~/.cloudslash/plugins/. The daemon will auto-discover it on next restart.

See Writing Custom Plugins for the full implementation guide.

plugin publish

Cross-compile a plugin for all supported platforms, generate SHA-256 checksums, create a GitHub Release with the binaries as assets, and print instructions for submitting to the community plugin index.

cs plugin publish --version=v1.0.0
cs plugin publish --version=v1.2.0 --skip-signing
cs plugin publish --version=v2.0.0 --github-token=ghp_xxx
Flag Type Definition
--version string Semver release tag, e.g. v1.0.0 (required). Must start with v.
--skip-signing boolean Skip Cosign binary signing.
--no-registry-pr boolean Skip registry submission instructions.
--github-token string GitHub personal access token (falls back to GITHUB_TOKEN env).
--platforms string Comma-separated target platforms (default: linux/amd64,linux/arm64,darwin/amd64,darwin/arm64).

Reads manifest.yaml from the current directory. Requires a clean origin git remote pointing to a GitHub repository. After the release is created, follow the printed steps to open a PR against DrSkyle/cloudslash-plugins to appear in cs plugin search.


diff

Compare infrastructure snapshots over time. Shows new waste, resolved waste, and cost delta between two scan points.

cs diff                           # Compare last two snapshots
cs diff --from=2026-04-18         # Compare specific date to latest
cs diff --from=2026-04-18 --to=2026-04-25
cs diff --list                    # List available snapshots
Flag Type Definition
--from string Starting snapshot date (YYYY-MM-DD) or file path.
--to string Ending snapshot (default: latest).
--list bool List all available snapshots with metadata.

trend

Display infrastructure cost trends using data collected from each scan.

cs trend              # Show last 30 days
cs trend --days=90    # Show 90 day view
Flag Type Definition
--days int Number of days to display (default: 30).

Renders an ASCII sparkline chart in the terminal showing waste count movement over time, with summary statistics.


report

Generate executive infrastructure reports for management, finance, or compliance teams.

cs report                             # Markdown to stdout
cs report --format=html --output=report.html
cs report --format=json --output=report.json
Flag Type Definition
--format string Output format: markdown, html, json.
--output path Write report to file instead of stdout.

Report includes: executive summary, provider breakdown, top 10 waste items, policy compliance, drift summary, and cost trend charts. HTML output uses a dark theme matching the CloudSlash brand.


upgrade

Check for and install CloudSlash updates from GitHub Releases.

cs upgrade            # Check and install with confirmation
cs upgrade --check    # Check only, don't install
cs upgrade --force    # Skip confirmation (for CI)
Flag Type Definition
--check bool Only check for updates, don't install.
--force bool Skip confirmation prompt (for CI/CD).

Downloads the correct binary for your OS/architecture, verifies it, and performs an atomic swap. Always asks for confirmation unless --force is specified.


codegen

Generate typed Go struct bindings from Terraform provider schemas. The Metagraph Compiler reads a provider schema JSON (produced by terraform providers schema -json), builds a symbol table, and emits deterministic Go source files using Jennifer. Output can be used as typed node definitions in the CloudSlash universal graph.

This is a plugin author tool: end users running cs scan do not need this command.

cs codegen --schema=aws_schema.json --output=./generated/
cs codegen --schema=gcp_schema.json --config=codegen.yaml --output=./gen/
Flag Type Definition
--schema path Path to Terraform provider schema JSON (required).
--config path Path to codegen config YAML (optional, uses defaults if omitted).
--output path Output directory for generated Go source files. Default: ./generated.

Workflow

# 1. Export the provider schema
terraform providers schema -json > aws_schema.json

# 2. Generate typed Go structs
cs codegen --schema=aws_schema.json --output=./gen/

# 3. Use generated types in your plugin
# Generated files include struct definitions, edge methods (getters),
# reference type resolvers, and trait injection.

The compiler supports:

  • Recursive AST processing for nested list(object(...)) schema types
  • Semantic Overlay for heuristic edge injection from attribute naming conventions (_id, _arn, _link)
  • Trait injection via GetTraits() method generation for known resource types
  • Cycle detection to handle schemas with circular block references

policy

Policy development and validation tools for CEL-based rules.

cs policy validate rules.yaml    # Parse + compile CEL expressions
cs policy test rules.yaml        # Dry-run against last scan snapshot
cs policy lint rules.yaml        # Check for common mistakes

validate: Checks YAML syntax, required fields (id, expression, severity), valid enum values for severity and enforcement, and balanced parentheses in CEL expressions.

test: Loads the latest graph snapshot and evaluates each rule against all nodes, showing how many nodes would be blocked, warned, or pass.

lint: Detects duplicate rule IDs, missing descriptions, very short expressions, unquoted string comparisons, and contradictory conditions.


history

Queries the persistent event audit trail stored in BadgerDB. Events survive daemon restarts and include scans, s.a.u quarantine decisions, approvals, rejections, policy changes, and pipeline movements. The command connects to the running daemon's REST API.

cs history [flags]
Flag Type Definition
--since string Show events since duration (3d, 12h, 1w) or RFC3339 timestamp. Default: all.
--type ENUM Filter by event type: SCAN_COMPLETED, s.a.u_ACTION, APPROVAL, POLICY_CHANGE, etc.
--crn string Show full lifecycle timeline for a specific resource CRN.
--limit int Maximum number of events to return. Default: 50.
--json bool Output as JSON for programmatic consumption.

Examples

# Last 50 events, table format
cs history

# Events from the last 3 days
cs history --since 3d

# Filter by s.a.u actions only
cs history --type s.a.u_ACTION

# Full timeline for a specific resource
cs history --crn aws:ec2:us-east-1:i-0abc123

# Machine-readable output for piping
cs history --json | jq '.[] | select(.status == "APPROVED")'

Data Persistence

Events are stored at ~/.cloudslash/data/eventstore/ using BadgerDB. This path is not in a cache or temp directory, so cleanup tools (CleanMyMac, Mole) will not remove it. Retention can be configured through the web dashboard Settings → Data Management or via the POST /api/v1/history/prune endpoint.


watch

Continuous scanning mode. Connects to the running daemon, triggers periodic re-scans, and streams diffs between cycles.

cs watch [flags]
Flag Type Definition
--interval duration Re-scan interval (e.g., 30s, 2m, 5m). Default: 5m.
--provider string Filter scans to a specific provider (aws, gcp, azure).
--alert-on-change boolean Only print output when infrastructure state changes.
# Re-scan every 2 minutes, only show changes
cs watch --interval 2m --alert-on-change

# Watch AWS resources only
cs watch --provider aws

Ctrl+C gracefully stops the watch loop.


revert

Undo a previous remediation using s.a.u CRDT snapshots. The revert process calls the provider plugin's Remediate RPC with the inverse action.

cs revert [remediation-id] [flags]
Flag Type Definition
--list boolean List all revertible remediations.
# List all revertible actions
cs revert --list

# Revert a specific remediation by ID
cs revert rem_2026050301

# Revert by resource CRN
cs revert crn:devi:aws:us-east-1:ec2:i-0abc123

If the daemon is not running, --list falls back to the local ledger file at ~/.cloudslash/history/ledger.json.


uninstall

Remove CloudSlash from the system. Kills the running daemon, deletes data directories, and prints instructions to remove the binary.

cs uninstall [flags]
Flag Type Definition
--force boolean Skip confirmation prompt.
--keep-config boolean Preserve config.yaml and .cloudslash.yaml Slashfile.

Removes:

  • ~/.cloudslash/devi-graph/: BadgerDB graph database
  • ~/.cloudslash/plugins/: installed plugins
  • ~/.cloudslash/policies/: policy packs
  • ~/.cloudslash/snapshots/: infrastructure snapshots
  • ~/.cloudslash/history/: s.a.u remediation history
  • .cloudslash.yaml: project Slashfile (unless --keep-config)
  • ~/.cloudslash/config.yaml: configuration (unless --keep-config)
# Keep config, remove everything else
cs uninstall --keep-config

# Non-interactive (for automation)
cs uninstall --force

login

Authenticate with CloudSlash Horizon SaaS using a browser-based OAuth flow. Opens the browser to https://app.cloudslash.dev/cli-auth for authentication. On success, a JWT session token is stored locally and valid for 24 hours with automatic renewal.

cs login

Run cs login before using any Horizon command (sync, remediate, audit). Requires a CloudSlash Horizon account.


logout

Remove the locally stored Horizon authentication token.

cs logout

Clears the session token file. Your Horizon session on the server remains valid until it naturally expires; this only prevents the CLI from using the old token without re-authenticating.


sync

Push the most recent local scan snapshot to CloudSlash Horizon. Reads ~/.cloudslash/state/latest.json (written by cs scan) and uploads it to the Horizon SaaS API so the dashboard reflects your current infrastructure state.

cs sync [flags]
Flag Type Definition
--dry-run boolean Print the payload that would be sent without actually sending it.
--api-url string Horizon API base URL (default: https://api.cloudslash.dev).

Requires an active session — run cs login first. Run cs scan to generate fresh data before syncing.

cs scan
cs login
cs sync

remediate

Execute a Horizon-generated remediation plan locally via the SAU engine. Plans can be fetched from Horizon by ID or loaded from a local JSON file. The plan includes one or more cloud resource actions (delete / resize / stop) that CloudSlash will execute in sequence and record in the audit log.

cs remediate [flags]
Flag Type Definition
--plan-id string Fetch plan from Horizon by ID (requires login).
--file path Load plan from a local JSON file instead.
--api-url string Horizon API base URL (default: https://api.cloudslash.dev).
--dry-run boolean Show blast radius but do not execute.
--force boolean Skip confirmation prompt.

Exactly one of --plan-id or --file must be set. The plan is signed with a base64 SHA256 HMAC to prevent tampering in transit.

cs remediate --plan-id=plan_abc123
cs remediate --file=./plan.json --dry-run
cs remediate --plan-id=plan_abc123 --force

approve

Approve a pending SAU remediation request from the terminal. Mirrors the Slack button — same effect, different surface. Quorum must still be reached for the remediation to proceed. A single rejection from anyone cancels the request regardless of how many approved.

cs approve <request-id> [flags]
Flag Type Definition
--reason string Optional reason to attach to the approval.
cs approve req_a3f72c91
cs approve req_a3f72c91 --reason "reviewed — safe to delete"

reject

Reject (veto) a pending SAU remediation request. A single rejection cancels the entire request regardless of how many approvals were already received.

cs reject <request-id> [flags]
Flag Type Definition
--reason string Reason for rejection (recommended for audit trail).
cs reject req_a3f72c91 --reason "this is a production database"

pending

List all pending remediation approval requests so engineers know what needs a decision. Shows request ID, resource CRN, action, quorum status, and the approve/reject commands for each pending request.

cs pending

chargeback

Generate a Finance-ready XLSX chargeback report from the last scan. Builds a three-sheet Excel workbook suitable for opening directly in Excel/Sheets — no cloud access required.

cs chargeback [flags]
Flag Type Definition
--period string Billing period (YYYY-MM). Defaults to current month.
--output path Output file path. Defaults to chargeback-YYYY-MM.xlsx in current dir.

Sheets:

  • Executive Summary — one row per team: total spend, waste, waste%, attribution coverage
  • Resource Detail — one row per resource with owner, cost, waste flag
  • Unattributed — resources with no owner for Finance follow-up

Requires an org-map.yaml at ~/.cloudslash/org-map.yaml for team attribution. Without it, all resources land in the Unattributed sheet.

cs chargeback                            # writes chargeback-YYYY-MM.xlsx
cs chargeback --period 2026-05           # specific billing period
cs chargeback --output ~/reports/q2.xlsx # custom output path

audit

M&A due-diligence cloud infrastructure audit. Produces a structured JSON report suitable for a deal dataroom, giving the acquiring company's CFO, CTO, and FinOps team a rapid, structured view of the target's infrastructure.

cs audit [flags]
Flag Type Definition
--target string Name of the company/entity being audited (required).
--output string Write JSON report to file (default: stdout).
--period-months int Months of billing history analysed (default: 3).

Report includes: total cloud spend & annualised waste opportunity, attribution coverage (how many resources have a known owner), top-20 priority remediation actions ranked by annual savings, and a plain-English executive summary for the deal memo.

cloudslash audit --target "Acme Corp"
cloudslash audit --target "Acme Corp" --period-months 6 --output acme-audit.json

Remediation Workflow

Interactive remediation (approve, reject, undo) is handled through three interfaces: all backed by the same daemon APIs:

  • TUI: Press Y to approve, N to reject, R to release from s.a.u block
  • Web UI: Drag nodes through the Kanban pipeline stages
  • API: POST /api/v1/remediation/approve, /reject, /move

For CI/CD gating, use cs scan --fail-on=critical.

IAM Permissions

Minimum IAM policies for each cloud provider are documented in the Cloud Providers reference page.