Skip to content

Slashfile

The .cloudslash.yaml project file tells CloudSlash which providers to scan, which policies to enforce, and which resources to exempt. It is discovered like go.mod: by walking up from the current directory.


File Resolution

CloudSlash searches for .cloudslash.yaml starting from the current working directory, walking up parent directories until it finds one or reaches the filesystem root.

my-project/
├── infra/
│   └── terraform/          ← CWD: cs scan runs here
├── .cloudslash.yaml         ← Found! Used for this project
└── ...

Priority order (highest wins): 1. CLI flags (--region, --fail-on, etc.) 2. Environment variables (CLOUDSLASH_REGION, etc.) 3. Project Slashfile (.cloudslash.yaml in CWD or parent) 4. Global config (~/.cloudslash/config.yaml) 5. Built-in defaults

Schema

# .cloudslash.yaml
version: "1.0"

# ── Cloud Providers ──────────────────────────────────────────────────
providers:
  aws:
    enabled: true
    regions: ["us-east-1", "eu-west-1"]
  gcp:
    enabled: true
    project_id: "my-gcp-project"
  azure:
    enabled: false
    subscription_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  linode:
    enabled: true
    # Token via env: LINODE_TOKEN

# ── Engine Configuration ─────────────────────────────────────────────
engine:
  mode: "scan"                    # "scan" | "daemon" | "ci"
  idle_threshold_hours: 48        # Flag resources idle for this long
  max_concurrency: 10             # Parallel scan workers
  fail_on: "critical"             # Exit non-zero on: "critical" | "warning" | "none"
  sandbox_verification: false     # Future: LocalStack dry-run

# ── AI (DEVI) ────────────────────────────────────────────────────────
ai:
  provider: "ollama"              # "ollama" | "openai" | "anthropic" | "gemini"
  model: "llama3.1"
  endpoint: "http://localhost:11434"
  # API keys via env vars: OPENAI_API_KEY, ANTHROPIC_API_KEY, GEMINI_API_KEY

# ── Policy Packs ─────────────────────────────────────────────────────
policies:
  - source: "registry.cloudslash.dev/security/pci-dss"
    version: "~> 2.0"
    enforce: true
  - source: "./policies/custom-rules.cel.yaml"
  - source: "registry.cloudslash.dev/finops/aws-cost-killers"
    version: "1.2.0"
    enforce: false    # Warn only, don't block

# ── Exemptions ───────────────────────────────────────────────────────
exemptions:
  - id: "prod-database"
    resource_types: ["AWS::RDS::DBInstance"]
    tags:
      environment: "production"
      data_class: "critical"
    ignore_policies: ["cost-killers.idle-rds"]
    reason: "Critical production database: requires instant access for disaster recovery"
    approved_by: "@security-team"
    expires: "2027-01-01"

  - id: "staging-cluster"
    crns: ["crn:devi:aws:us-east-1:*"]
    ignore_policies: ["cost-killers.*"]
    reason: "US-East staging: cost policies disabled during load testing"
    approved_by: "@platform-team"
    expires: "2026-06-30"

# ── GitHub App ───────────────────────────────────────────────────────
github:
  app_id: 123456
  installation_id: 78901234
  private_key_path: "~/.cloudslash/github-app.pem"
  webhook_secret: "$CLOUDSLASH_GITHUB_WEBHOOK_SECRET"

# ── Notifications ────────────────────────────────────────────────────
notifications:
  slack:
    webhook_url: "https://hooks.slack.com/services/T.../B.../xxx"
    channel: "#infra-alerts"

# ── State Backend ────────────────────────────────────────────────────
backend:
  type: "local"           # "local" | "s3"
  # s3:
  #   bucket: "cloudslash-state"
  #   key: "production/app.cloudslash.state"
  #   region: "us-east-1"

Field Reference

version

Type Required Default
string No "1.0"

Schema version. Currently only "1.0" is supported.

providers

Map of cloud provider configurations. Each key is a provider name.

Field Type Description
enabled bool Whether to scan this provider
regions []string AWS regions to scan (first is default)
project_id string GCP project ID
subscription_id string Azure subscription ID
token string API token (prefer env vars instead)

engine

Field Type Default Description
mode string "scan" Operating mode
idle_threshold_hours int 48 Hours before a resource is flagged as idle
max_concurrency int 10 Parallel worker goroutines
fail_on string "none" CI gate threshold
sandbox_verification bool false Future: dry-run in LocalStack

ai

Field Type Default Description
provider string "ollama" LLM provider
model string "" Model name
endpoint string "http://localhost:11434" API endpoint (Ollama/custom)

Security: API keys are NEVER stored in the Slashfile. Use environment variables.

policies

Field Type Description
source string Local path or registry URL
version string Semver constraint (for registry packs)
enforce bool true = block, false = warn only

exemptions

Field Type Description
id string Unique identifier for this exemption
resource_types []string Resource types to match (e.g. AWS::EC2::Instance)
crns []string Exact CRNs or wildcard patterns (e.g. crn:devi:aws:us-east-1:*)
tags map ALL tags must match (AND logic)
ignore_policies []string Policy IDs to bypass. Supports * glob (e.g. cost-killers.*)
reason string Why this exemption exists
approved_by string Who approved it
expires string Expiry date (YYYY-MM-DD). Expired exemptions are ignored

github

Field Type Description
app_id int GitHub App ID
installation_id int Installation ID for your org/user
private_key_path string Path to the .pem private key
webhook_secret string Webhook secret. Supports $ENV_VAR references

notifications.slack

Field Type Description
webhook_url string Slack incoming webhook URL
channel string Channel to post to

backend

Field Type Default Description
type string "local" State storage: "local" or "s3"
s3.bucket string : S3 bucket for shared state
s3.key string : S3 object key prefix
s3.region string : S3 bucket region

Generate a Slashfile

cs init

The init wizard detects your cloud credentials and generates a .cloudslash.yaml in your current directory with sensible defaults.