Slashfile
The .cloudslash.yaml project file tells CloudSlash which providers to scan, which policies to enforce, and which resources to exempt. It is discovered like go.mod: by walking up from the current directory.
File Resolution
CloudSlash searches for .cloudslash.yaml starting from the current working directory, walking up parent directories until it finds one or reaches the filesystem root.
my-project/
├── infra/
│ └── terraform/ ← CWD: cs scan runs here
├── .cloudslash.yaml ← Found! Used for this project
└── ...
Priority order (highest wins):
1. CLI flags (--region, --fail-on, etc.)
2. Environment variables (CLOUDSLASH_REGION, etc.)
3. Project Slashfile (.cloudslash.yaml in CWD or parent)
4. Global config (~/.cloudslash/config.yaml)
5. Built-in defaults
Schema
# .cloudslash.yaml
version: "1.0"
# ── Cloud Providers ──────────────────────────────────────────────────
providers:
aws:
enabled: true
regions: ["us-east-1", "eu-west-1"]
gcp:
enabled: true
project_id: "my-gcp-project"
azure:
enabled: false
subscription_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
linode:
enabled: true
# Token via env: LINODE_TOKEN
# ── Engine Configuration ─────────────────────────────────────────────
engine:
mode: "scan" # "scan" | "daemon" | "ci"
idle_threshold_hours: 48 # Flag resources idle for this long
max_concurrency: 10 # Parallel scan workers
fail_on: "critical" # Exit non-zero on: "critical" | "warning" | "none"
sandbox_verification: false # Future: LocalStack dry-run
# ── AI (DEVI) ────────────────────────────────────────────────────────
ai:
provider: "ollama" # "ollama" | "openai" | "anthropic" | "gemini"
model: "llama3.1"
endpoint: "http://localhost:11434"
# API keys via env vars: OPENAI_API_KEY, ANTHROPIC_API_KEY, GEMINI_API_KEY
# ── Policy Packs ─────────────────────────────────────────────────────
policies:
- source: "registry.cloudslash.dev/security/pci-dss"
version: "~> 2.0"
enforce: true
- source: "./policies/custom-rules.cel.yaml"
- source: "registry.cloudslash.dev/finops/aws-cost-killers"
version: "1.2.0"
enforce: false # Warn only, don't block
# ── Exemptions ───────────────────────────────────────────────────────
exemptions:
- id: "prod-database"
resource_types: ["AWS::RDS::DBInstance"]
tags:
environment: "production"
data_class: "critical"
ignore_policies: ["cost-killers.idle-rds"]
reason: "Critical production database: requires instant access for disaster recovery"
approved_by: "@security-team"
expires: "2027-01-01"
- id: "staging-cluster"
crns: ["crn:devi:aws:us-east-1:*"]
ignore_policies: ["cost-killers.*"]
reason: "US-East staging: cost policies disabled during load testing"
approved_by: "@platform-team"
expires: "2026-06-30"
# ── GitHub App ───────────────────────────────────────────────────────
github:
app_id: 123456
installation_id: 78901234
private_key_path: "~/.cloudslash/github-app.pem"
webhook_secret: "$CLOUDSLASH_GITHUB_WEBHOOK_SECRET"
# ── Notifications ────────────────────────────────────────────────────
notifications:
slack:
webhook_url: "https://hooks.slack.com/services/T.../B.../xxx"
channel: "#infra-alerts"
# ── State Backend ────────────────────────────────────────────────────
backend:
type: "local" # "local" | "s3"
# s3:
# bucket: "cloudslash-state"
# key: "production/app.cloudslash.state"
# region: "us-east-1"
Field Reference
version
| Type |
Required |
Default |
| string |
No |
"1.0" |
Schema version. Currently only "1.0" is supported.
providers
Map of cloud provider configurations. Each key is a provider name.
| Field |
Type |
Description |
enabled |
bool |
Whether to scan this provider |
regions |
[]string |
AWS regions to scan (first is default) |
project_id |
string |
GCP project ID |
subscription_id |
string |
Azure subscription ID |
token |
string |
API token (prefer env vars instead) |
engine
| Field |
Type |
Default |
Description |
mode |
string |
"scan" |
Operating mode |
idle_threshold_hours |
int |
48 |
Hours before a resource is flagged as idle |
max_concurrency |
int |
10 |
Parallel worker goroutines |
fail_on |
string |
"none" |
CI gate threshold |
sandbox_verification |
bool |
false |
Future: dry-run in LocalStack |
ai
| Field |
Type |
Default |
Description |
provider |
string |
"ollama" |
LLM provider |
model |
string |
"" |
Model name |
endpoint |
string |
"http://localhost:11434" |
API endpoint (Ollama/custom) |
Security: API keys are NEVER stored in the Slashfile. Use environment variables.
policies
| Field |
Type |
Description |
source |
string |
Local path or registry URL |
version |
string |
Semver constraint (for registry packs) |
enforce |
bool |
true = block, false = warn only |
exemptions
| Field |
Type |
Description |
id |
string |
Unique identifier for this exemption |
resource_types |
[]string |
Resource types to match (e.g. AWS::EC2::Instance) |
crns |
[]string |
Exact CRNs or wildcard patterns (e.g. crn:devi:aws:us-east-1:*) |
tags |
map |
ALL tags must match (AND logic) |
ignore_policies |
[]string |
Policy IDs to bypass. Supports * glob (e.g. cost-killers.*) |
reason |
string |
Why this exemption exists |
approved_by |
string |
Who approved it |
expires |
string |
Expiry date (YYYY-MM-DD). Expired exemptions are ignored |
github
| Field |
Type |
Description |
app_id |
int |
GitHub App ID |
installation_id |
int |
Installation ID for your org/user |
private_key_path |
string |
Path to the .pem private key |
webhook_secret |
string |
Webhook secret. Supports $ENV_VAR references |
notifications.slack
| Field |
Type |
Description |
webhook_url |
string |
Slack incoming webhook URL |
channel |
string |
Channel to post to |
backend
| Field |
Type |
Default |
Description |
type |
string |
"local" |
State storage: "local" or "s3" |
s3.bucket |
string |
: |
S3 bucket for shared state |
s3.key |
string |
: |
S3 object key prefix |
s3.region |
string |
: |
S3 bucket region |
Generate a Slashfile
The init wizard detects your cloud credentials and generates a .cloudslash.yaml in your current directory with sensible defaults.