Skip to content

Your First Scan

A scan builds the full graph, runs heuristics, evaluates policies, and produces a waste ledger. Here is what that looks like against a live account.


Cloud Credential Configuration

s.a.u needs access to your cloud provider control plane APIs. Set credentials using the standard provider chains.

AWS

export AWS_ACCESS_KEY_ID="AKIA..."
export AWS_SECRET_ACCESS_KEY="wJaL..."
export AWS_REGION="us-east-1"

Alternatively, configure the named profile in ~/.aws/credentials:

[production]
aws_access_key_id = AKIA...
aws_secret_access_key = wJaL...
region = us-east-1

Reference the profile via environment:

export AWS_PROFILE=production

GCP

export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json"
export CLOUDSDK_CORE_PROJECT="infrastructure-prod-42"

Azure

export AZURE_CLIENT_ID="..."
export AZURE_CLIENT_SECRET="..."
export AZURE_TENANT_ID="..."
export AZURE_SUBSCRIPTION_ID="..."

Executing the Analysis

Plugin Required

Before scanning, install the provider plugin for your cloud. For example: cs registry install aws. See the Installation guide for details.

cs scan bootstraps the Swarm orchestrator, ingests all cloud APIs concurrently, constructs the Universal Graph, applies heuristics, evaluates CEL policies, and runs formal verification.

cs scan --region us-east-1

The output renders a table of every discovered waste node:

╔══════════════════════════════════════════════════════╗
║                  CloudSlash Scan Results             ║
╠══════════════════════════════════════════════════════╣
║  RESOURCE ID              TYPE           COST   VERDICT  ║
║  i-0abc123def456789       ec2:instance   $347   DELETE   ║
║  vol-0ghi789jkl012345     ebs:volume     $24    FLAG     ║
║  func-legacy-processor    lambda         $0     DELETE   ║
║  rds-staging-analytics    rds:instance   $1200  RISK     ║
╠══════════════════════════════════════════════════════╣
║  Total Waste: $1,571/mo  │  4 findings  │  Gate: PASS    ║
╚══════════════════════════════════════════════════════╝

Three verdicts appear most often in a first scan: FLAG means the engine detected waste but confidence is below the DELETE threshold: review it yourself. DELETE means the engine is confident this resource is waste and recommends destruction. BLOCK means s.a.u has quarantined the resource due to a policy violation with risk score ≥80: it cannot be auto-remediated until the violation is resolved.

Interpreting Verdicts

The engine assigns verdicts by evaluating the full graph topology and engine heuristics:

Verdict Engine Meaning
CRITICAL Oracle Resource is reachable in production: requires immediate review
BLOCK s.a.u Quarantined due to policy violation (risk score ≥80)
DELETE Devi Confirmed waste: engine recommends destruction
RISK Oracle Elevated risk score (>30): lifecycle or stability concern
FLAG Devi Waste detected but below confidence threshold
PURGED s.a.u Previously remediated via the Saga pipeline

Machine-Readable Output

For programmatic consumption, specify the output format via the --format flag:

# JSON for dashboards, scripts, and APIs
cs scan --format=json --region us-east-1

# SARIF 2.1.0 for GitHub Advanced Security
cs scan --format=sarif --output=results.sarif --region us-east-1

# GitHub PR markdown for automated comments
cs scan --format=github-pr --region us-east-1

# GitHub Actions inline annotations
cs scan --format=github-actions --region us-east-1

Applying the CI Gate

The --fail-on flag configures the exit code threshold for CI/CD pipeline gating:

# Exit 1 only on critical findings
cs scan --fail-on=critical --region us-east-1

# Strict mode: exit 1 on any warning
cs scan --fail-on=warning --rules policies.yaml --region us-east-1
Exit Code Meaning
0 All findings below the --fail-on threshold
1 Findings exceed the configured threshold