cloudlist
Cloudlist is a CLI tool for discovering and listing cloud assets across multiple providers (AWS, GCP, Azure, etc.) in a unified way. It's designed for security and DevOps teams to maintain a centralized inventory of cloud infrastructure with minimal configuration.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | projectdiscovery/cloudlist |
| Owner | projectdiscovery |
| Primary language | Go |
| License | MIT — OSI-approved |
| Stars | 1k |
| Forks | 128 |
| Open issues | 6 |
| Latest release | v1.4.0 (2026-02-09) |
| Last updated | 2026-06-29 |
| Source | https://github.com/projectdiscovery/cloudlist |
What cloudlist is
Written in Go, cloudlist aggregates assets from 20+ cloud providers via their native APIs, supports keyless authentication (AWS IRSA, GCP workload identity), and outputs in multiple formats (JSON, plain text). It can be used standalone or as a library and integrates with security pipelines via stdout.
Get the cloudlist source
Clone the repository and explore it locally.
git clone https://github.com/projectdiscovery/cloudlist.gitcd cloudlist# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Credentials for cloud providers must be securely injected; leverage keyless auth (IRSA, workload identity) where possible to reduce credential sprawl.
- Requires Go runtime or pre-compiled binary; integrate into CI/CD pipelines or scheduled containerized jobs (e.g., Kubernetes CronJob) for regular discovery runs.
- Output formatting and filtering happens client-side; plan for post-processing or piping to downstream tools for large multi-cloud estates.
- Configuration uses YAML; plan for templating or dynamic generation if you have many providers or dynamic cloud environments.
- Test provider-specific API access and rate limits before deploying at scale; some cloud APIs have per-request or quota limitations.
When to avoid it — and what to weigh
- You need real-time streaming or event-driven asset updates — Cloudlist is a CLI tool that runs on-demand; it does not provide webhooks, event streams, or real-time synchronization with cloud provider APIs.
- You require complex asset relationships and dependency mapping — Cloudlist lists assets but does not model or visualize application dependencies, networking relationships, or service topology.
- Your organization needs a fully managed SaaS solution — Cloudlist is open-source and self-hosted; you must manage credentials, execution, and operational overhead yourself.
- You need unified asset governance and cost allocation — Cloudlist discovers assets but does not provide cost tracking, usage analytics, or governance workflows for asset lifecycle management.
License & commercial use
Licensed under MIT (OSI-approved permissive license). Permits commercial use, modification, and redistribution with attribution.
MIT license permits commercial use without restriction. No proprietary backends, cloud lock-in, or per-seat licensing. Verify compliance with your org's open-source policy and internal security review process.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Cloudlist requires cloud provider credentials (keys, tokens, service accounts). Recommendations: use keyless authentication (AWS IRSA, GCP workload identity) where possible; store credentials in secure vaults; audit and minimize IAM permissions per provider; run in isolated CI/CD environments; review provider configs before committing to version control. No known CVEs or disclosure process documented; consider responsible disclosure before deployment in high-security environments.
Alternatives to consider
Dome9 / Check Point Cloudguard
SaaS-native multi-cloud asset discovery with governance, cost tracking, and managed credential handling; higher cost and external dependency.
Lacework or Wiz
Enterprise CSPM platforms with real-time asset inventory, risk scoring, and automated remediation; overkill for asset enumeration alone.
Custom scripts using AWS CLI, gcloud, az commands
Lower overhead for small estates or single-cloud; lacks unified output, filtering, and extensibility across providers.
Build on cloudlist with DEV.co software developers
Assess whether cloudlist fits your asset discovery workflow. Consider deployment environment, credential management, and downstream integration needs. Start with a pilot in a non-production cluster or CI/CD environment.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
cloudlist FAQ
Does cloudlist store or cache discovered assets?
Can I filter assets by tags, labels, or custom attributes?
Does cloudlist support on-premises cloud platforms (e.g., OpenStack, Kubernetes)?
What are the API rate limits or performance implications?
Custom software development services
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If cloudlist is part of your open-source devops roadmap, our team can implement, customize, migrate, and maintain it.
Evaluate Cloudlist for Your Multi-Cloud Security
Assess whether cloudlist fits your asset discovery workflow. Consider deployment environment, credential management, and downstream integration needs. Start with a pilot in a non-production cluster or CI/CD environment.