DEV.co
Open-Source DevOps · projectdiscovery

cloudlist

Cloudlist is a CLI tool for discovering and listing cloud assets across multiple providers (AWS, GCP, Azure, etc.) in a unified way. It's designed for security and DevOps teams to maintain a centralized inventory of cloud infrastructure with minimal configuration.

Source: GitHub — github.com/projectdiscovery/cloudlist
1k
GitHub stars
128
Forks
Go
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryprojectdiscovery/cloudlist
Ownerprojectdiscovery
Primary languageGo
LicenseMIT — OSI-approved
Stars1k
Forks128
Open issues6
Latest releasev1.4.0 (2026-02-09)
Last updated2026-06-29
Sourcehttps://github.com/projectdiscovery/cloudlist

What cloudlist is

Written in Go, cloudlist aggregates assets from 20+ cloud providers via their native APIs, supports keyless authentication (AWS IRSA, GCP workload identity), and outputs in multiple formats (JSON, plain text). It can be used standalone or as a library and integrates with security pipelines via stdout.

Quickstart

Get the cloudlist source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/projectdiscovery/cloudlist.gitcd cloudlist# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Multi-cloud asset inventory for blue teams

Centralize discovery of compute, storage, networking, and serverless resources across AWS, GCP, Azure, and other providers without building custom integrations for each.

Attack surface management and continuous monitoring

Feed cloudlist output into security scanning pipelines to identify exposed or misconfigured cloud assets across your entire multi-cloud estate.

Infrastructure-as-Code compliance and auditing

Compare discovered assets against declared infrastructure (Terraform, Consul) to detect drift and unauthorized resources.

Implementation considerations

  • Credentials for cloud providers must be securely injected; leverage keyless auth (IRSA, workload identity) where possible to reduce credential sprawl.
  • Requires Go runtime or pre-compiled binary; integrate into CI/CD pipelines or scheduled containerized jobs (e.g., Kubernetes CronJob) for regular discovery runs.
  • Output formatting and filtering happens client-side; plan for post-processing or piping to downstream tools for large multi-cloud estates.
  • Configuration uses YAML; plan for templating or dynamic generation if you have many providers or dynamic cloud environments.
  • Test provider-specific API access and rate limits before deploying at scale; some cloud APIs have per-request or quota limitations.

When to avoid it — and what to weigh

  • You need real-time streaming or event-driven asset updates — Cloudlist is a CLI tool that runs on-demand; it does not provide webhooks, event streams, or real-time synchronization with cloud provider APIs.
  • You require complex asset relationships and dependency mapping — Cloudlist lists assets but does not model or visualize application dependencies, networking relationships, or service topology.
  • Your organization needs a fully managed SaaS solution — Cloudlist is open-source and self-hosted; you must manage credentials, execution, and operational overhead yourself.
  • You need unified asset governance and cost allocation — Cloudlist discovers assets but does not provide cost tracking, usage analytics, or governance workflows for asset lifecycle management.

License & commercial use

Licensed under MIT (OSI-approved permissive license). Permits commercial use, modification, and redistribution with attribution.

MIT license permits commercial use without restriction. No proprietary backends, cloud lock-in, or per-seat licensing. Verify compliance with your org's open-source policy and internal security review process.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Cloudlist requires cloud provider credentials (keys, tokens, service accounts). Recommendations: use keyless authentication (AWS IRSA, GCP workload identity) where possible; store credentials in secure vaults; audit and minimize IAM permissions per provider; run in isolated CI/CD environments; review provider configs before committing to version control. No known CVEs or disclosure process documented; consider responsible disclosure before deployment in high-security environments.

Alternatives to consider

Dome9 / Check Point Cloudguard

SaaS-native multi-cloud asset discovery with governance, cost tracking, and managed credential handling; higher cost and external dependency.

Lacework or Wiz

Enterprise CSPM platforms with real-time asset inventory, risk scoring, and automated remediation; overkill for asset enumeration alone.

Custom scripts using AWS CLI, gcloud, az commands

Lower overhead for small estates or single-cloud; lacks unified output, filtering, and extensibility across providers.

Software development agency

Build on cloudlist with DEV.co software developers

Assess whether cloudlist fits your asset discovery workflow. Consider deployment environment, credential management, and downstream integration needs. Start with a pilot in a non-production cluster or CI/CD environment.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

cloudlist FAQ

Does cloudlist store or cache discovered assets?
No. Cloudlist queries live APIs on each run and outputs results to stdout or file. It does not persist a database or cache.
Can I filter assets by tags, labels, or custom attributes?
Basic filtering by provider, service, and IP/hostname is built-in. Advanced filtering (tags, labels, regex) requires post-processing output via grep, jq, or custom scripts.
Does cloudlist support on-premises cloud platforms (e.g., OpenStack, Kubernetes)?
Yes; cloudlist includes providers for Kubernetes, OpenStack, Consul, and Nomad. Requires API access and appropriate credentials.
What are the API rate limits or performance implications?
Unknown from source data. Cloud provider APIs have variable rate limits; test against your environment. Cloudlist performs sequential API calls; parallelization not documented.

Custom software development services

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If cloudlist is part of your open-source devops roadmap, our team can implement, customize, migrate, and maintain it.

Evaluate Cloudlist for Your Multi-Cloud Security

Assess whether cloudlist fits your asset discovery workflow. Consider deployment environment, credential management, and downstream integration needs. Start with a pilot in a non-production cluster or CI/CD environment.