Cloudlist is a tool for listing Assets from multiple Cloud Providers.
1k
Stars
128
Forks
6
Open issues
30
Contributors
AI Analysis
Cloudlist is a multi-cloud asset enumeration tool designed for security teams to centralize and manage cloud resources across AWS, GCP, Azure, and 15+ other providers. It serves blue teams performing attack surface management by aggregating cloud assets with minimal configuration, supporting keyless authentication and multiple output formats. Best suited for cloud security engineers and infrastructure teams; not a general-purpose cloud management tool.
Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.
AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.
Multi-cloud asset enumeration tool for security teams building centralized asset inventories across AWS, GCP, Azure, and 15+ providers
Cloudlist is a Go-based CLI tool that discovers and lists cloud assets (VMs, load balancers, databases, storage) across multiple cloud providers in a single workflow. Built by ProjectDiscovery for blue teams and attack surface management, it supports 20+ providers with minimal configuration, keyless authentication (IAM roles), and pipeline integration. Adoption appears concentrated within security and DevOps teams using ProjectDiscovery's ecosystem; real-world production usage metrics are not publicly documented.
Created October 2020 as part of ProjectDiscovery's open-source security toolkit. Inspired by smogcloud and cloudmapper, it evolved to address fragmented multi-cloud asset discovery workflows where organizations need unified visibility without managing separate tool integrations for each provider.
Modest consistent growth: 1,036 stars and 128 forks over 5.5 years suggest steady adoption within a defined security operations niche. Only 2 stars in the 7 days prior to analysis date (2026-06-29) reflects typical open-source security tool trajectory—useful but not viral. Likely benefits from ProjectDiscovery's broader reputation rather than independent momentum.
Adoption not verified through public case studies or documented deployments. ProjectDiscovery brand recognition and ecosystem integration (interop with notify, pdtm, vulnx tools) suggests use within security consulting and DevOps workflows, but specifics are absent. Enterprise or large-scale usage patterns not publicly communicated.
Based on README, appears to be a modular provider-plugin architecture where each cloud provider (AWS, GCP, Azure, etc.) is implemented as an extensible provider module. Supports multiple authentication methods (API keys, service accounts, IAM roles). Output formats include JSON, YAML, and plain text for pipeline composition. Library mode available for embedding in other tools.
Not documented in README. No mention of test frameworks, coverage thresholds, or testing patterns.
Last push 2026-06-29 (6 days from analysis date), indicating active maintenance. README references external documentation on docs.projectdiscovery.io and detailed provider setup (GCP Asset API guide). Regular release badges and update mechanisms present. No evidence of abandonment; maintenance appears steady rather than intensive.
ADOPT IF: You manage multiple cloud providers (AWS, GCP, Azure, or 15+ others), operate a security program requiring quick asset inventory snapshots, and need lightweight CLI tooling that integrates with Unix pipelines. You are already comfortable with ProjectDiscovery's tool ecosystem. AVOID IF: You require enterprise-grade asset management with change tracking, compliance reporting, or real-time sync to a CMDB—use dedicated ITSAM platforms instead. You work exclusively with one cloud provider (use native cloud CLI tools). You need deep visibility into asset relationships and dependencies. MONITOR IF: You are evaluating it as part of broader attack surface management and want to assess multi-provider support maturity and authentication model fit for your organization's cloud posture.
Independent dimensions
Mainstream potential
4/10
Technical importance
6/10
Adoption evidence
3/10
- Adoption not verified at scale—no public case studies or enterprise customer references limit confidence in production reliability and support model.
- Provider coverage may lag cloud API changes—maintainers must keep 20+ provider integrations current; gaps or outdated permissions may cause silent failures.
- Authentication complexity—keyless auth (IRSA, workload identity) is powerful but misconfiguration risks exist; documentation quality across providers unclear.
- Dependency on ProjectDiscovery ecosystem—tight coupling with notify, pdtm, vulnx may limit utility if used standalone or in non-ProjectDiscovery toolchains.
- Output formats are simple (JSON, YAML, plaintext)—no built-in filtering, correlation, or visualization; downstream processing required for compliance or audit workflows.
Likely to remain a stable, incrementally maintained niche tool within the open-source security tooling space. Growth will be driven by ProjectDiscovery ecosystem adoption and word-of-mouth in DevSecOps circles rather than mainstream multi-cloud explosion. May attract more maintainers if multi-cloud asset discovery becomes table-stakes for security programs, but competition from vendor-specific solutions (AWS Config, GCP Cloud Asset Inventory) and consolidation into platforms like Wiz, Lacework, or CrowdStrike may limit upside.
Newsletter
Get analyses like this every Monday
Free weekly digest of the most interesting open-source discoveries.
Languages
Information
- Language
- Go
- License
- MIT
- Last updated
- 2w ago
- Created
- 69mo ago
- Analyzed with
- anthropic/claude-haiku-4-5
Stars over time
Contributors over time
Top 100 contributors only — repos with more will plateau at 100.
Open issues
Top contributors
Recent releases
Similar repos
cloudquery/cloudquery
CloudQuery is a cloud asset inventory and data pipeline platform that syncs...
projectdiscovery/pdtm
pdtm is a Go-based package manager for ProjectDiscovery's open-source security...
| Repository | Stars | Week Δ | Language | Score | Updated |
|---|---|---|---|---|---|
|
|
1k | +2 | Go | 7/10 | 2w ago |
|
|
6.5k | — | Go | 8/10 | 6h ago |
|
|
1.6k | — | Go | 7/10 | 3w ago |
|
|
1.1k | — | Go | 7/10 | 8h ago |
|
|
9.9k | — | Go | 8/10 | 2w ago |
|
|
2.6k | — | Go | 8/10 | 1d ago |
6.2× more stars (6,449 vs 1,036). Cloudquery is a broader data integration/compliance framework; cloudlist is narrower and asset-enumeration focused. Cloudquery suits compliance auditing; cloudlist suits offensive/defensive security reconnaissance.
9.6× more stars. Go-cloud is a vendor-agnostic SDK for building cloud applications; cloudlist is an operational CLI tool. Different use cases: go-cloud for developers, cloudlist for security operators.
Cloudlist can ingest Terraform state as a provider. Terraform is imperative IAC; cloudlist is read-only discovery. Complementary rather than competitive for teams managing infrastructure-as-code.
Cloudlist abstracts away provider CLI differences and enables cross-provider queries with one tool. Trade-off: less provider-specific detail vs. operational simplicity. Likely used alongside, not instead of, native CLIs.
Cloudlist is asset discovery; CMDB platforms are asset management/governance. Cloudlist may feed data into CMDB systems but does not replace them.