projectdiscovery

projectdiscovery/cloudlist

Go MIT Security

Cloudlist is a tool for listing Assets from multiple Cloud Providers.

1k stars
128 forks
recent
GitHub +2 / week

1k

Stars

128

Forks

6

Open issues

30

Contributors

v1.4.0 09 Feb 2026

AI Analysis

Cloudlist is a multi-cloud asset enumeration tool designed for security teams to centralize and manage cloud resources across AWS, GCP, Azure, and 15+ other providers. It serves blue teams performing attack surface management by aggregating cloud assets with minimal configuration, supporting keyless authentication and multiple output formats. Best suited for cloud security engineers and infrastructure teams; not a general-purpose cloud management tool.

Security Security Tool Discovery value: 5/10
Documentation 8/10
Activity 9/10
Community 7/10
Code quality 5/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 7/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

cloud-asset-enumeration multi-cloud-management security-tooling infrastructure-discovery devops-automation
Actively maintained Well documented MIT licensed Niche/specialized use case Production ready
Deep Analysis · Based on README and public signals
5d ago

Multi-cloud asset enumeration tool for security teams building centralized asset inventories across AWS, GCP, Azure, and 15+ providers

Cloudlist is a Go-based CLI tool that discovers and lists cloud assets (VMs, load balancers, databases, storage) across multiple cloud providers in a single workflow. Built by ProjectDiscovery for blue teams and attack surface management, it supports 20+ providers with minimal configuration, keyless authentication (IAM roles), and pipeline integration. Adoption appears concentrated within security and DevOps teams using ProjectDiscovery's ecosystem; real-world production usage metrics are not publicly documented.

Origin

Created October 2020 as part of ProjectDiscovery's open-source security toolkit. Inspired by smogcloud and cloudmapper, it evolved to address fragmented multi-cloud asset discovery workflows where organizations need unified visibility without managing separate tool integrations for each provider.

Growth

Modest consistent growth: 1,036 stars and 128 forks over 5.5 years suggest steady adoption within a defined security operations niche. Only 2 stars in the 7 days prior to analysis date (2026-06-29) reflects typical open-source security tool trajectory—useful but not viral. Likely benefits from ProjectDiscovery's broader reputation rather than independent momentum.

In production

Adoption not verified through public case studies or documented deployments. ProjectDiscovery brand recognition and ecosystem integration (interop with notify, pdtm, vulnx tools) suggests use within security consulting and DevOps workflows, but specifics are absent. Enterprise or large-scale usage patterns not publicly communicated.

Code analysis
Architecture

Based on README, appears to be a modular provider-plugin architecture where each cloud provider (AWS, GCP, Azure, etc.) is implemented as an extensible provider module. Supports multiple authentication methods (API keys, service accounts, IAM roles). Output formats include JSON, YAML, and plain text for pipeline composition. Library mode available for embedding in other tools.

Tests

Not documented in README. No mention of test frameworks, coverage thresholds, or testing patterns.

Maintenance

Last push 2026-06-29 (6 days from analysis date), indicating active maintenance. README references external documentation on docs.projectdiscovery.io and detailed provider setup (GCP Asset API guide). Regular release badges and update mechanisms present. No evidence of abandonment; maintenance appears steady rather than intensive.

Honest verdict

ADOPT IF: You manage multiple cloud providers (AWS, GCP, Azure, or 15+ others), operate a security program requiring quick asset inventory snapshots, and need lightweight CLI tooling that integrates with Unix pipelines. You are already comfortable with ProjectDiscovery's tool ecosystem. AVOID IF: You require enterprise-grade asset management with change tracking, compliance reporting, or real-time sync to a CMDB—use dedicated ITSAM platforms instead. You work exclusively with one cloud provider (use native cloud CLI tools). You need deep visibility into asset relationships and dependencies. MONITOR IF: You are evaluating it as part of broader attack surface management and want to assess multi-provider support maturity and authentication model fit for your organization's cloud posture.

Independent dimensions

Mainstream potential

4/10

Technical importance

6/10

Adoption evidence

3/10

Risks
  • Adoption not verified at scale—no public case studies or enterprise customer references limit confidence in production reliability and support model.
  • Provider coverage may lag cloud API changes—maintainers must keep 20+ provider integrations current; gaps or outdated permissions may cause silent failures.
  • Authentication complexity—keyless auth (IRSA, workload identity) is powerful but misconfiguration risks exist; documentation quality across providers unclear.
  • Dependency on ProjectDiscovery ecosystem—tight coupling with notify, pdtm, vulnx may limit utility if used standalone or in non-ProjectDiscovery toolchains.
  • Output formats are simple (JSON, YAML, plaintext)—no built-in filtering, correlation, or visualization; downstream processing required for compliance or audit workflows.
Prediction

Likely to remain a stable, incrementally maintained niche tool within the open-source security tooling space. Growth will be driven by ProjectDiscovery ecosystem adoption and word-of-mouth in DevSecOps circles rather than mainstream multi-cloud explosion. May attract more maintainers if multi-cloud asset discovery becomes table-stakes for security programs, but competition from vendor-specific solutions (AWS Config, GCP Cloud Asset Inventory) and consolidation into platforms like Wiz, Lacework, or CrowdStrike may limit upside.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

Go
99.9%
Makefile
0.1%
Dockerfile
0.1%

Information

Language
Go
License
MIT
Last updated
2w ago
Created
69mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Similar repos

cloudquery

cloudquery/cloudquery

CloudQuery is a cloud asset inventory and data pipeline platform that syncs...

6.5k Go DevOps
projectdiscovery

projectdiscovery/notify

Notify is a Go-based utility that ingests tool output or file data and...

1.6k Go DevOps
projectdiscovery

projectdiscovery/pdtm

pdtm is a Go-based package manager for ProjectDiscovery's open-source security...

1.1k Go Dev Tools
google

google/go-cloud

Go CDK is a cloud abstraction library that enables developers to write portable...

9.9k Go DevOps
projectdiscovery

projectdiscovery/vulnx

vulnx is a modern CLI tool for searching, filtering, and analyzing...

2.6k Go Security
vs. alternatives
cloudquery

6.2× more stars (6,449 vs 1,036). Cloudquery is a broader data integration/compliance framework; cloudlist is narrower and asset-enumeration focused. Cloudquery suits compliance auditing; cloudlist suits offensive/defensive security reconnaissance.

google/go-cloud

9.6× more stars. Go-cloud is a vendor-agnostic SDK for building cloud applications; cloudlist is an operational CLI tool. Different use cases: go-cloud for developers, cloudlist for security operators.

Terraform/state inspection

Cloudlist can ingest Terraform state as a provider. Terraform is imperative IAC; cloudlist is read-only discovery. Complementary rather than competitive for teams managing infrastructure-as-code.

Native cloud CLI tools (AWS CLI, gcloud, az CLI)

Cloudlist abstracts away provider CLI differences and enables cross-provider queries with one tool. Trade-off: less provider-specific detail vs. operational simplicity. Likely used alongside, not instead of, native CLIs.

CMDB/ITSAM platforms

Cloudlist is asset discovery; CMDB platforms are asset management/governance. Cloudlist may feed data into CMDB systems but does not replace them.