Running Cloudrail CLI

Cloudrail analyzes your IaC for security issues, highlighting only those that pose a true risk to your cloud environment. Note that the Cloudrail CLI container is meant to be used in conjunction with the Cloudrail Web UI. If you have not yet registered through the Web UI, please do so first.

Installing Cloudrail Command Line Tool

To install the cloudrail command line tool, first make sure you have python3 installed on your machine. Then install it into your user space with the following command:

python3 -m pip install cloudrail --user

Running Cloudrail Assessments

Cloudrail can be run as a Static Analysis tool or as a Static + Dynamic Analysis tool.

Static + Dynamic Analysis requires Cloudrail to onboard your cloud account. In the event that this is not available, you can start with the Static Analysis method:

Running A Static Analysis

To run a static analysis on .tf files, first navigate to the directory with the .tf files and run the following command.

cloudrail run

During this step, Cloudrail will interactively ask you a couple of questions and then give you results for your static Terraform files.

Running A Static + Dynamic Analysis

A static + dynamic analysis combines a Terraform plan file with a cloud account to give you a more detailed understanding of your infrastructure and to show problems in a broader context. To run it, you must be in an environment where you can generate a Terraform plan file, or have an existing Terraform plan to use.

To run this with the cloudrail command line, use the following command:

cloudrail run -p plan.out --cloud-account-id [account-id]

If your Terraform plan files are only available through your CI/CD pipeline (e.g. a Jenkins server or a hosted CircleCI instance), then you will want to read our instructions for evaluating IaC from your pipeline. We recommend running an evaluation this way.

Command Line Additional Arguments

  • To specify the parent directory of all your Terraform files, use '-d' as a flag for 'cloudrail run' like so:
cloudrail run -p plan.out -d .

  • To auto-approve the filtered plan that Cloudrail generated from your Terraform plan, use the '--auto-approve' argument:
cloudrail run -p plan.out --auto-approve --api-key <API_KEY_FROM_WEB_UI>

  • If you would like to first generate the filtered plan, then review it (with a script, for example), and then upload it, start with the generate-filtered-plan command and then pass its output to run:
cloudrail generate-filtered-plan --output-file filteredplan.json
cloudrail run --filtered-plan filteredplan.json --api-key <API_KEY_FROM_WEB_UI>

Additional notes:

  • Instead of using the config save command, you can set an environment variable called CLOUDRAIL_API_KEY or pass the --api-key parameter.

Testing Cloudrail’s Terraform Sanitization

Cloudrail filters sensitive information such as keys and secrets out of your Terraform before anything is uploaded.

Use the sample Terraform file maintained in our GitHub repo to test the sanitization capability.

The following command allows you to validate the filtering capability before uploading the filtered Terraform for analysis:

cloudrail generate-filtered-plan --tf-plan plan.out
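As an added example (not Cloudrail's own code), here is a small review script of the kind the "generate the filtered plan, review it, then upload it" workflow above has in mind: it walks the filtered plan and reports any credential-looking keys, AWS access key IDs, PEM private keys or IPv4 addresses that survived sanitization, so you can fail the pipeline before cloudrail run uploads the file. It assumes the filtered plan is JSON; the sensitive-key list, value patterns and redaction placeholders are assumptions, and the embedded sample plan is constructed for the demonstration.

```python
import json
import re
import sys

# Key names that commonly carry credentials (an assumed list, not Cloudrail's own rules).
SENSITIVE_KEY_RE = re.compile(r"password|secret|access_key|private_key|token|api_key", re.I)
# Value patterns that should never survive sanitization (well-known formats).
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "ipv4_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
# Placeholders a sanitizer may substitute for a secret; treated as safe (assumed values).
REDACTED = {"", "(sensitive)", "<redacted>", "REDACTED"}

def find_residual_secrets(node, path="$"):
    """Walk any JSON-like structure; return (json_path, reason) for each suspicious leaf."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if SENSITIVE_KEY_RE.search(key) and isinstance(value, str) and value not in REDACTED:
                findings.append((child, f"sensitive key '{key}' still has a value"))
            findings.extend(find_residual_secrets(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_residual_secrets(item, f"{path}[{i}]"))
    elif isinstance(node, str):
        for name, pattern in VALUE_PATTERNS.items():
            if pattern.search(node):
                findings.append((path, f"value matches {name}"))
    return findings

def check_file(path):
    """Load a filtered plan from disk and return its findings."""
    with open(path) as fh:
        return find_residual_secrets(json.load(fh))

# Constructed sample; the real filtered-plan layout is not documented on this page.
SAMPLE_FILTERED_PLAN = {"resource_changes": [
    {"address": "aws_db_instance.main", "change": {"after": {"password": "(sensitive)", "engine": "postgres"}}},
    {"address": "aws_instance.bastion", "change": {"after": {
        "user_data": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE", "private_ip": "10.0.1.25"}}},
]}

if __name__ == "__main__":  # usage: python check_filtered_plan.py filteredplan.json
    results = check_file(sys.argv[1]) if len(sys.argv) > 1 else find_residual_secrets(SAMPLE_FILTERED_PLAN)
    for location, reason in results: print(f"{location}: {reason}")
    sys.exit(1 if results else 0)  # non-zero exit blocks the upload step in a pipeline
```

Run against the sample, it flags the access key embedded in user_data and the private IP, while the already-redacted password is accepted.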

Notes

As part of its analysis, the Cloudrail CLI makes use of some data from your Terraform files. We filter sensitive information (e.g. IP addresses, credentials, etc.) out of the file and upload the filtered file to the Cloudrail Service for analysis. After analysis, the file is removed from the Service (that is, it is not kept beyond the time of analysis).