Shift-left cloud hygiene for AWS & Azure - deterministic waste detection with no agents, no telemetry, safe for regulated environments.
CleanCloud
Docs: AWS Setup · AWS Permissions & Commands · AWS Multi-Account · Azure Setup · GCP Setup · CI/CD Guide · Detection Rules · Example Outputs · Docker Hub · GitHub Action
CleanCloud is the Cloud Hygiene Engine — the missing layer between cost visibility and cleanup.
Supports: AWS · Azure · GCP
Cloud waste hit 29% of spend in 2026 — the first rise in five years (Flexera). Most teams already have cost dashboards. Dashboards show spend trends; they don't tell engineers what to clean up. SaaS FinOps platforms require vendor access to your cloud account — a non-starter for regulated industries. And as cloud environments scale across accounts and subscriptions, unused resources are no longer exceptions — they are continuous drift. Platform teams need a deterministic, enforceable process to turn that drift into a list of exactly what to act on.
That's CleanCloud. Scan your AWS, Azure, and GCP environments, get specific actionable findings with per-resource cost estimates, and enforce waste thresholds on a schedule — no agents, no SaaS, no data leaving your environment.
| | AWS/Azure/GCP native cost tools | FinOps SaaS platforms | CleanCloud |
|---|:---:|:---:|:---:|
| Shows cost trends | ✅ | ✅ | — |
| Names exactly which resources to clean up | ❌ | partial | ✅ |
| Deterministic cost estimate per resource | ❌ | ❌ | ✅ |
| Read-only, no agents | ✅ | ❌ | ✅ |
| Runs in air-gapped / regulated environments | ❌ | ❌ | ✅ |
| No SaaS account or vendor access required | ❌ | ❌ | ✅ |
| Multi-account / multi-subscription / multi-project | ❌ | ✅ | ✅ |
| CI/CD and scheduled enforcement (exit codes) | ❌ | ❌ | ✅ |
- 30 curated, high-signal detection rules: orphaned volumes, idle databases, stopped instances, unused registries, and more — designed to avoid false positives in IaC environments, each with a deterministic cost estimate
- Governance enforcement (opt-in): `--fail-on-confidence HIGH` or `--fail-on-cost 100` — enforce waste thresholds on a schedule, owned by platform or FinOps teams
- Multi-account scanning (AWS): scan entire AWS Organizations in one run — config file, inline IDs, or auto-discovery via `--org`
- Multi-subscription scanning (Azure): scan all Azure subscriptions in parallel — auto-discovery via Management Group, per-subscription cost breakdown included
- Multi-project scanning (GCP): scan all accessible GCP projects in parallel — auto-discovery via Application Default Credentials, per-project cost breakdown included
- Safe for regulated environments: read-only, no agents, no telemetry, no SaaS — runs entirely inside your own infrastructure. Suitable for financial services, healthcare, and government accounts where third-party SaaS access is restricted
- Ecosystem-ready output: JSON for Slack alerts, cost dashboards, and ticketing automation — CSV for spreadsheet workflows — markdown to paste directly into GitHub PRs, Jira, or Confluence
- No agents. No telemetry. No SaaS. Data never leaves your environment
What CleanCloud does NOT do
| | |
|---|---|
| ❌ Delete resources | ❌ Modify or create tags |
| ❌ Write to any cloud API | ❌ Store or log credentials |
| ❌ Send telemetry or usage data | ❌ Require a SaaS account or agent |
All operations are read-only. Safe for production accounts, air-gapped environments, and security-reviewed pipelines.
Who uses it:
- Platform and FinOps teams — run weekly hygiene scans across your AWS Org or Azure tenant, enforce waste thresholds, catch drift before it compounds
- Regulated industries — financial services, healthcare, and government teams that cannot send cloud account data to a SaaS vendor
- Mid-market engineering teams — too large to ignore cloud waste, too lean for enterprise FinOps platforms. Native cost tools show bills; CleanCloud shows you what to fix
- Cloud consultants and MSPs — run a read-only audit against a client account in minutes, export findings to markdown or JSON
Use cases:
- One-time cloud waste audit — run in CloudShell, see findings in 60 seconds
- Scheduled hygiene governance — weekly job that catches new waste and enforces thresholds across all accounts
- Pre-review reports — export findings to markdown before a quarterly cost review or board meeting
```text
Found 6 hygiene issues:
1. [AWS] Unattached EBS Volume — $40/month
2. [AWS] Idle NAT Gateway — $32.40/month
3. [AWS] Unattached Elastic IP — $0/month
...
Estimated monthly waste: ~$147
Regions scanned: us-east-1, us-west-2, eu-west-1
```
As featured in
- Korben 🇫🇷 — Major French tech publication
- Last Week in AWS #457 — Corey Quinn's weekly AWS newsletter
What users say
"Solid discovery tool that bubbles up potential savings. Easy to install and use!" — Reddit user
Get Started
Commands
| Command | What it does |
|---|---|
| cleancloud demo | Show sample findings — no credentials needed |
| cleancloud scan | Scan your cloud environment and report findings |
| cleancloud doctor | Check that credentials and permissions are correctly configured |
| cleancloud --version | Show installed version |
| cleancloud --help | List all flags |
Via pipx (recommended for local use):
```bash
pipx install cleancloud
pipx ensurepath   # adds cleancloud to PATH — restart your shell after this
cleancloud demo   # see sample findings without any cloud credentials
```
Via Docker (no Python required — runs anywhere: CI/CD, scheduled jobs, servers):
```bash
docker pull getcleancloud/cleancloud
docker run --rm getcleancloud/cleancloud demo

# With AWS credentials (Docker doesn't inherit local ~/.aws automatically)
docker run --rm \
  -e AWS_ACCESS_KEY_ID \
  -e AWS_SECRET_ACCESS_KEY \
  -e AWS_SESSION_TOKEN \
  -e AWS_REGION=us-east-1 \
  getcleancloud/cleancloud scan --provider aws --all-regions
```
In CI/CD, `aws-actions/configure-aws-credentials` sets the `AWS_*` env vars on the runner — pass them with `-e VAR_NAME` (no value) and Docker forwards them into the container automatically, so the secrets never appear on the command line. See CI/CD guide →
When you're ready to scan your real environment, authenticate first — then run:
```bash
# AWS: make sure you're logged in (aws configure, aws sso login, or IAM role)
cleancloud scan --provider aws --all-regions

# Azure: make sure you're logged in (az login)
cleancloud scan --provider azure

# GCP: make sure you're logged in (gcloud auth application-default login)
cleancloud scan --provider gcp --all-projects
```
Not sure if your credentials have the right permissions? Run `cleancloud doctor --provider aws`, `cleancloud doctor --provider azure`, or `cleancloud doctor --provider gcp` first.
Scan flags:
| Flag | What it does |
|---|---|
| --provider aws\|azure\|gcp | Cloud provider to scan (required) |
| --region REGION | Scan a single region |
| --all-regions | Scan all active regions — AWS/Azure only |
| AWS multi-account | |
| --org | Auto-discover all accounts via AWS Organizations |
| --multi-account FILE | Config file listing accounts to scan |
| --accounts 111,222 | Inline account IDs, comma-separated |
| --concurrency N | Parallel accounts/projects (default: 3) |
| --timeout SECONDS | Total scan timeout in seconds (default: 3600) |
| Azure multi-subscription | |
| --management-group ID | Scan all subscriptions under a Management Group |
| --subscription ID | Scan a specific subscription (default: all accessible) |
| GCP multi-project | |
| --all-projects | Scan all accessible GCP projects |
| --project ID | Scan a specific project (repeatable) |
| Output | |
| --output human\|json\|csv\|markdown | Output format (default: human) |
| --output-file FILE | Write output to file instead of stdout |
| Enforcement (exit code 2 on match) | |
| --fail-on-confidence HIGH\|MEDIUM | Fail on findings at or above this confidence |
| --fail-on-cost N | Fail if estimated monthly waste ≥ $N |
| --fail-on-findings | Fail on any finding |
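The enforcement rules in the table above, written out as a small post-processing gate over JSON findings. This is an added example, not CleanCloud's own code: the finding field names (`rule`, `resource_id`, `monthly_cost`, `confidence`) are an assumed shape, and the sample findings are constructed from the demo output shown earlier on this page.

```python
"""Added example: mirror the `cleancloud scan` enforcement gate over JSON findings.
Not CleanCloud's own code; the finding field names below are an assumption."""

CONFIDENCE_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Constructed sample findings (costs taken from the demo output on this page;
# resource IDs and confidence levels are placeholders for illustration).
SAMPLE_FINDINGS = [
    {"provider": "aws", "rule": "Unattached EBS Volume",
     "resource_id": "vol-EXAMPLE", "monthly_cost": 40.00, "confidence": "HIGH"},
    {"provider": "aws", "rule": "Idle NAT Gateway",
     "resource_id": "nat-EXAMPLE", "monthly_cost": 32.40, "confidence": "MEDIUM"},
    {"provider": "aws", "rule": "Unattached Elastic IP",
     "resource_id": "eipalloc-EXAMPLE", "monthly_cost": 0.00, "confidence": "HIGH"},
]


def estimated_monthly_waste(findings: list) -> float:
    """Sum of the per-resource cost estimates, rounded to cents."""
    return round(sum(f["monthly_cost"] for f in findings), 2)


def enforcement_exit_code(findings, fail_on_confidence=None,
                          fail_on_cost=None, fail_on_findings=False) -> int:
    """Return 2 when any threshold matches (the scan's documented exit code), else 0.

    --fail-on-confidence: any finding at or above the given level
    --fail-on-cost N:     estimated monthly waste >= $N
    --fail-on-findings:   any finding at all
    """
    if not findings:
        return 0
    if fail_on_findings:
        return 2
    if fail_on_confidence is not None:
        threshold = CONFIDENCE_RANK[fail_on_confidence.upper()]
        if any(CONFIDENCE_RANK[f["confidence"]] >= threshold for f in findings):
            return 2
    if fail_on_cost is not None and estimated_monthly_waste(findings) >= fail_on_cost:
        return 2
    return 0


def markdown_summary(findings) -> str:
    """PR-ready summary in the same layout as the human output, biggest cost first."""
    ordered = sorted(findings, key=lambda f: f["monthly_cost"], reverse=True)
    lines = [f"Found {len(findings)} hygiene issues:"]
    for i, f in enumerate(ordered, 1):
        lines.append(f"{i}. [{f['provider'].upper()}] {f['rule']} "
                     f"({f['resource_id']}) - ${f['monthly_cost']:.2f}/month")
    lines.append(f"Estimated monthly waste: ~${estimated_monthly_waste(findings):.0f}")
    return "\n".join(lines)
```

In a scheduled job the same decision is made by the scan itself; a wrapper like this is only useful when you want to re-apply a different threshold to a stored JSON report, for example a stricter one for a monthly review than for the weekly run.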
No install — try in your cloud shell
Got an AWS or Azure account? Run a real scan in seconds with no local setup.
AWS — AWS CloudShell:
```bash
pip install --upgrade cleancloud
cleancloud doctor --provider aws   # check what permissions your session has
cleancloud scan --provider aws --all-regions
```
Azure — Azure Cloud Shell:
```bash
pip install --upgrade --user cleancloud
export PATH="$HOME/.local/bin:$PATH"
cleancloud doctor --provider azure   # check what permissions your session has
cleancloud scan --provider azure
```
GCP — Cloud Shell:
```bash
pip install --upgrade --user cleancloud
export PATH="$HOME/.local/bin:$PATH"
cleancloud doctor --provider gcp   # check what permissions your session has
cleancloud scan --provide
```
