Nebula is a command-line security scanning tool built on the Janus framework for testing cloud environments. It provides modular security testing capabilities across AWS, Azure, and GCP with an extensible link-based architecture.
For development guidance, see DEVELOPMENT.md.
📖 Full CLI Documentation - Complete command reference with examples
- Multi-Cloud Support: AWS, Azure, GCP, and SaaS platforms
- Modular Architecture: Built on Janus framework with composable links
- Security Scanning: Resource discovery, secret detection, public exposure analysis
- Flexible Output: JSON, Markdown, and console formats
- MCP Integration: Model Context Protocol server for AI assistants
From Source:
```bash
git clone https://github.com/praetorian-inc/nebula
cd nebula
go build
```
Docker:
```bash
docker build -t nebula .
docker run --rm -v ~/.aws:/root/.aws nebula aws recon whoami
```
Pre-built binaries available in GitHub Releases.
Dependencies: Secret scanning is done using Nosey Parker (https://github.com/praetorian-inc/noseyparker), which must be available in your $PATH.
Nebula uses standard cloud provider authentication:
- AWS: Environment variables, credentials file (~/.aws/credentials), IAM roles
- Azure: Environment variables, Azure CLI, managed identity
- GCP: Service account keys, application default credentials
- Docker: Registry credentials via --docker-user and --docker-password flags
```bash
nebula <provider> <category> <module> [flags]
```
Examples:
```bash
# Check AWS account identity
nebula aws recon whoami
# List all S3 buckets across regions
nebula aws recon list -t AWS::S3::Bucket -r all
# Find secrets in Lambda functions
nebula aws recon find-secrets -t AWS::Lambda::Function
# Discover public Azure resources
nebula azure recon public-resources -s subscription-id
# Get GCP project information
nebula gcp recon projects-list
# Analyze Docker container for secrets
nebula saas recon docker-dump -i nginx:latest
```
AWS Reconnaissance:
```bash
# Account information and permissions
nebula aws recon account-auth-details
nebula aws recon whoami
# Resource discovery
nebula aws recon list-all-resources -r us-east-1
nebula aws recon public-resources -r all
# Secrets scanning
nebula aws recon find-secrets -t all -r all
nebula aws recon find-secrets -t AWS::Lambda::Function -r us-east-2
```
Azure Reconnaissance:
```bash
# Environment details
nebula azure recon summary -s subscription-id
# Resource enumeration
nebula azure recon list-all-resources -s subscription-id
nebula azure recon public-resources -s all
# DevOps secrets scanning
nebula azure recon devops-secrets --organization org-name
```
SaaS Reconnaissance:
```bash
# Docker container analysis and secret scanning
nebula saas recon docker-dump -i image-name
```
Analysis Modules:
```bash
# AWS key analysis
nebula aws analyze access-key-to-account-id -k AKIA...
nebula aws analyze known-account -a 123456789012
# IP analysis
nebula aws analyze ip-lookup -i 1.2.3.4
```
Output Formats:
- Console: Real-time progress and summaries
- JSON: Structured data in the nebula-output/ directory
- Markdown: Human-readable tables
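The `access-key-to-account-id` module listed under Analysis Modules maps an access key ID to the account that owns it. As an added example (not Nebula's code, and not necessarily how the module works), this Go program applies the publicly documented offline decoding of newer-format key IDs; `AccountIDFromAccessKey` and `SampleKeyID` are hypothetical names, and the sample key is constructed from the placeholder account 123456789012.

```go
package main

import (
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// accountMask keeps bits 7..46 of the first six decoded bytes, the 40 bits
// that hold the account ID in a newer-format key ID.
const accountMask = 0x7fffffffff80

// AccountIDFromAccessKey (hypothetical name) decodes the 12-digit account ID
// embedded in an AKIA.../ASIA... key ID. It makes no AWS API call.
func AccountIDFromAccessKey(keyID string) (string, error) {
	keyID = strings.ToUpper(strings.TrimSpace(keyID))
	if len(keyID) != 20 {
		return "", errors.New("expected a 20-character access key ID")
	}
	raw, err := base32.StdEncoding.DecodeString(keyID[4:]) // skip the 4-char prefix
	if err != nil {
		return "", fmt.Errorf("key body is not base32: %w", err)
	}
	var buf [8]byte
	copy(buf[2:], raw[:6]) // first 48 bits of the body, big-endian
	v := binary.BigEndian.Uint64(buf[:])
	return fmt.Sprintf("%012d", (v&accountMask)>>7), nil
}

// SampleKeyID (hypothetical helper) builds a constructed, non-functional key
// ID for the given account so the decoder can be exercised offline.
func SampleKeyID(account uint64) string {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], account<<7)
	body := append(buf[2:8:8], 0, 0, 0, 0) // 10 bytes -> 16 base32 characters
	return "AKIA" + base32.StdEncoding.EncodeToString(body)
}

func main() {
	key := SampleKeyID(123456789012) // placeholder account, constructed key
	id, err := AccountIDFromAccessKey(key)
	if err != nil {
		fmt.Println("decode failed:", err)
		return
	}
	fmt.Printf("%s -> account %s\n", key, id)
}
```

For older-format key IDs the decoded number is not meaningful; `aws sts get-access-key-info --access-key-id <id>` returns the authoritative account.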
Common Flags:
```
# Global options
--log-level string     Log level (debug, info, warn, error)
--output string        Output directory (default "nebula-output")
--quiet                Suppress user messages
--no-color             Disable colored output
# Provider-specific
-r, --regions string   AWS regions ('all' or comma-separated)
-s, --subscription     Azure subscription ID
-t, --resource-type    Cloud resource type filter
-i, --image string     Docker image name for SaaS modules
```
Nebula provides an MCP (Model Context Protocol) server for AI assistants:
Stdio Server:
```bash
nebula mcp-server
```
HTTP Server:
```bash
nebula mcp-server --http --addr :8080
```
Claude Desktop Configuration:
```json
{
  "mcpServers": {
    "nebula": {
      "command": "/path/to/nebula",
      "args": ["mcp-server"]
    }
  }
}
```
- Permissions: Ensure appropriate read-only permissions before scanning. Note: Many AWS modules use the Cloud Control API, which requires `cloudformation:ListResources` and `cloudformation:GetResources`.
- Scope Control: Use resource type and region filters to limit scan scope
Nebula uses Praetorian's Janus Framework.
- Links: Individual processing units that can be chained together
- Modules: Pre-configured chains for specific security testing scenarios
- Outputters: Pluggable output processing for different formats
- Registry: Dynamic module discovery and CLI generation
For development details, see DEVELOPMENT.md.