
Add multi-account AWS scanning#18

Merged
maksimov merged 12 commits into master from feature/multi-account-scanning
Apr 19, 2026

Conversation

@maksimov
Collaborator

Summary

Scan multiple AWS accounts in a single invocation via STS AssumeRole or automatic discovery via AWS Organizations.

  • New CLI flags: --targets, --role, --external-id, --org, --skip-self
  • ResolveTargets() handles credential resolution with self-detection, org discovery, and partial failure tolerance
  • Parallel scanning across targets and regions
  • Per-target summary tables in all output formats (table, markdown, Slack)
  • gpuaudit iam-policy now includes cross-account and Organizations policy statements
  • README with Terraform and CloudFormation StackSet examples for cross-account role setup

Key design decisions

  • Provider-neutral flag names (--targets not --accounts) for future GCP/Azure support
  • Self account never uses AssumeRole — original credentials are preserved
  • Failed targets are warnings, not fatal — scan continues for reachable accounts
  • omitempty on new JSON fields ensures backward-compatible output for single-account scans
  • Severity classification deduplicated into models.MaxSeverity()

Changes

  • internal/providers/aws/multiaccount.go — ResolveTargets, AssumeRole, org account listing
  • internal/providers/aws/multiaccount_test.go — 6 tests covering all targeting modes
  • internal/providers/aws/summary.go — BuildSummary (extracted) + BuildTargetSummaries
  • internal/providers/aws/summary_test.go — 3 tests
  • internal/providers/aws/scanner.go — Refactored Scan() for parallel multi-target scanning
  • internal/models/models.go — TargetSummary, TargetErrorInfo, MaxSeverity
  • internal/output/table.go — Per-target summary table, conditional target column
  • internal/output/markdown.go — Per-target markdown section
  • internal/output/slack.go — Per-target Slack blocks
  • cmd/gpuaudit/main.go — New flags, validation, IAM policy updates

Test plan

  • All 42 tests pass (go test ./...)
  • go vet clean
  • Manual test: single-account scan produces identical output to before
  • Manual test: multi-account scan with --targets and --role
  • Manual test: org discovery with --org

Note: This PR is stacked on #17 (diff command). Review the diff against that branch.

🤖 Generated with Claude Code
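The target-resolution rules listed above (self detection via the caller identity, explicit `--targets`, `--org` discovery with suspended accounts filtered out, self never assumed even when it appears in the target list, and failed assumptions collected as warnings rather than aborting the scan) can be exercised end to end with fakes. The following is an added illustration, not code from this PR or from the gpuaudit repository: the `STSClient`/`OrgClient` interfaces, the `ResolveOptions` struct, the role-ARN layout and the fake clients are all assumptions chosen so the logic runs offline without the AWS SDK.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sort"
	"strings"
)

type (
	// Target is one account to scan; the self account keeps its original credentials (RoleARN empty, IsSelf true).
	Target struct {
		AccountID, RoleARN string
		IsSelf             bool
	}
	// TargetError is a non-fatal warning for an account whose role could not be assumed.
	TargetError struct {
		AccountID string
		Err       error
	}
	// OrgAccount carries the Organizations fields used here; Status is "ACTIVE" or "SUSPENDED".
	OrgAccount struct{ ID, Status string }
	// STSClient and OrgClient are hypothetical minimal interfaces (not the project's own) so the logic runs against fakes.
	STSClient interface {
		CallerAccountID(ctx context.Context) (string, error)
		AssumeRole(ctx context.Context, roleARN, externalID string) error
	}
	OrgClient interface{ ListAccounts(ctx context.Context) ([]OrgAccount, error) }
	// ResolveOptions mirrors the --targets, --role, --external-id, --org and --skip-self flags.
	ResolveOptions struct {
		Targets          []string
		Role, ExternalID string // the external id guards the cross-account role against confused-deputy use
		Org, SkipSelf    bool
	}
)

// ResolveTargets returns the caller's account id (always, so the scan records its identity
// even with --skip-self), the reachable targets, and one warning per account whose role
// could not be assumed. org may be nil unless opt.Org is set.
func ResolveTargets(ctx context.Context, sts STSClient, org OrgClient, opt ResolveOptions) (string, []Target, []TargetError, error) {
	self, err := sts.CallerAccountID(ctx)
	if err != nil {
		return "", nil, nil, fmt.Errorf("caller identity: %w", err)
	}
	candidates := append([]string(nil), opt.Targets...) // explicit --targets, plus org members below
	if opt.Org {
		accounts, lerr := org.ListAccounts(ctx)
		if lerr != nil {
			return self, nil, nil, fmt.Errorf("list organization accounts: %w", lerr)
		}
		for _, a := range accounts {
			if a.Status == "ACTIVE" { // suspended accounts are dropped before any AssumeRole
				candidates = append(candidates, a.ID)
			}
		}
	}
	if len(candidates) > 0 && opt.Role == "" {
		return self, nil, nil, errors.New("--role is required when other accounts are targeted")
	}
	var targets []Target
	var warnings []TargetError
	if !opt.SkipSelf {
		targets = append(targets, Target{AccountID: self, IsSelf: true})
	}
	// Self is pre-marked as seen so it is never assumed, even if listed in --targets or the org.
	seen := map[string]bool{self: true}
	sort.Strings(candidates) // deterministic order for output and tests
	for _, id := range candidates {
		if seen[id] {
			continue
		}
		seen[id] = true
		roleARN := fmt.Sprintf("arn:aws:iam::%s:role/%s", id, opt.Role)
		if aerr := sts.AssumeRole(ctx, roleARN, opt.ExternalID); aerr != nil {
			warnings = append(warnings, TargetError{AccountID: id, Err: aerr})
			continue // partial failure: keep resolving the remaining accounts
		}
		targets = append(targets, Target{AccountID: id, RoleARN: roleARN})
	}
	return self, targets, warnings, nil
}

// fakeSTS and fakeOrg are constructed stand-ins for the real AWS clients; denied lists account ids that refuse AssumeRole.
type fakeSTS struct {
	self   string
	denied map[string]bool
}
type fakeOrg struct{ accounts []OrgAccount }

func (f fakeSTS) CallerAccountID(context.Context) (string, error)       { return f.self, nil }
func (f fakeOrg) ListAccounts(context.Context) ([]OrgAccount, error) { return f.accounts, nil }
func (f fakeSTS) AssumeRole(_ context.Context, roleARN, _ string) error {
	if f.denied[strings.Split(roleARN, ":")[4]] { // field 4 of an IAM ARN is the account id
		return fmt.Errorf("AccessDenied: cannot assume %s", roleARN)
	}
	return nil
}

func main() {
	// Constructed sample: the caller is an org member, one member denies the role, one is suspended.
	sts := fakeSTS{self: "111111111111", denied: map[string]bool{"333333333333": true}}
	org := fakeOrg{accounts: []OrgAccount{{"111111111111", "ACTIVE"}, {"222222222222", "ACTIVE"}, {"333333333333", "ACTIVE"}, {"444444444444", "SUSPENDED"}}}
	self, targets, warnings, err := ResolveTargets(context.Background(), sts, org, ResolveOptions{Org: true, Role: "GPUAuditReadOnly"})
	fmt.Printf("self=%s\ntargets=%+v\nwarnings=%+v\nerr=%v\n", self, targets, warnings, err)
}
```

With the sample above the result is one self target with no role ARN, one assumed target for 222222222222, a warning for 333333333333, and nothing at all for the suspended account. The `seen` map is seeded with the caller's own id so that, whatever the flags, the tool never calls AssumeRole into the account it already holds credentials for; that is the same invariant the PR states for the self account.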

maksimov added 12 commits April 18, 2026 15:03
Covers CLI flags (--targets, --role, --org), architecture for
parallel cross-account scanning via STS AssumeRole, output changes
with per-target sub-summaries, and IAM role setup docs (Terraform
+ CloudFormation).

Add ResolveTargets function that resolves scan targets based on
--targets, --org, --role, and --skip-self options. Self account uses
original credentials (no AssumeRole), failed assumptions are collected
as TargetError rather than being fatal.

Add STSClient and OrgClient interfaces, Target and TargetError types,
multi-target fields to ScanOptions, and organizations SDK dependency.

Includes 6 tests covering: self-only, explicit targets, skip-self,
partial failure, org discovery with suspended account filtering, and
self-in-targets deduplication.

ResolveTargets now returns selfAccount separately so Scan() always
gets the correct caller identity regardless of --skip-self. Extracted
models.MaxSeverity to replace three copies of severity classification.
Removed dead error return from scanTarget. Added missing copyright
headers.
Base automatically changed from feature/diff-command-only to master April 18, 2026 17:27
@maksimov merged commit 2043078 into master Apr 19, 2026
2 checks passed
@maksimov deleted the feature/multi-account-scanning branch April 19, 2026 20:20
maksimov added a commit that referenced this pull request Apr 21, 2026