After discovering cloud resources, ops0 can automatically scan them for known vulnerabilities and misconfigurations using Nuclei — an open-source vulnerability scanner. Security scanning runs alongside discovery and enriches your session with security findings.
1. ops0 finishes enumerating your cloud resources and records them in the session.
2. ops0 dispatches a security scan against the completed session. This happens in the background; no manual action is required.
3. Nuclei checks each discovered resource against a curated library of security templates covering misconfigurations, exposed services, and known CVEs.
4. Each finding is tagged with a severity level (Critical, High, Medium, Low, or Informational) and attached to the session for review.
5. ops0 calculates an overall risk grade (A–F) for the session based on the distribution of finding severities and displays it on the session overview dashboard.
Automatic (default)
Security scanning is enabled by default. When a discovery scan completes, ops0 automatically queues a security scan against the session. No configuration is needed.
Manual
If you want to re-run scanning on an already-completed session — for example after remediating a finding — open the session, navigate to the Security tab, and click Run Scan.
| Severity | Color | Description | Example |
|---|---|---|---|
| Critical | Red | Immediate risk, likely exploitable | S3 bucket with public write access |
| High | Orange | Significant risk, should fix quickly | Security group open to 0.0.0.0/0 on SSH |
| Medium | Yellow | Moderate risk, fix in next sprint | Outdated SSL/TLS version on ALB |
| Low | Blue | Minor risk, best-practice gap | Missing resource tags |
| Informational | Gray | No risk, awareness item | Resource not encrypted (free tier) |
The risk grade summarizes the overall security posture of a discovery session at a glance.
| Grade | Criteria |
|---|---|
| A | 0 critical findings, 0 high findings |
| B | 1–2 high findings, 0 critical findings |
| C | 1 critical finding, or 3–5 high findings |
| D | 2 or more critical findings |
| F | 5 or more critical findings |
The grade appears as a badge on the session overview dashboard and updates each time a security scan completes.
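The grade table above, applied to a list of findings. This is an added example, not ops0's own code. The finding field names, the worst-row-first precedence used where the D and F rows overlap, and the `blocks_release` gate are assumptions. Combinations the table does not cover (0 critical with more than 5 high findings) return `None` rather than a guessed grade.

```python
from collections import Counter

# Constructed sample findings; the field names are assumptions, not ops0's export schema.
SAMPLE_FINDINGS = [
    {"resource": "aws_s3_bucket.logs", "severity": "Critical"},
    {"resource": "aws_security_group.bastion", "severity": "High"},
    {"resource": "aws_lb.public", "severity": "Medium"},
    {"resource": "aws_instance.worker", "severity": "Low"},
]


def risk_grade(findings):
    """Map findings to the documented A-F grade, or None where the table is silent."""
    counts = Counter(f["severity"] for f in findings)
    critical, high = counts["Critical"], counts["High"]

    # Rows D and F overlap (5 criticals satisfy both), so test the worst row first.
    if critical >= 5:
        return "F"
    if critical >= 2:
        return "D"
    # A single critical finding is a C regardless of the high count.
    if critical == 1 or 3 <= high <= 5:
        return "C"
    if 1 <= high <= 2:
        return "B"
    if high == 0:
        return "A"
    # 0 critical with 6 or more high findings matches no row in the table.
    return None


def blocks_release(findings, worst_allowed="B"):
    """Hypothetical pipeline gate: fail on any grade worse than worst_allowed."""
    grade = risk_grade(findings)
    # An ungraded session fails the gate so a gap in the table cannot pass silently.
    return grade is None or grade > worst_allowed


if __name__ == "__main__":
    print(risk_grade(SAMPLE_FINDINGS), blocks_release(SAMPLE_FINDINGS))
```

Medium, Low, and Informational findings never move the grade under these criteria, so a session can hold an A while still carrying items such as an outdated TLS version.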
Open a session and click the Security tab. The panel shows:
| Column | Description |
|---|---|
| Resource Name | The discovered resource that triggered the finding |
| Resource Type | Cloud resource type (e.g. aws_s3_bucket, google_compute_firewall) |
| Finding Title | Short name of the security template that matched |
| Severity | Critical / High / Medium / Low / Informational |
| Description | Summary of the vulnerability or misconfiguration |
| Remediation | Link to remediation guidance or documentation |
Click any row in the findings table to open the detail panel. It includes:
Use the filter bar above the findings table to narrow results:
Filters can be combined and are applied instantly without reloading the page.
Click Export in the Security tab toolbar to download the current finding set. Two formats are available:
Exports respect the active filters, so you can export only Critical and High findings if needed.
| Provider | Typical Findings |
|---|---|
| AWS | S3 bucket public access, security groups open to 0.0.0.0/0, unencrypted RDS instances, over-permissive IAM policies |
| GCP | Firewall allow-all rules, public Cloud SQL instances, unencrypted persistent disks |
| Azure | NSG allow-all rules, public blob containers, unencrypted storage accounts |
1. Open the session Security tab and click the finding you want to resolve.
2. Read the full description and note the affected resource ID and CVE reference if present.
3. Apply the recommended remediation, either directly in the cloud provider console or by updating your infrastructure-as-code and deploying the change.
4. Start a new discovery scan to refresh the resource inventory for the session.
5. After the new scan completes, the security scan re-runs automatically. The resolved finding should no longer appear in the results.
Security scanning does not make any changes to your infrastructure. It is read-only — it inspects the configuration returned by the discovery scan, not your live resources directly.