CloudForge Documentation
CloudForge is an enterprise cloud governance platform that unifies posture findings, AI-powered risk scoring, policy enforcement, and automated remediation across AWS, Azure, and GCP.
Quick Links
| Section | Description |
|---|---|
| Architecture | High-Level Design, Detailed Design, DR/BC |
| ADRs | 21 Architecture Decision Records |
| Diagrams | System architecture and flow diagrams |
| API Reference | OpenAPI schema download plus markdown endpoint reference (89 operations) |
| Posture Management | Multi-cloud finding aggregation module |
| Runbooks | 9 operational runbooks |
| Security | STRIDE threat model |
Architecture at a Glance
For the detailed component-level diagram, see Diagrams.
Key Capabilities
- Posture Management -- Normalize findings from AWS Security Hub, Azure Defender, GCP SCC, Trivy, and Prowler into a unified schema
- AI Risk Scoring -- LLM-powered severity re-scoring considering asset tier, environment, exposure, and blast radius
- Dual-OPA Policy -- External OPA server for cloud provisioning + embedded Go SDK for AI agent governance
- Automated Remediation -- Dispatcher routes findings to provider-specific handlers with approval workflows
- FinOps Integration -- Multi-cloud cost aggregation with anomaly detection
- Graph Analysis -- Security-graph context and attack-path analysis for triage and containment
Auth Architecture Today
- Frontend SSO is a browser-owned Okta SPA PKCE flow that redirects to `/callback` when `VITE_OKTA_ISSUER` and `VITE_OKTA_CLIENT_ID` are configured.
- The backend validates bearer JWTs via HS256 or RS256/JWKS and serves the public demo with static/demo auth modes.
- Backend authorize/callback routes, refresh-token storage, and `httpOnly` session cookies are not implemented today.
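As an added example (not CloudForge's own code), a Go sketch of the bearer-JWT check described above for the HS256 mode: the token's `alg` header is pinned to the algorithm expected for the key in hand before any signature work, so a token labelled `none` or `RS256` cannot be routed to the shared-secret path. The `signHS256` helper, secret and claims are constructed for the demo; the RS256/JWKS branch is omitted for space.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// verifyHS256 checks a compact JWT against a pinned algorithm and shared secret.
// The header alg must equal "HS256" before the key is used, so a token labelled
// none or RS256 is rejected instead of being verified with the wrong key type.
func verifyHS256(token string, secret []byte, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	if hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg: " + hdr.Alg)
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	var claims map[string]any
	if pb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	// exp is mandatory here; JSON numbers decode to float64 via the any map.
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("expired or missing exp")
	}
	return claims, nil
}

// signHS256 mints a test token with an arbitrary alg label (constructed helper,
// not the project's issuer) so the pinning behaviour can be exercised.
func signHS256(alg string, claims map[string]any, secret []byte) string {
	h, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	p, _ := json.Marshal(claims)
	body := base64.RawURLEncoding.EncodeToString(h) + "." + base64.RawURLEncoding.EncodeToString(p)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(body))
	return body + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}
```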