Scan AWS, Azure, GCP, and M365 for SOC2, PCI-DSS, HIPAA, CMMC, CIS Benchmarks, and NIST 800-53 compliance. Get audit-ready reports in minutes.
Need CMMC Level 2, evidence packages, or continuous monitoring? → auditkit.io
```bash
# Install
git clone https://github.com/guardian-nexus/AuditKit-Community-Edition
cd AuditKit-Community-Edition/scanner
go build ./cmd/auditkit

# Scan AWS
./auditkit scan -provider aws -framework soc2        # SOC2 compliance
./auditkit scan -provider aws -framework cis-aws     # CIS security hardening

# Scan Azure
./auditkit scan -provider azure -framework soc2      # SOC2 compliance
./auditkit scan -provider azure -framework cis-azure # CIS security hardening

# Scan GCP
./auditkit scan -provider gcp -framework soc2        # SOC2 compliance
./auditkit scan -provider gcp -framework cis-gcp     # CIS security hardening

# Generate reports (PDF, HTML, CSV, JSON)
./auditkit scan -provider aws -framework soc2 -format pdf -output aws-soc2.pdf
./auditkit scan -provider gcp -framework pci -format html -output gcp-pci.html
```

Setup: AWS • Azure • GCP • M365
AuditKit scans your cloud infrastructure for compliance gaps and security misconfigurations:
- Automated Scanning: ~150 technical controls per framework
- Multi-Cloud Support: AWS, Azure, GCP, M365 in one tool
- Audit-Ready Reports: PDF/HTML/JSON output with evidence
- Fix Commands: Exact CLI/Terraform commands to remediate issues
- Framework Crosswalk: One control fix improves multiple frameworks
What it doesn't do: Replace auditors, scan for vulnerabilities, or guarantee certification.
View Examples → • Read Documentation →
| Framework | AWS | Azure | GCP | Purpose |
|---|---|---|---|---|
| SOC2 Type II | 64 | 64 | 64 | SaaS customer requirements |
| PCI-DSS v4.0 | All 12 Req | All 12 Req | All 12 Req | Payment card processing |
| CMMC Level 1 | 17 | 17 | 17 | DoD contractor compliance (FCI) |
| CMMC Level 2 | 110 | 110 | 110 | DoD contractor compliance (CUI) - AuditKit |
| NIST 800-53 Rev 5 | ~150 | ~150 | ~150 | Federal contractor requirements / FedRAMP |
| ISO 27001:2022 | ~60 | ~60 | ~60 | International information security |
| HIPAA Security Rule | 70 | 62 | 40 | Healthcare data protection |

| Framework | AWS | Azure | GCP | Purpose |
|---|---|---|---|---|
| CIS Benchmarks | 126+ | ~40+ | 61 | Industry security best practices |
Framework Details → • What's the difference? →
| Feature | Community Edition | AuditKit ($297/mo) |
|---|---|---|
| Cloud Providers | AWS, Azure, GCP, M365 | Same |
| Compliance Frameworks | SOC2, PCI-DSS, CMMC L1, NIST 800-53 | Same |
| CIS Benchmarks | AWS (126+ controls) | All clouds when available |
| GCP Core | 170+ checks | Same |
| GCP Advanced | - | GKE + Vertex AI (32 checks) |
| On-Prem Scanning | - | Azure Arc (Experimental) |
| Multi-Account | - | AWS Orgs, Azure Mgmt, GCP Folders |
| CMMC Level 2 | - | 110 practices (CUI handling) |
| Desktop GUI | - | Web dashboard at localhost:1337 |
| Support | Community (GitHub Issues) | Priority email + 14-day trial |
Compare Features → • Start Free Trial →
February 2026
New Features:
- Prowler Integration - Import Prowler scan results and convert to AuditKit format with full framework mapping
- Azure Fix Scripts - Generate remediation scripts for Azure (AWS and GCP already supported)
- Evidence Tracker HTML - Interactive HTML checklist for evidence collection with progress tracking
Improvements:
- Evidence tracker now includes localStorage persistence, export to JSON, and print support
- Prowler integration supports AWS, Azure, and GCP findings with automatic provider detection
- AWS Data Services - Added SageMaker, Redshift, ElastiCache, OpenSearch checks
- Offline Mode - Cache scan results for air-gapped environments
- GDPR/NIST CSF - Added framework mappings via NIST 800-53 crosswalk
- AWS service coverage increased to 90+ checks
AuditKit customers now get a beautiful web-based dashboard that runs locally on your machine.
- Visual Dashboard - Real-time compliance scores and trends
- Scan History - Browse all past scans with search and filtering
- Findings Explorer - Searchable table of all findings with severity filtering
- Evidence Packages - Generate audit-ready ZIP files from the browser
- Exception Management - Track waivers and compensating controls with full CRUD
- Drift Detection - Visual comparison of scans to identify configuration changes
- Continuous Monitoring - Schedule recurring scans with cron-style scheduling
- 100% Offline - Runs locally, no cloud dependencies, air-gap compatible
Screenshots (not included in this copy): Dashboard, Findings, Scan History
```bash
# Save your .lic file (received after purchase/trial signup)
mkdir -p ~/.auditkit-pro
cp ~/Downloads/license.lic ~/.auditkit-pro/license.lic

# Run — activation is automatic on first run
./auditkit-pro-desktop

# Browser opens automatically to http://localhost:1337
# Change port if needed: ./auditkit-pro-desktop --port 8080

# Legacy method (deprecated): export AUDITKIT_PRO_LICENSE="AKP-..."
```

Learn More → • Start 14-Day Trial →
For Startups: Free SOC2 prep without $50K consultants
For Security Teams: CIS Benchmarks for proactive hardening
For DoD Contractors: CMMC Level 1 (Community Edition) or Level 2 compliance
For Multi-Cloud: Single tool for AWS + Azure + GCP + M365
For DevOps: JSON output for CI/CD integration
Download from GitHub Releases
Option 1: Universal Scanner (All Clouds)

```bash
git clone https://github.com/guardian-nexus/AuditKit-Community-Edition
cd AuditKit-Community-Edition/scanner
go build ./cmd/auditkit
./auditkit scan -provider aws -framework soc2
```

Option 2: Provider-Specific Scanners (Smaller Binaries)

```bash
# AWS-only scanner (~30% smaller)
go build -o auditkit-aws ./cmd/auditkit-aws
./auditkit-aws scan -framework soc2

# Azure-only scanner
go build -o auditkit-azure ./cmd/auditkit-azure
./auditkit-azure scan -framework soc2

# GCP-only scanner
go build -o auditkit-gcp ./cmd/auditkit-gcp
./auditkit-gcp scan -framework soc2
```

Requirements:
- Go 1.19+
- Cloud credentials configured (AWS CLI, Azure CLI, gcloud CLI)
- Read-only permissions (no write access needed)
```bash
# AWS scans
./auditkit scan -provider aws -framework soc2     # SOC2 Type II
./auditkit scan -provider aws -framework pci      # PCI-DSS v4.0
./auditkit scan -provider aws -framework cmmc     # CMMC Level 1
./auditkit scan -provider aws -framework 800-53   # NIST 800-53 Rev 5

# Azure scans
./auditkit scan -provider azure -framework soc2   # SOC2 Type II
./auditkit scan -provider azure -framework pci    # PCI-DSS v4.0
./auditkit scan -provider azure -framework cmmc   # CMMC Level 1

# GCP scans
./auditkit scan -provider gcp -framework soc2     # SOC2 Type II
./auditkit scan -provider gcp -framework pci      # PCI-DSS v4.0
./auditkit scan -provider gcp -framework cmmc     # CMMC Level 1
```

```bash
./auditkit scan -provider aws -framework cis-aws     # CIS AWS (58 controls)
./auditkit scan -provider azure -framework cis-azure # CIS Azure (40+ controls)
./auditkit scan -provider gcp -framework cis-gcp     # CIS GCP (30+ controls)
```

```bash
# PDF reports
./auditkit scan -provider aws -framework soc2 -format pdf -output aws-soc2.pdf
./auditkit scan -provider azure -framework pci -format pdf -output azure-pci.pdf
./auditkit scan -provider gcp -framework cmmc -format pdf -output gcp-cmmc.pdf

# HTML reports (interactive)
./auditkit scan -provider aws -framework cis-aws -format html -output cis-report.html

# JSON (for CI/CD pipelines)
./auditkit scan -provider gcp -framework all -format json -output compliance.json

# CSV (for spreadsheets)
./auditkit scan -provider azure -framework soc2 -format csv -output azure-soc2.csv
```
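The JSON output above is intended for CI/CD pipelines, and the Framework Crosswalk feature listed earlier means one failing control surfaces under several frameworks at once. The following Go program is an added example, not AuditKit's own code and not its documented JSON schema: it decodes a constructed findings file, walks a hypothetical NIST 800-53 crosswalk of the kind that feature describes, and returns a gate decision a pipeline can turn into an exit code. The `Finding` field names, the crosswalk entries and the sample findings are all assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// Finding is an assumed, simplified shape for one scanner result. AuditKit's
// real JSON schema is not shown on this page; these field names are hypothetical.
type Finding struct {
	ID       string `json:"id"`
	Status   string `json:"status"`   // "PASS", "FAIL" or "INFO"
	Severity string `json:"severity"` // "LOW", "MEDIUM", "HIGH" or "CRITICAL"
	Control  string `json:"control"`  // NIST 800-53 control the check maps to
}

// crosswalk maps a NIST 800-53 control to the requirements in other frameworks
// that reference it. Illustrative sample data, not AuditKit's own crosswalk.
var crosswalk = map[string][]string{
	"IA-5":  {"SOC2 CC6.1", "PCI-DSS 8.3", "CMMC IA.L1-3.5.2"},
	"SC-28": {"SOC2 CC6.1", "PCI-DSS 3.5", "HIPAA 164.312(a)(2)(iv)"},
	"AU-2":  {"SOC2 CC7.2", "PCI-DSS 10.2"},
	"AC-6":  {"SOC2 CC6.3", "CMMC AC.L1-3.1.1"},
}

// sampleJSON is constructed input standing in for a `-format json` scan result.
const sampleJSON = `[
  {"id":"iam-password-policy","status":"FAIL","severity":"HIGH","control":"IA-5"},
  {"id":"s3-default-encryption","status":"FAIL","severity":"MEDIUM","control":"SC-28"},
  {"id":"cloudtrail-enabled","status":"PASS","severity":"CRITICAL","control":"AU-2"},
  {"id":"root-mfa","status":"PASS","severity":"CRITICAL","control":"IA-5"},
  {"id":"iam-admin-policies","status":"INFO","severity":"LOW","control":"AC-6"}
]`

// ParseFindings decodes a findings array from scanner output.
func ParseFindings(data []byte) ([]Finding, error) {
	var findings []Finding
	if err := json.Unmarshal(data, &findings); err != nil {
		return nil, fmt.Errorf("decode findings: %w", err)
	}
	return findings, nil
}

// FailingFrameworkRefs returns the deduplicated, sorted set of framework
// requirements affected by every FAIL finding, resolved through the crosswalk.
// A single failing control therefore appears under several frameworks, which
// is exactly why fixing it improves more than one report.
func FailingFrameworkRefs(findings []Finding) []string {
	seen := map[string]bool{}
	for _, f := range findings {
		if f.Status != "FAIL" {
			continue
		}
		for _, ref := range crosswalk[f.Control] {
			seen[ref] = true
		}
	}
	refs := make([]string, 0, len(seen))
	for r := range seen {
		refs = append(refs, r)
	}
	sort.Strings(refs)
	return refs
}

// severityRank orders severities so a threshold can be compared numerically.
var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// ShouldBlock is the CI gate: true when any FAIL finding is at or above the
// threshold severity. PASS and INFO findings never block a pipeline.
func ShouldBlock(findings []Finding, threshold string) bool {
	for _, f := range findings {
		if f.Status == "FAIL" && severityRank[f.Severity] >= severityRank[threshold] {
			return true
		}
	}
	return false
}

func main() {
	findings, err := ParseFindings([]byte(sampleJSON))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, ref := range FailingFrameworkRefs(findings) {
		fmt.Println("affected requirement:", ref)
	}
	if ShouldBlock(findings, "HIGH") {
		fmt.Println("compliance gate: FAIL")
		os.Exit(1) // non-zero exit fails the pipeline stage
	}
	fmt.Println("compliance gate: PASS")
}
```

In a real pipeline you would read the file written by `-output compliance.json` instead of `sampleJSON`, and pick the threshold per environment; blocking on HIGH while only reporting MEDIUM is a common starting point. Keep the threshold, not the findings, as the tunable, so waivers stay visible in the report rather than disappearing from the gate.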
```bash
# Using provider-specific binaries (smaller, faster)
./auditkit-aws scan -framework soc2 -format pdf -output aws-soc2.pdf
./auditkit-azure scan -framework pci -format html -output azure-pci.html
./auditkit-gcp scan -framework cmmc -format json -output gcp-cmmc.json
```
```bash
# Import Prowler results
prowler aws --output-formats json -o prowler-output   # Run Prowler first
./auditkit integrate -source prowler -file prowler-output.json

# Import with PDF report
./auditkit integrate -source prowler -file prowler.json -format pdf -output prowler-report.pdf

# Import ScubaGear M365 results
./auditkit integrate -source scubagear -file scubagear-results.json
```
```bash
# Generate fix scripts (review before running!)
./auditkit fix -provider aws   # AWS remediation script
./auditkit fix -provider azure # Azure remediation script
./auditkit fix -provider gcp   # GCP remediation script
```

- Quick Start Guide - First scan in 5 minutes
- Cloud Provider Setup - AWS, Azure, GCP, M365 authentication
- Understanding Results - Pass/Fail/Info status explained
- SOC2 Type II - Trust Services Criteria
- PCI-DSS v4.0 - Payment card security
- CMMC - DoD contractor compliance
- CIS Benchmarks - Security hardening
- NIST 800-53 - Federal requirements
- All Frameworks →
- Sample Reports - See what output looks like
- Remediation Examples - How to fix issues
- CI/CD Integration - Automate compliance checks
- CLI Reference - All commands and flags
- FAQ - Common questions
- Troubleshooting - Known issues and fixes
- Prowler Integration: Import Prowler AWS/Azure/GCP results and map to compliance frameworks
- Azure Fix Scripts: Generate remediation scripts for Azure resources
- Evidence Tracker HTML: Interactive checklist with progress bar, localStorage persistence, and JSON export
- Evidence tracker now saves progress across browser sessions
- Prowler auto-detects cloud provider from scan results
- Daemon stop/status commands for continuous monitoring
- Azure MFA checks via Microsoft Graph API
- Windows daemon support
What is CIS? The Center for Internet Security publishes security configuration best practices used by organizations worldwide.
Why add CIS to AuditKit?
- Proactive security: CIS catches misconfigurations before they become incidents
- Complements compliance: SOC2/PCI/CMMC focus on audit requirements; CIS focuses on technical hardening
- Industry standard: CIS Benchmarks are referenced by cyber insurance, security frameworks, and auditors
Example: Your AWS account might pass SOC2 compliance but still have security gaps that CIS would catch (weak password policies, unnecessary services enabled, missing encryption).
We need help with:
- CIS Azure & GCP expansion (add more controls to existing implementations)
- Additional framework mappings (ISO 27001 expansion)
- FedRAMP baseline filtering for Low/Moderate/High
- Kubernetes compliance scanning
- Automated evidence collection workflows
- Additional Prowler mappings (expand framework coverage for imported findings)
Contributing Guide → • Good First Issues →
- Community Support: GitHub Issues
- Security Issues: SECURITY.md
- Newsletter: auditkit.substack.com
- AuditKit Support: Priority email + Slack channel (info@auditkit.io)
Apache 2.0 - Use freely, even commercially. See LICENSE for details.
AuditKit is built by current defense sector professionals with deep expertise in compliance and cloud security. We ship working software monthly instead of enterprise vaporware.
Our Background:
- Active security clearance holders
- 15+ years in defense sector compliance
- Former and current defense contractor (understand CMMC pain firsthand)
- Built compliance tools used by Fortune 500 companies
Our Philosophy:
- Ship features, not promises
- Open source first, paid tier for advanced needs
- Documentation that doesn't suck
- Responsive support (we actually read your issues)
Questions? Email: hello@auditkit.io


