
Scan checks

What the scan validates — and what it does not.

Five public checks in plain language. The scan is read-only and discovery-first; it does not certify, audit, or remediate.


client@site:~$ vishcore scan --target client-prod --mode read-only

- read-only metadata collection
- no writes, no remediation, no secret reads
- control-discovery report, not an audit opinion

Public scan-check contract

These are the five checks published in the public scan-check contract at /api/scan-checks.json. A real engagement may evaluate additional approved tests, but these five checks are the public contract.

S3 public access posture
Sample status: OK

What it validates
Account-level Block Public Access setting and bucket-level public access block configuration for every S3 bucket in scope.
What it does not validate
Bucket contents, individual object ACLs outside the public access block path, S3 encryption settings, or versioning state.
Boundary
Read-only metadata only. No object contents or access patterns are inspected.
Root MFA and IAM control basics
Sample status: OK

What it validates
Root account MFA status, root access key presence, IAM password policy, console users without MFA, and stale active IAM access keys.
What it does not validate
IAM Identity Center, SSO, SAML federation, or temporary session policies. Admin escalation through attached policies is noted but not blocked by the scan.
Boundary
Read-only IAM metadata. No credential values or secret material is accessed.
CloudTrail multi-region logging and validation
Sample status: GAP

What it validates
Presence of a multi-region CloudTrail with log-file validation enabled. Checks whether the trail is encrypted with a KMS key.
What it does not validate
Custom event selectors, CloudWatch Logs integration, log integrity proof, or SIEM forwarding configuration.
Boundary
Read-only trail metadata. No log contents or data-plane events are read.

Sample note: no multi-region trail with log-file validation

RDS encryption and backup posture
Sample status: OK

What it validates
RDS DB instance and cluster encryption at rest, backup retention period, and deletion protection.
What it does not validate
RDS IAM authentication, Performance Insights, in-transit TLS specifics, or database-level access controls.
Boundary
Read-only instance and cluster metadata. No database contents or connection strings are accessed.
Security group open ingress on sensitive ports
Sample status: GAP

What it validates
Security group rules for open ingress on sensitive ports such as SSH (tcp/22) and RDP (tcp/3389) across all regions in scope.
What it does not validate
Egress rules, network ACLs, VPC flow logs, or application-layer firewall policies such as AWS WAF.
Boundary
Read-only security group metadata. No traffic capture or packet inspection is performed.

Sample note: security-group:1 allows 0.0.0.0/0 on tcp/22
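The open-ingress check above, written out as an added example (not Vishcore's scanner code): it evaluates the IpPermissions shape returned by the EC2 DescribeSecurityGroups API over a constructed in-memory sample, so it runs offline and reads nothing from AWS. Group ids like "1" and the office CIDR are constructed values chosen to match the page's note format.

```python
"""Added example: read-only open-ingress check over DescribeSecurityGroups
output. Illustrative code, not Vishcore's own scanner. Input is a constructed
sample shaped like the AWS EC2 API response, so no AWS calls are made."""

SENSITIVE_PORTS = {"tcp/22": 22, "tcp/3389": 3389}  # SSH and RDP, as on the page
WORLD = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anyone" CIDRs


def _covers(rule, port):
    """True if a single IpPermissions entry admits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols and all ports, no FromPort/ToPort present
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _world_cidrs(rule):
    """CIDRs in the rule that mean 'the whole internet', v4 or v6."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def open_ingress_findings(groups):
    """Return 'security-group:<id> allows <cidr> on tcp/<port>' per finding."""
    findings = set()
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            for cidr in _world_cidrs(rule):
                for label, port in SENSITIVE_PORTS.items():
                    if _covers(rule, port):
                        findings.add(f"security-group:{sg['GroupId']} allows {cidr} on {label}")
    return sorted(findings)


# Constructed sample (ids are placeholders, not real sg-... ids):
SAMPLE_GROUPS = [
    {"GroupId": "1", "IpPermissions": [  # SSH open to the IPv4 world: finding
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "2", "IpPermissions": [  # RDP from one office CIDR: no finding
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "3", "IpPermissions": [  # all traffic from IPv6 world: two findings
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for line in open_ingress_findings(SAMPLE_GROUPS):
        print("Sample note:", line)
```

The "-1" protocol case matters in practice: an "all traffic" rule never names port 22, so a check that only compares FromPort/ToPort would miss it.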

Scope and safety boundaries

The scan is strictly read-only. It does not create, modify, delete, or remediate any resource. It does not read secret values, environment variables, or data-plane contents.

Access is through a client-created cross-account IAM role with an External ID, scoped to the Vishcore scanner allowlist. The role has no write permissions and no secret-value read permissions.

The scan is not an audit opinion, a compliance certification, a penetration test, or a guarantee that an environment will meet SOC 2 or any other framework requirements.

These five checks are the public scan-check contract. A client report may include additional approved tests, scoped and delivered separately.