What cloud providers are supported?
InfraAudit supports AWS, Google Cloud Platform, Microsoft Azure, and Kubernetes. You can connect multiple accounts per provider — for example, multiple AWS accounts — and manage them all from the same InfraAudit workspace.
For setup instructions, see the Integrations section.
Is there a free tier?
Yes. The Community edition is free, MIT-licensed, and self-hosted. It includes every feature in the documentation: unlimited connected cloud accounts, all cloud providers, all compliance frameworks, AI recommendations (requires a Gemini API key), and full API and CLI access.
SaaS editions (Starter, Professional, Enterprise) add managed hosting, longer data retention, and commercial support. See the Editions table for a comparison.
What's the difference between Community and SaaS editions?
The features are identical across all editions. The differences are operational:
| | Community | Starter | Professional | Enterprise |
|---|---|---|---|---|
| Hosting | Self-hosted | Managed | Managed | Managed or self-hosted |
| Resources | Unlimited | Up to 50 | Up to 200 | Unlimited |
| Support | Community (GitHub) | Priority email | Dedicated + SLA | |
| Enterprise SSO | No | No | No | Yes |
If you’re evaluating InfraAudit, the Community edition gives you the full feature set with no time limit.
How does InfraAudit handle my cloud credentials?
Your cloud credentials (AWS access keys, GCP service account JSON, Azure service principal secrets) are encrypted at rest using AES-256-GCM before being stored in the database. The encryption key (ENCRYPTION_KEY) is never written to the database — only to your environment configuration.
All scanning is read-only. InfraAudit never modifies your cloud resources during discovery, drift detection, vulnerability scanning, or compliance assessment. Changes only happen through remediation actions, and only when you explicitly approve and execute one.
See Secrets and encryption for more detail on how the encryption works.
Does InfraAudit make changes to my infrastructure automatically?
No. All discovery, scanning, and assessment operations are strictly read-only. InfraAudit can propose remediation actions, but it will not execute them without your explicit approval (controlled by the REMEDIATION_REQUIRE_APPROVAL setting, which defaults to true).
Can I run InfraAudit in a private network?
Yes. InfraAudit runs entirely on your infrastructure and only needs outbound network access to reach your cloud provider APIs. The AI recommendation feature requires outbound access to Google’s Gemini API, but if you don’t set GEMINI_API_KEY, it falls back to rule-based recommendations that run fully offline.
For Kubernetes deployments in air-gapped environments, you can also configure a custom Trivy database mirror via TRIVY_DB_REPOSITORY.
How often are scans run automatically?
The default schedule for each background job:
| Job | Default schedule |
|---|---|
| Resource inventory sync | Every 6 hours |
| Drift detection | Every 4 hours |
| Vulnerability scan | Daily at 02:00 |
| Cost sync | Daily at 03:00 |
| Compliance assessment | Daily at 04:00 |
You can change any of these by setting the corresponding JOB_*_SCHEDULE environment variable to a cron expression. You can also trigger any scan manually from the dashboard or CLI.
What compliance frameworks are supported?
InfraAudit includes built-in support for:
- CIS AWS Foundations Benchmark
- CIS GCP Foundations Benchmark
- CIS Azure Foundations Benchmark
- SOC 2 (Type II control mapping)
- NIST SP 800-53
- PCI-DSS
- HIPAA
Can I use SQLite instead of PostgreSQL?
Yes, for development and small single-user deployments. Set DB_DRIVER=sqlite and SQLITE_PATH=./infraudit.db. SQLite is not recommended for production — it does not support concurrent writes well and lacks managed backup tooling.
Why does the backend require Supabase?
Supabase provides the authentication layer: JWT signing, OAuth with Google and GitHub, and user session management. InfraAudit does not maintain its own user database.
A community PR to support an alternative auth backend (e.g. Keycloak or a native user table) would be welcome. See the Contributing guidelines.
What happens if I lose the ENCRYPTION_KEY?
Stored cloud credentials become permanently unreadable. You will need to disconnect and reconnect every provider. The credentials themselves (the cloud provider keys) are unaffected — only the copies stored in InfraAudit’s database are inaccessible.
Back up your ENCRYPTION_KEY in a secrets manager before going to production.
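The AES-256-GCM at-rest encryption from the credentials answer and the lost-key behaviour described here, as an added Go example that is not InfraAudit's own code. The hex key encoding, the nonce || ciphertext || tag record layout, and the names NewAEAD, Seal and Open are assumptions of this sketch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// NewAEAD builds AES-256-GCM from a hex-encoded 32-byte key (hex is this example's assumption).
func NewAEAD(hexKey string) (cipher.AEAD, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("key must be 64 hex characters (32 bytes)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag (record layout assumed for this example).
func Seal(gcm cipher.AEAD, secret []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, secret, nil), nil
}

// Open fails the GCM tag check if the key differs or the record was altered.
func Open(gcm cipher.AEAD, record []byte) ([]byte, error) {
	n := gcm.NonceSize()
	if len(record) < n {
		return nil, fmt.Errorf("record shorter than nonce")
	}
	return gcm.Open(nil, record[:n], record[n:], nil)
}

func main() {
	// Constructed demo keys; a real key must come from a CSPRNG.
	original, _ := NewAEAD("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
	replacement, _ := NewAEAD("ff0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
	record, _ := Seal(original, []byte("constructed-aws-secret"))
	plain, err := Open(original, record)
	_, lostErr := Open(replacement, record)
	fmt.Printf("original key: %q (%v); replacement key: %v\n", plain, err, lostErr)
}
```

Generating a new key after losing the original gives the same result as the replacement key here: the stored record fails authentication and nothing is recovered.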