Go-Hunter: Multi-Cloud Attack Surface Management
Cloud security platform for discovering and monitoring assets across AWS, GCP, Azure, Cloudflare, and DigitalOcean.
What It Does
Attack surface management answers: “What’s exposed to the internet?” Organizations spin up cloud resources constantly. VMs, storage buckets, DNS records, load balancers—each is a potential entry point. Go-Hunter discovers these assets, scans them for misconfigurations, and tracks changes over time.
The multi-cloud angle matters. Reality is messy and most companies us multiple providers. Switching between them is a pain and the goal with Go-Hunter is to solve this.
Cloud Integrations
Each provider has an integration module:
AWS: EC2 instances, S3 buckets, Route53 zones, ELBs. Uses IAM credentials with read-only policies.
GCP: Compute instances, Cloud Storage, Cloud DNS. Service account with Viewer role.
Azure: Virtual Machines, Storage Accounts, DNS zones. App registration with Reader role.
Cloudflare: DNS records, zones. API token with read permissions.
DigitalOcean: Droplets, Spaces, domains. Personal access token.
Credentials are encrypted at rest using age. Each organization’s credentials are isolated—multi-tenant from the start.
Architecture
The API server (Chi router) handles HTTP requests and serves the HTMX dashboard. It’s stateless—all state lives in PostgreSQL.
Background workers (Asynq + Redis) run discovery and scanning jobs. Workers pull from a queue, execute scans, write results back to Postgres. Horizontal scaling is trivial—add more workers.
The data model: Organizations have Users and Credentials. Scans produce Assets. Assets have Findings (open ports, misconfigs). Everything is timestamped for historical queries.
Scanning Capabilities
Asset discovery: Enumerates all resources from cloud APIs. Runs on schedule or on-demand.
Port scanning: TCP connect scan on common ports. Identifies running services.
S3 bucket checks: Tests for public access, ACL misconfigurations.
Service detection: Banner grabbing to identify software versions.
Drift detection: SHA256 hash of asset state. Alerts when configurations change.
Challenges & Lessons
Rate limiting across providers required careful tuning. AWS throttles aggressively. The solution: per-provider rate limiters with exponential backoff. Scans take longer but don’t get blocked.
Credential security was non-negotiable. Encrypting at rest, never logging secrets, audit trails for access. The age library made encryption straightforward.
Scale testing revealed database bottlenecks. Indexing asset lookups and batching inserts got us to 1K assets/minute.
Security Considerations
Credentials are encrypted with age before storage. Decryption happens in-memory only when needed for scans.
Multi-tenant isolation uses row-level filtering. Every query includes organization ID. No cross-tenant data leakage.
Audit logging tracks credential access, scan initiation, and configuration changes. If something goes wrong, there’s a trail.
What I’d Do Differently
The HTMX dashboard works but feels limited for complex filtering. A proper frontend framework might be worth the complexity for power users.
I’d add vulnerability correlation earlier. Right now it finds open ports but doesn’t cross-reference with CVE databases. That’s the natural next step.