Welcome to Casefile
Casefile is a VS Code workbench for authorized cloud security assessments. It pairs a read-only inventory of AWS, Google Cloud, and Azure with a guarded runner for well-known security tools and a normalized findings view, so the scope, tools, evidence, and report of an engagement stay together in one portable case.
It ships as the Cloud Security Workbench extension and lives in its own activity-bar container, with five views: Case, Account, Infrastructure, Security Tools, and Findings.
:::warning Authorized use only Casefile coordinates real offensive and auditing tools. Only run it against accounts you are explicitly authorized to assess, from a dedicated least-privilege role, ideally in an isolated test account. These tools can disrupt services, incur cost, expose data, or delete resources. :::
Who it is for
Cloud security assessors, red teams, and consultants who run the same recon and audit tools against AWS, GCP, and Azure and need to keep defensible evidence and produce a client-ready report, without stitching together a folder of shell logs by hand.
How an assessment flows
- Sign in once. Add access keys, validated with
sts:GetCallerIdentityand stored in VS Code SecretStorage. Keys are never written to settings or tool output. - Map the account. Pull a read-only inventory (EC2, S3, IAM, Lambda, RDS, ECS, EKS, CloudFormation, and the GCP/Azure equivalents) across your configured regions.
- Run the toolkit. Pick from a catalog of 40 tools. Each runs as a direct process (no shell), streaming redacted output, with credentials injected only into tools that need them.
- Triage findings. Output is normalized and de-duplicated into a searchable findings view with severity, tool, and status filters, drill-down, notes, and an open / acknowledged / resolved / ignored workflow.
- Generate the report. One command compiles scope, account identity, severity counts, tool
activity, findings, hashed evidence, and your notes into a single
report.md.
What makes it a case
Starting a case creates a portable directory that the extension keeps up to date as you work:
case-name/
├── case.json # scope and account identity
├── inventory.json # infrastructure snapshot
├── findings.json # normalized, de-duplicated findings
├── notes.md # your analyst notes
├── report.md # the generated report
├── runs/ # sanitized per-tool run output
├── outputs/ # generated tables and loot files
└── evidence/ # raw artifacts, copied byte-for-byte and SHA-256 indexed
Evidence is copied into the case unchanged and indexed with SHA-256 hashes, so what you hand over is traceable back to the run that produced it.
The guardrails
- No shell. Tools run as direct processes, which removes command-injection risk from arguments.
- Credential isolation. AWS/GCP/Azure keys reach only the tools whose catalog entry requires them. Repository and public-target scanners never receive cloud credentials.
- Risk gates. Every tool is tiered.
assessmenttools run after an authorization confirmation,activetools carry a stronger warning, and the singledestructivetool is disabled by default and requires typed, account-specific confirmation. - Redaction. Process output is sanitized before it is shown or stored.
Next steps
Use the sidebar to explore the docs. Casefile is in early access, so if you want it for your engagements, join the waitlist.