Context
cloudgov produces a single-shot HTML report from one scan. TemplateData (internal/report/report.go:28) carries TotalFindings, severity counts Critical/High/Medium/Low (from report.Summary.BySeverity, report.go:166-170), and per-domain findings (IAMFindings, StorageFindings, NetworkFindings, CertFindings, TagFindings, SecretFindings). Render (report.go:96) writes static HTML — there is no time-series, so governance posture can't be tracked over time (the dashboards audit graded cloudgov F on this basis: static report, nothing to back a trend dashboard).
Decision needed first
cloudgov is a single-shot CLI (CI/local), so "no Grafana dashboard" is a defensible end state — a per-run HTML report + SARIF gate may be all that's wanted. File this to make the choice explicit rather than leave the F unexplained.
If posture-over-time IS wanted, the fix:
Proposed (if pursuing the trend dashboard)
Add an exporter that pushes each scan's posture as metrics to a sink (Prometheus pushgateway / OTLP / CloudWatch — CLI runs can't be scraped). Metrics (labels: account, region, domain, severity):
cloudgov_findings ← BySeverity + per-domain counts (report.go:154-170)
cloudgov_critical_findings ← Critical
cloudgov_drift_resources ← the drift command's diff count
cloudgov_orphan_cost_usd ← the orphans command's estimated monthly cost
Then a governance-posture GrafanaDashboard CR (trend of critical findings, findings by domain/severity over time, drift rate, orphan-cost trend) + alerts (critical-finding spike, drift threshold). Delivery is push-based (the CLI runs in CI), unlike the scrape-based service dashboards.
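As an added worked example (not cloudgov's code), the push side of that exporter using only the Go standard library: a stand-in posture summary is rendered in the Prometheus text exposition format and PUT to a Pushgateway under a grouping key of account and region. The `Posture` struct, the `RenderMetrics`/`Push`/`SamplePosture` names and the sample account id and region are assumptions for illustration; the `/metrics/job/<job>/<label>/<value>` path, the PUT-replaces-group semantics and the `text/plain; version=0.0.4` content type are Pushgateway and Prometheus conventions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"sort"
	"strings"
)

// Posture is the per-scan summary an exporter would read off the report after
// Render. It is a stand-in for this example, not cloudgov's TemplateData; the
// count fields mirror the metrics listed in the proposal.
type Posture struct {
	Account       string         // grouping-key label (URL path), must be non-empty
	Region        string         // grouping-key label (URL path), must be non-empty
	BySeverity    map[string]int // Critical/High/Medium/Low -> finding count
	ByDomain      map[string]int // iam/storage/network/cert/tag/secret -> finding count
	DriftCount    int            // the drift command's diff count
	OrphanCostUSD float64        // the orphans command's estimated monthly cost
}

// SamplePosture returns constructed sample data (made-up account id and region)
// so the example runs offline.
func SamplePosture() Posture {
	return Posture{
		Account:       "123456789012",
		Region:        "us-east-1",
		BySeverity:    map[string]int{"Critical": 2, "High": 5, "Medium": 11, "Low": 3},
		ByDomain:      map[string]int{"iam": 7, "storage": 6, "network": 4, "cert": 1, "tag": 2, "secret": 1},
		DriftCount:    4,
		OrphanCostUSD: 137.5,
	}
}

// escapeLabel applies the three escapes the Prometheus text format defines for
// label values: backslash, double quote and newline.
func escapeLabel(v string) string {
	v = strings.ReplaceAll(v, `\`, `\\`)
	v = strings.ReplaceAll(v, "\n", `\n`)
	v = strings.ReplaceAll(v, `"`, `\"`)
	return v
}

func sortedKeys(m map[string]int) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// RenderMetrics writes the posture in the Prometheus text exposition format.
// account and region travel in the Pushgateway grouping key (see Push), so only
// severity and domain appear as sample labels. Map keys are sorted so two
// renders of the same posture are byte-identical.
func RenderMetrics(p Posture) string {
	var b strings.Builder
	b.WriteString("# TYPE cloudgov_findings gauge\n")
	for _, sev := range sortedKeys(p.BySeverity) {
		fmt.Fprintf(&b, "cloudgov_findings{severity=\"%s\"} %d\n", escapeLabel(sev), p.BySeverity[sev])
	}
	for _, dom := range sortedKeys(p.ByDomain) {
		fmt.Fprintf(&b, "cloudgov_findings{domain=\"%s\"} %d\n", escapeLabel(dom), p.ByDomain[dom])
	}
	b.WriteString("# TYPE cloudgov_critical_findings gauge\n")
	fmt.Fprintf(&b, "cloudgov_critical_findings %d\n", p.BySeverity["Critical"])
	b.WriteString("# TYPE cloudgov_drift_resources gauge\n")
	fmt.Fprintf(&b, "cloudgov_drift_resources %d\n", p.DriftCount)
	b.WriteString("# TYPE cloudgov_orphan_cost_usd gauge\n")
	fmt.Fprintf(&b, "cloudgov_orphan_cost_usd %g\n", p.OrphanCostUSD)
	return b.String()
}

// Push PUTs the rendered metrics to <base>/metrics/job/<job>/account/<a>/region/<r>.
// PUT replaces every metric previously stored under that grouping key, which is
// what a fresh scan should do; POST would only replace same-named metrics.
// Empty grouping labels are rejected up front: they would yield an invalid path.
func Push(client *http.Client, base, job string, p Posture) error {
	if p.Account == "" || p.Region == "" {
		return fmt.Errorf("push: account and region must be set (grouping-key labels cannot be empty)")
	}
	endpoint := fmt.Sprintf("%s/metrics/job/%s/account/%s/region/%s",
		strings.TrimRight(base, "/"), url.PathEscape(job), url.PathEscape(p.Account), url.PathEscape(p.Region))
	req, err := http.NewRequest(http.MethodPut, endpoint, strings.NewReader(RenderMetrics(p)))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "text/plain; version=0.0.4")
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return fmt.Errorf("push: gateway returned %s", resp.Status)
	}
	return nil
}

func main() {
	// Stand-alone run: show what one scan's push body looks like.
	fmt.Print(RenderMetrics(SamplePosture()))
}
```

In CI this would run once per scan, right after Render, with the account and region taken from the scan itself; Prometheus then scrapes the Pushgateway and the series backs the trend panels and the spike/threshold alerts. One caveat a practitioner should plan for: a Pushgateway keeps the last pushed value for a grouping key indefinitely, so accounts or regions that stop being scanned keep reporting their final posture until the group is explicitly deleted.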
Scope note
Deferred from the SRE-dashboards push (decision: fab/cloudgov tracked as issues). Lower priority than fab — for a CLI, a clean per-run report + SARIF may be the right end state; pursue the metrics push only if longitudinal posture tracking is a real need.