Skip to main content


When running a policy with cloudquery policy run, you can choose from several options, including a remote policy (CloudQuery Hub or GitHub), or a local policy from your filesystem.


You can run policies from the official cloudquery hub by simply specifying their name:

cloudquery policy run aws # Also accepts: "gcp", "azure", "k8s"


Local path references allow for running local policies or while developing new policies.

cloudquery policy run "./path/to/policy/directory"

A local path can be supplied either with a full path or a relative path.


When specifying a local policy, you must specify the path to a directory. This directory must contain a valid policy file named policy.hcl. See also the tutorial on custom policies.


CloudQuery will recognize prefixed URLs and interpret them automatically as Git repository sources.

cloudquery policy run

The above will clone the repository with HTTPS. To clone using SSH, use the following form: `[email protected]:cloudquery-policies/aws.git"

Generic Git Repository

Arbitrary Git repositories can be used by prefixing the address with the special git:: prefix. After this prefix, any valid Git URL can be specified to select one of the protocols supported by Git.

For example, to use HTTPS or SSH:

cloudquery policy run git::

Git repositories are cloned using the git clone command, so it will respect any local Git credentials that were already set in your system. To access private Git repositories, configure your git with the suitable credentials for that repository.


Use SSH to access private Git repositories from automated systems because it allows access to private repositories without interactive prompts.

Selecting a Revision

By default, CloudQuery will clone the latest tagged version of the policy. You can override this using the ref or @ query parameter. The value of the ref or @ parameter can be any reference accepted by the git checkout command, such as commit hash, tag name or branch.

cloudquery policy run "git::"
cloudquery policy run ""
cloudquery policy run "[email protected]"