> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cloudeval.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Evaluation methodology and attribution

> Understand how CloudEval turns cloud and IaC evidence into evaluation signals, and how third-party tools are attributed.

CloudEval's core product is the evaluation layer. It builds a project model, resolves infrastructure context, creates architecture graph and cost signals, applies reviewed scoring treatment, normalizes evidence, and turns results into reports, release gates, exports, and agent-ready context.

Pinned open-source tools contribute selected evidence to that workflow. They do not define the product experience or scoring by themselves; CloudEval attributes them clearly when their catalogs contribute observations.

<Warning>
  Applicable checks depend on provider, IaC format, resources, project configuration, and enabled policies. Not every project runs every check.
</Warning>

## CloudEval evaluation surface

| CloudEval capability                | What CloudEval adds                                                                                                      |
| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
| Project modeling                    | Source scope, provider, format, configuration, report history, sharing state, and evidence boundaries.                   |
| Architecture and dependency context | Graph, topology, relationships, affected resources, and review context.                                                  |
| Cost and FinOps context             | Cost estimates, coverage warnings, service-family summaries, and savings context for common billable Azure services.     |
| Reviewed scoring                    | Separates reviewed Well-Architected-style treatment from deployment-quality and additional IaC observations.             |
| Normalization and deduplication     | Turns multiple evidence sources into clearer findings without asking users to reconcile duplicate observations manually. |
| Release gates and reports           | Converts evidence into report sections, issue counts, gates, exports, and stakeholder-ready summaries.                   |
| Agent-ready context                 | Provides scoped report and evidence context for CLI, MCP-compatible agents, and handoff workflows.                       |
| Third-party evidence attribution    | Lists tool names, versions, licenses, and source links transparently when outside catalogs contribute observations.      |

## Published coverage counts

| Metric                         | Public wording                      | How to read it                                                                                                                                                        |
| ------------------------------ | ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| CloudEval platform coverage    | **1,700+ cloud evaluation signals** | The published lower-bound count for CloudEval evaluation signals across architecture, security, deployment quality, cost, graph, report-readiness, and IaC workflows. |
| Attributed third-party catalog | **1,650+ scanner checks**           | The published lower-bound count across pinned scanner versions before CloudEval applicability, scoring, and output treatment are applied.                             |

These are ballpark public counts, not a promise that every project runs every check. CloudEval rounds down because applicability can change when providers, IaC formats, resources, project configuration, and policies change.

## How CloudEval uses evidence

```mermaid theme={null}
%%{init: {"flowchart": {"nodeSpacing": 34, "rankSpacing": 48, "curve": "basis"}, "themeVariables": {"fontSize": "16px"}}}%%
flowchart LR
  projectInputs["Cloud, IaC, repository,<br/>and project configuration"]:::input --> projectModel["CloudEval project model"]:::core

  projectModel --> architectureContext["Architecture graph<br/>and dependencies"]:::cloudeval
  projectModel --> costContext["Cost and FinOps<br/>context"]:::cloudeval
  projectModel --> reviewedScoring["Reviewed scoring<br/>and policy treatment"]:::cloudeval
  projectModel --> evidenceLayer["Evidence normalization<br/>and deduplication"]:::core

  thirdPartyCatalogs["Pinned open-source<br/>tool catalogs"]:::scanner --> evidenceLayer
  architectureContext --> evidenceLayer
  costContext --> evidenceLayer
  reviewedScoring --> evidenceLayer

  evidenceLayer --> cloudEvaluationReport["Cloud Evaluation report"]:::output
  evidenceLayer --> releaseGates["Release gates"]:::output
  evidenceLayer --> evaluationExports["PDF, Markdown,<br/>JSON, and agent context"]:::output
  evidenceLayer --> notAssessed["Not assessed<br/>where unsupported"]:::muted

  classDef input fill:#E0F2FE,stroke:#0284C7,color:#082F49,stroke-width:2px;
  classDef core fill:#CCFBF1,stroke:#0F766E,color:#134E4A,stroke-width:3px;
  classDef cloudeval fill:#DCFCE7,stroke:#16A34A,color:#14532D,stroke-width:2px;
  classDef scanner fill:#FEF3C7,stroke:#D97706,color:#451A03,stroke-width:2px;
  classDef output fill:#EDE9FE,stroke:#7C3AED,color:#3B0764,stroke-width:2px;
  classDef muted fill:#E5E7EB,stroke:#6B7280,color:#374151,stroke-width:2px;
```

## Third-party catalog snapshot

Snapshot date: **July 11, 2026**.

| Workflow           | Approximate scanner-native checks |
| ------------------ | --------------------------------: |
| Azure ARM          |                           **743** |
| Azure Bicep        |                           **684** |
| AWS CloudFormation |                           **460** |
| AWS Terraform      |                           **455** |
| Azure Terraform    |                           **302** |

<Note>
  Workflow counts overlap and must not be added together. A scanner check can apply to more than one workflow or IaC format.
</Note>

## Third-party roles

| Tool                                                                                   | Pinned version    | Provider and format                                                     | Role inside CloudEval                                                  | Default output treatment                                                              |
| -------------------------------------------------------------------------------------- | ----------------- | ----------------------------------------------------------------------- | ---------------------------------------------------------------------- | ------------------------------------------------------------------------------------- |
| [PSRule.Rules.Azure](https://github.com/Azure/PSRule.Rules.Azure)                      | `1.47.0`          | Azure ARM and Bicep-generated ARM                                       | Azure architecture evidence                                            | Reviewed Azure architecture mappings can contribute to CloudEval architecture review. |
| [ARM TTK](https://github.com/Azure/arm-ttk)                                            | `20250401 (0.26)` | Azure ARM                                                               | Template deployment-quality evidence                                   | Deployment quality.                                                                   |
| [Checkov](https://github.com/bridgecrewio/checkov)                                     | `3.3.6`           | ARM, Bicep-generated ARM, CloudFormation, and Terraform where supported | Additional IaC evidence                                                | Additional IaC findings unless CloudEval has reviewed a different output treatment.   |
| [cfn-lint](https://github.com/aws-cloudformation/cfn-lint)                             | `1.52.1`          | AWS CloudFormation                                                      | CloudFormation syntax, resource model, and deployment-quality evidence | Deployment quality.                                                                   |
| [AWS CloudFormation Guard](https://github.com/aws-cloudformation/cloudformation-guard) | `3.2.0`           | AWS CloudFormation                                                      | AWS beta policy evidence and release-gate evaluation                   | Reviewed AWS beta controls where CloudEval supports that treatment.                   |

## Count methodology

| Method                      | Public behavior                                                                                                                                                                                          |
| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Platform signal count       | `1,700+ cloud evaluation signals` covers CloudEval platform output, not just scanner-native checks.                                                                                                      |
| Pinned third-party versions | Catalog counts are taken from the tool versions listed above.                                                                                                                                            |
| Double-count prevention     | The same third-party check is not counted twice merely because it can apply to more than one workflow.                                                                                                   |
| Workflow applicability      | Workflow rows show where those checks can apply. They overlap and are not additive.                                                                                                                      |
| Reviewed treatment          | Only checks CloudEval has reviewed for architecture scoring contribute to Well-Architected-style review. Other observations stay in deployment quality, additional IaC findings, or release-gate output. |
| Not assessed behavior       | Unsupported provider, format, resource, or policy areas should be shown as `Not assessed`, not as pass, fail, or zero risk.                                                                              |

## Licensing and attribution

CloudEval integrates permissively licensed open-source tools as evidence sources. CloudEval independently evaluates, normalizes, and presents results. These third-party projects are independent of CloudEval; no affiliation, certification, sponsorship, or approval is implied.

| Project                          | License    | Source and license                                                                                                                                            |
| -------------------------------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| PSRule.Rules.Azure `1.47.0`      | MIT        | [Source](https://github.com/Azure/PSRule.Rules.Azure), [License](https://github.com/Azure/PSRule.Rules.Azure/blob/main/LICENSE)                               |
| ARM TTK `20250401 (0.26)`        | MIT        | [Source](https://github.com/Azure/arm-ttk), [License](https://github.com/Azure/arm-ttk/blob/master/LICENSE)                                                   |
| Checkov `3.3.6`                  | Apache-2.0 | [Source](https://github.com/bridgecrewio/checkov), [License](https://github.com/bridgecrewio/checkov/blob/main/LICENSE)                                       |
| cfn-lint `1.52.1`                | MIT-0      | [Source](https://github.com/aws-cloudformation/cfn-lint), [License](https://github.com/aws-cloudformation/cfn-lint/blob/main/LICENSE)                         |
| AWS CloudFormation Guard `3.2.0` | Apache-2.0 | [Source](https://github.com/aws-cloudformation/cloudformation-guard), [License](https://github.com/aws-cloudformation/cloudformation-guard/blob/main/LICENSE) |

CloudEval uses project names as text attribution. It does not use project logos unless separate trademark clearance exists.

## Coverage boundaries

* The `1,700+ cloud evaluation signals` count is a CloudEval platform count, not a scanner-rule total.
* Workflow counts overlap and are not additive.
* Not every project runs every signal.
* AWS CloudFormation beta support is not an end-to-end AWS Well-Architected assessment.
* Checkov observations appear as additional IaC findings unless CloudEval has reviewed a different output treatment.
* Third-party projects are independent; no affiliation, certification, sponsorship, or approval is implied.

## Related pages

* [Evaluation coverage](/reference/evaluation-coverage)
* [Cloud and IaC support](/cloud-support)
* [Feature matrix](/feature-availability)
* [Data and model boundaries](/reference/data-and-model-boundaries)
* [Report types and statuses](/reference/report-types-and-statuses)
