Security & Trust

How CloudCostChefs presents download verification, tool trust metadata, and safe usage guidance.

Last reviewed: February 23, 2026
Blaze says: Treat every script like production infrastructure: verify integrity, confirm scope, and test in a sandbox before rollout.

What this page covers

CloudCostChefs publishes tools, scripts, and operational guides for FinOps and cloud cost optimization. This page explains how we present trust metadata, how to verify downloadable files, and how to safely evaluate tools before running them in production.

The goal is simple: reduce uncertainty before users download or run anything.

Download verification and trust metadata

  • Tool documentation pages include trust and run-safety metadata such as change risk, distribution type, minimum access, execution type, version, and last tested date.
  • When a tool is distributed as a local downloadable artifact, we publish a SHA256 checksum in the trust panel whenever available.
  • If a checksum or test date is not published, the trust panel states that explicitly instead of implying the data exists.
  • Verification notes and safety checklists are shown per tool so users understand how to test safely before production use.

Safe usage expectations

  • Review scripts and configuration before running them in production, especially tools that can modify tags, budgets, schedules, or policy assignments.
  • Start in a limited scope (sandbox subscription/account/project/tenancy) before broad rollout.
  • Use least-privilege credentials and role assignments for both discovery and remediation.
  • Validate findings with workload owners before cleanup or rightsizing changes.
  • Protect generated reports and exports if they contain resource names, tags, or ownership metadata.

Security issue reporting

If you believe you found a security issue in the website or tooling content, use the Responsible Disclosure process. Please do not publicly disclose issues before giving us a reasonable opportunity to review and respond.

See the full process on the Responsible Disclosure page.

How to verify a SHA256 checksum

Compare the checksum shown in the tool trust panel with a locally computed SHA256 checksum before running a downloaded file.

macOS / Linux

shasum -a 256 /path/to/file.zip

PowerShell (Windows)

Get-FileHash C:\path\to\file.zip -Algorithm SHA256
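
The macOS / Linux comparison above can be scripted so that a mismatch returns a failing exit code instead of depending on a visual comparison of 64 characters. This is an added example, not a CloudCostChefs tool; the function name verify_sha256 and its exit codes (0 match, 1 mismatch, 2 unusable input) are assumptions made for illustration.

```shell
# Added example: verify_sha256 is a hypothetical helper, not part of any published tool.
# Usage: verify_sha256 <file> <expected-sha256-from-trust-panel>
verify_sha256() {
    file=$1
    expected=$2

    if [ ! -f "$file" ]; then
        echo "verify_sha256: no such file: $file" >&2
        return 2
    fi

    # Normalise the published value: strip whitespace, lowercase the hex digits.
    expected=$(printf '%s' "$expected" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    # Reject anything that is not exactly 64 hex characters, so a truncated
    # or mis-pasted checksum can never be treated as a match.
    case $expected in
        *[!0-9a-f]*) echo "verify_sha256: expected value is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "verify_sha256: expected value must be 64 hex characters" >&2
        return 2
    fi

    # sha256sum is usual on Linux, shasum on macOS; use whichever exists.
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum < "$file")
    elif command -v shasum >/dev/null 2>&1; then
        actual=$(shasum -a 256 < "$file")
    else
        echo "verify_sha256: no SHA256 tool found" >&2
        return 2
    fi
    actual=${actual%% *}   # keep only the digest, drop the trailing "  -"

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published checksum"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}
```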

Questions or reports

Contact mathieu@cloudcostchefs.com for policy questions. For security issues, use the disclosure process on the Responsible Disclosure page.

These pages are operational policy references and may be updated as tools, hosting, or data handling practices change.