@shieldly/cdk-guard

Catch risky IAM policies and CloudFormation misconfigurations on every cdk synth — before you deploy.

Install

npm install --save-dev @shieldly/cdk-guard

Get an API key at shieldly.io/app/api (Builder plan or above; a free demo runs without a key).

1. CLI — no code changes

Runs cdk synth, then analyzes all synthesized stacks:

npx @shieldly/cdk-guard

# Pass extra cdk synth flags after --
npx @shieldly/cdk-guard -- --context env=prod

# Fail only on Critical findings
npx @shieldly/cdk-guard --fail-on Critical

# Analyze an existing cdk.out/ without re-synthesizing
npx @shieldly/cdk-guard --no-synth --out-dir cdk.out

# JSON output for scripting
npx @shieldly/cdk-guard --format json | jq '.[].findings[]'

2. CDK Construct — hook-based

Add ShieldlyGuard to your CDK app (JavaScript/TypeScript). It runs automatically after cdk synth via process.on('beforeExit') — no explicit call needed.

import * as cdk from 'aws-cdk-lib';
import { ShieldlyGuard } from '@shieldly/cdk-guard';

const app = new cdk.App();
// Registers a process.on('beforeExit') hook; analysis runs once synth has finished.
new ShieldlyGuard({ failOn: 'High' });

new MyStack(app, 'MyStack'); // MyStack is your own cdk.Stack subclass

Option   Type     Default                  Description
apiKey   string   SHIELDLY_API_KEY env     Shieldly API key
failOn   string   'High'                   Exit code 1 if findings at or above this severity
outDir   string   'cdk.out'                CDK output directory to analyze
apiUrl   string   https://api.shieldly.io  Override for self-hosted / dev
silent   boolean  false                    Suppress all console output

3. Explicit post-synth (ESM)

import * as cdk from 'aws-cdk-lib';
import { shieldlyGuard } from '@shieldly/cdk-guard';

const app = new cdk.App();
const stack = new MyStack(app, 'MyStack');
const assembly = app.synth();

const { failed } = await shieldlyGuard(assembly.directory, { failOn: 'High' });
if (failed) process.exit(1);
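
Added example, not part of @shieldly/cdk-guard: a small JavaScript gate that re-applies the failOn rule from the options table to the CLI's --format json report and prints a per-stack count, for pipelines that want a summary as well as an exit status. Assumptions not documented on this page: the report is an array of stack objects with stackName and findings, each finding has severity and title, and severities rank Low < Medium < High < Critical.

```javascript
// Added example, not part of @shieldly/cdk-guard. Assumed (undocumented here):
// report = [{ stackName, findings: [{ severity, title }] }] and the ordering
// Low < Medium < High < Critical. Only `.[].findings[]` is shown on the page.
const SEVERITY_RANK = { Low: 0, Medium: 1, High: 2, Critical: 3 };

function rank(severity) {
  const r = SEVERITY_RANK[severity];
  if (r === undefined) throw new Error(`unknown severity: ${severity}`);
  return r;
}

// Mirrors the CLI's failOn rule: failed is true when any finding is at or
// above the threshold. counts is { stackName: { severity: n } } for a summary.
function evaluateReport(report, failOn = 'High') {
  const threshold = rank(failOn);
  const counts = {};
  let failed = false;
  for (const stack of report) {
    const perStack = {};
    for (const f of stack.findings ?? []) {
      perStack[f.severity] = (perStack[f.severity] ?? 0) + 1;
      if (rank(f.severity) >= threshold) failed = true;
    }
    counts[stack.stackName] = perStack;
  }
  return { failed, counts };
}

// Constructed sample in the shape the CLI's JSON output is assumed to take.
const SAMPLE_REPORT = [
  { stackName: 'MyStack', findings: [
    { severity: 'Critical', title: 'IAM policy allows all actions on all resources' },
    { severity: 'Low', title: 'S3 bucket has no lifecycle rule' },
  ] },
  { stackName: 'NetworkStack', findings: [
    { severity: 'Medium', title: 'Security group ingress open to 0.0.0.0/0' },
  ] },
];

// Usage: in CI, JSON.parse the CLI's stdout and pass it in place of the sample.
const result = evaluateReport(SAMPLE_REPORT, process.env.FAIL_ON ?? 'High');
console.log(JSON.stringify(result.counts, null, 2));
console.log(result.failed ? 'gate: FAIL' : 'gate: PASS');
```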

4. cdk.json hook

Runs analysis after every cdk synth automatically — works with any CDK language:

{
  "app": "node bin/my-app.js",
  "hooks": {
    "afterSynth": ["npx", "@shieldly/cdk-guard", "--no-synth"]
  }
}

CI / CD

GitHub Actions

- name: CDK security check
  run: npx @shieldly/cdk-guard
  env:
    SHIELDLY_API_KEY: ${{ secrets.SHIELDLY_API_KEY }}

package.json scripts

{
  "scripts": {
    "synth:check": "cdk synth && npx @shieldly/cdk-guard --no-synth",
    "deploy:safe": "npx @shieldly/cdk-guard && cdk deploy"
  }
}

Privacy

Your CDK templates are never logged. Cache keys are one-way SHA-256 hashes.