# @shieldly/cdk-guard

Catch risky IAM policies and CloudFormation misconfigurations on every cdk synth — before you deploy.

## Install

```sh
npm install --save-dev @shieldly/cdk-guard
```

Get an API key at shieldly.io/app/api (Builder plan or above; a free demo runs without a key).
## 1. CLI — no code changes

Runs `cdk synth`, then analyzes all synthesized stacks:

```sh
npx @shieldly/cdk-guard

# Pass extra cdk synth flags after --
npx @shieldly/cdk-guard -- --context env=prod

# Fail only on Critical findings
npx @shieldly/cdk-guard --fail-on Critical

# Analyze an existing cdk.out/ without re-synthesizing
npx @shieldly/cdk-guard --no-synth --out-dir cdk.out

# JSON output for scripting
npx @shieldly/cdk-guard --format json | jq '.[].findings[]'
```

## 2. CDK Construct — hook-based
Add `ShieldlyGuard` to your CDK app (JavaScript/TypeScript). It runs automatically after `cdk synth` via `process.on('beforeExit')` — no explicit call needed.

```ts
import * as cdk from 'aws-cdk-lib';
import { ShieldlyGuard } from '@shieldly/cdk-guard';
import { MyStack } from './my-stack'; // your own stack; adjust the path

const app = new cdk.App();
new ShieldlyGuard({ failOn: 'High' }); // registers the beforeExit hook
new MyStack(app, 'MyStack');
```

| Option | Type | Default | Description |
|---|---|---|---|
| apiKey | string | SHIELDLY_API_KEY env | Shieldly API key |
| failOn | string | 'High' | Exit code 1 if findings at or above this severity |
| outDir | string | 'cdk.out' | CDK output directory to analyze |
| apiUrl | string | https://api.shieldly.io | Override for self-hosted / dev |
| silent | boolean | false | Suppress all console output |
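The `failOn` rule above ("exit code 1 if findings at or above this severity") is the same one a pipeline script can apply to the CLI's `--format json` output. The following is an added example, not code from @shieldly/cdk-guard; the per-finding fields (`stackName`, `severity`, `title`) and the severity ladder Low < Medium < High < Critical are assumptions, and the sample report is constructed.

```javascript
// Added example, not part of @shieldly/cdk-guard: a gate over the tool's
// `--format json` output applying the documented failOn rule (exit code 1 if
// findings at or above this severity). Assumed, not from the tool's docs: the
// report is an array of per-stack objects with a `findings` array (the README's
// jq path `.[].findings[]`), fields `stackName`/`severity`/`title`, and the
// ladder Low < Medium < High < Critical.
const SEVERITY_ORDER = ['Low', 'Medium', 'High', 'Critical'];

// Position in the ladder; unknown labels are an error rather than silently low.
function severityRank(severity) {
  const rank = SEVERITY_ORDER.indexOf(severity);
  if (rank === -1) throw new Error(`unknown severity: ${severity}`);
  return rank;
}

// All findings at or above the threshold, each tagged with its stack name.
function findingsAtOrAbove(report, failOn) {
  const threshold = severityRank(failOn);
  const hits = [];
  for (const stack of report) {
    for (const finding of stack.findings ?? []) {
      if (severityRank(finding.severity) >= threshold) {
        hits.push({ stack: stack.stackName, ...finding });
      }
    }
  }
  return hits;
}

// Exit status the gate would return: 1 when anything meets the threshold.
function exitCodeFor(report, failOn) {
  return findingsAtOrAbove(report, failOn).length > 0 ? 1 : 0;
}

// Constructed sample report (not real tool output).
const SAMPLE_REPORT = [
  { stackName: 'MyStack', findings: [
    { severity: 'Critical', title: 'IAM policy grants iam:* on all resources' },
    { severity: 'Medium', title: 'S3 bucket has no access logging' },
  ] },
  { stackName: 'NetworkStack', findings: [
    { severity: 'High', title: 'Security group ingress open to 0.0.0.0/0' },
  ] },
];

// Stand-alone run: what a `--fail-on High` gate would report for the sample.
for (const f of findingsAtOrAbove(SAMPLE_REPORT, 'High')) {
  console.log(`[${f.severity}] ${f.stack}: ${f.title}`);
}
console.log(`exit code: ${exitCodeFor(SAMPLE_REPORT, 'High')}`);
```

In a real pipeline, replace `SAMPLE_REPORT` with `JSON.parse` of the captured `--format json` output and call `process.exit(exitCodeFor(report, failOn))`.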
## 3. Explicit post-synth (ESM)

```ts
import * as cdk from 'aws-cdk-lib';
import { shieldlyGuard } from '@shieldly/cdk-guard';
import { MyStack } from './my-stack'; // your own stack; adjust the path

const app = new cdk.App();
const stack = new MyStack(app, 'MyStack');
const assembly = app.synth();

// Analyze the synthesized assembly and fail the process on High or above
const { failed } = await shieldlyGuard(assembly.directory, { failOn: 'High' });
if (failed) process.exit(1);
```

## 4. cdk.json hook
Runs analysis after every `cdk synth` automatically — works with any CDK language:

```json
{
  "app": "node bin/my-app.js",
  "hooks": {
    "afterSynth": ["npx", "@shieldly/cdk-guard", "--no-synth"]
  }
}
```

## CI / CD
### GitHub Actions

```yaml
- name: CDK security check
  run: npx @shieldly/cdk-guard
  env:
    SHIELDLY_API_KEY: ${{ secrets.SHIELDLY_API_KEY }}
```

### package.json scripts
```json
{
  "scripts": {
    "synth:check": "cdk synth && npx @shieldly/cdk-guard --no-synth",
    "deploy:safe": "npx @shieldly/cdk-guard && cdk deploy"
  }
}
```

## Privacy
Your CDK templates are never logged. Cache keys are one-way SHA-256 hashes.