Shieldly GitHub Action

Block insecure AWS infrastructure in pull requests. Runs AI-powered analysis of IAM policies and CloudFormation templates, posts the findings as a PR comment, and fails the build when any finding meets or exceeds your severity threshold.

Usage

name: Shieldly Security Check
on: [pull_request]

permissions:
  contents: read
  pull-requests: write

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: AI-Powered Security Analysis
        uses: shieldly-io/action@v1
        with:
          api-key: ${{ secrets.SHIELDLY_API_KEY }}
          scan-path: ./cdk.out
          fail-on-severity: High

Point scan-path at the IaC output produced by your synth/package step: CDK writes CloudFormation templates to ./cdk.out after cdk synth, and Serverless Framework writes to ./.serverless. A path to a single .json or .yaml file also works. If no IaC files are found under scan-path, the Action posts an informational comment and exits successfully.

An api-key is required; demo mode is not available in CI. Create a free key at shieldly.io/app/api and store it as a repository secret (SHIELDLY_API_KEY) rather than in the workflow file. The free tier covers both IAM policies and CloudFormation templates. Note that GitHub does not expose repository secrets to pull_request workflows triggered from forks, so the step cannot authenticate on fork PRs; do not work around this with pull_request_target, which would run with write permissions against untrusted code. As with any third-party action, pinning uses: to a full commit SHA instead of the mutable v1 tag ensures that a moved tag cannot silently change what runs against your templates.

Inputs

| Input | Default | Description |
|---|---|---|
| api-key | '' | Required. Shieldly API key (sk_live_...). Demo mode is not available in CI. |
| scan-path | . | Directory or file to scan. |
| fail-on-severity | High | Fail at/above this severity: Critical, High, Medium, Low, none. |
| post-pr-comment | true | Post results as a PR comment. Needs pull-requests: write. |
| github-token | '' | Token for PR comments (defaults to GITHUB_TOKEN). |
| api-url | https://api.shieldly.io | API base URL (override for dev). |

Outputs

| Output | Description |
|---|---|
| score | Security score (0–100). |
| risk-level | Overall risk: Critical, High, Medium, Low. |
| findings-count | Total findings. |
| critical-count | Number of Critical findings. |

Using outputs

- name: AI-Powered Security Analysis
  id: shieldly
  uses: shieldly-io/action@v1
  with:
    api-key: ${{ secrets.SHIELDLY_API_KEY }}

- run: echo "Score ${{ steps.shieldly.outputs.score }} (${{ steps.shieldly.outputs.risk-level }})"
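A fuller workflow, added here as an example rather than taken from the Action's own documentation: it synthesizes a CDK app before scanning (the Node setup, npm ci and cdk synth steps are assumptions about the project layout), relaxes fail-on-severity to none, and then gates the build itself on the documented outputs, failing on any Critical finding or on a score below an assumed threshold of 70, and records the result in the job summary. Outputs are passed to the shell through env rather than interpolated into run scripts, so untrusted text can never be spliced into a command.

```yaml
name: Shieldly Security Check
on: [pull_request]

permissions:
  contents: read
  pull-requests: write

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Assumed project layout: a CDK app with a package.json. Adjust to your stack.
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npx cdk synth          # writes CloudFormation templates to ./cdk.out

      - name: AI-Powered Security Analysis
        id: shieldly
        uses: shieldly-io/action@v1
        with:
          api-key: ${{ secrets.SHIELDLY_API_KEY }}
          scan-path: ./cdk.out
          fail-on-severity: none    # the gate step below decides pass/fail instead

      - name: Record the result in the job summary
        env:
          SCORE: ${{ steps.shieldly.outputs.score }}
          RISK: ${{ steps.shieldly.outputs.risk-level }}
          TOTAL: ${{ steps.shieldly.outputs.findings-count }}
          CRITICAL: ${{ steps.shieldly.outputs.critical-count }}
        run: |
          {
            echo "## Shieldly: score $SCORE/100 ($RISK)"
            echo "Findings: $TOTAL (Critical: $CRITICAL)"
          } >> "$GITHUB_STEP_SUMMARY"

      # GitHub coerces the string outputs to numbers for comparison; an empty
      # output (for example after an API error) coerces to 0, so the gate fails closed.
      - name: Block on Critical findings or a low score
        if: steps.shieldly.outputs.critical-count != 0 || steps.shieldly.outputs.score < 70
        env:
          SCORE: ${{ steps.shieldly.outputs.score }}
          CRITICAL: ${{ steps.shieldly.outputs.critical-count }}
        run: |
          echo "::error::Shieldly gate failed: critical=$CRITICAL score=$SCORE"
          exit 1
```

Setting fail-on-severity to none and gating in your own step is useful when the policy you want (a score floor, or Critical only) does not map onto a single severity threshold; if the built-in threshold is enough, keep fail-on-severity and drop the last step.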

Privacy

Shieldly does not log your policy or template input. Cache keys are one-way SHA-256 hashes of the input, so a key by itself does not reveal the policy or template it was derived from. The input is still transmitted to the API at api-url for analysis, so treat it as leaving your CI environment.