Using Shieldly with GitLab CI
Run AI-Powered analysis of AWS IAM policies or CloudFormation/CDK output as a GitLab CI job stage using @shieldly/cli — no GitLab-specific integration to install, just a job that runs the CLI.
1. Add the API key
Settings → CI/CD → Variables → add a masked, protected variable:
| Variable | Type | Purpose |
|---|---|---|
| SHIELDLY_API_KEY | CI/CD variable, masked + protected | Auth for the Shieldly API |
No key set? analyze-iam/analyze-cf still run in demo mode (rate-limited, no signup) — useful to try this before creating a key.
2. Scan an IAM policy
shieldly-iam-scan:
stage: test
image: node:24-alpine
script:
- npx @shieldly/cli analyze-iam ./iam-policy.json
variables:
SHIELDLY_API_KEY: $SHIELDLY_API_KEY3. Scan a CloudFormation / CDK template
shieldly-cf-scan:
stage: test
image: node:24-alpine
before_script:
- npm install -g aws-cdk
script:
- cdk synth
- npx @shieldly/cli analyze-cf cdk.out/
variables:
SHIELDLY_API_KEY: $SHIELDLY_API_KEYBoth commands exit non-zero when a scan finds a Critical or High severity issue — GitLab fails the job (and, with merge request pipelines, blocks the merge) automatically, no extra config needed.
Scanning Terraform instead?
See Using Shieldly with Terraform for the extraction recipe — the resulting analyze-iam call drops into a GitLab CI job exactly like the one above.
Privacy
Shieldly does not log your policy or template input. Cache keys are one-way SHA-256 hashes.