Using Shieldly with GitLab CI

Run AI-Powered analysis of AWS IAM policies or CloudFormation/CDK output as a GitLab CI job stage using @shieldly/cli — no GitLab-specific integration to install, just a job that runs the CLI.

1. Add the API key

Settings → CI/CD → Variables → add a masked, protected variable:

VariableTypePurpose
SHIELDLY_API_KEYCI/CD variable, masked + protectedAuth for the Shieldly API

No key set? analyze-iam/analyze-cf still run in demo mode (rate-limited, no signup) — useful to try this before creating a key.

2. Scan an IAM policy

shieldly-iam-scan:
  stage: test
  image: node:24-alpine
  script:
    - npx @shieldly/cli analyze-iam ./iam-policy.json
  variables:
    SHIELDLY_API_KEY: $SHIELDLY_API_KEY

3. Scan a CloudFormation / CDK template

shieldly-cf-scan:
  stage: test
  image: node:24-alpine
  before_script:
    - npm install -g aws-cdk
  script:
    - cdk synth
    - npx @shieldly/cli analyze-cf cdk.out/
  variables:
    SHIELDLY_API_KEY: $SHIELDLY_API_KEY

Both commands exit non-zero when a scan finds a Critical or High severity issue — GitLab fails the job (and, with merge request pipelines, blocks the merge) automatically, no extra config needed.

Scanning Terraform instead?

See Using Shieldly with Terraform for the extraction recipe — the resulting analyze-iam call drops into a GitLab CI job exactly like the one above.

Privacy

Shieldly does not log your policy or template input. Cache keys are one-way SHA-256 hashes.