Shieldly

Originally published at shieldly.io

Gate Insecure AWS IAM in Pull Requests with a Free GitHub Action


Most IAM problems are not caught by a clever attacker. They are caught — eventually — by an audit, months after a wildcard shipped because a deploy was blocked at 6pm. The fix is to move the check left: review the policy in the pull request, automatically, before it merges.

Why the PR Is the Right Place

By the time a misconfiguration reaches a quarterly security review, it has been live for a quarter. The PR is the moment the author has full context, the change is small, and tightening a policy costs one comment instead of a migration project.

A CI gate also takes the awkward human conversation off the table — the bot flags it, consistently, every time.

Add the Action in 3 Lines

# .github/workflows/shieldly.yml
name: IAM Security Analysis
on: [pull_request]

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: shieldly-io/action@v1
        with:
          fail-on-severity: HIGH
        env:
          SHIELDLY_API_KEY: ${{ secrets.SHIELDLY_API_KEY }}

The Action scans changed IAM policies, resource-based policies, and CloudFormation templates in the PR, posts findings as a review comment with the why and the suggested fix, and fails the check on HIGH or CRITICAL findings so risky access cannot merge unnoticed.

What It Catches

  • Wildcard Action: * and Resource: *
  • Privilege escalation paths (PassRole chains, CreatePolicyVersion, AttachUserPolicy abuse)
  • Trust policy misconfigurations (Principal: *, missing ExternalId)
  • CloudFormation roles with AdministratorAccess
  • iam:PassRole on Resource: *
  • NotAction + Effect: Allow patterns
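
To make the findings above concrete, here is a small added example (not Shieldly's code, and not what the Action itself runs) that applies the same checks to a policy document: wildcard Action on Resource, iam:PassRole on Resource *, NotAction with Effect Allow, an anonymous Principal, and a cross-account trust without sts:ExternalId. The sample policies, the account id and the severity labels assigned to each check are constructed for illustration; the fail-on-severity threshold mirrors the Action's configuration option.

```python
import json

SEVERITY = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]  # same scale as fail-on-severity

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Principal; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def find_iam_risks(policy_json):
    """Return (severity, message) findings for one identity or trust policy document."""
    findings = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        resources = _as_list(st.get("Resource"))
        principal = st.get("Principal")
        condition = st.get("Condition", {})
        if "*" in actions and "*" in resources:
            findings.append(("CRITICAL", f"Statement {i}: Action '*' on Resource '*'"))
        if "iam:passrole" in actions and "*" in resources:
            findings.append(("HIGH", f"Statement {i}: iam:PassRole on Resource '*' (any role can be passed)"))
        if "NotAction" in st:
            findings.append(("HIGH", f"Statement {i}: NotAction with Effect Allow grants everything not listed"))
        # Trust-policy checks: anonymous principal, or a cross-account principal without ExternalId
        if principal == "*" and not condition:
            findings.append(("CRITICAL", f"Statement {i}: Principal '*' with no Condition"))
        elif isinstance(principal, dict) and "AWS" in principal and "sts:assumerole" in actions:
            if "sts:ExternalId" not in json.dumps(condition):
                findings.append(("MEDIUM", f"Statement {i}: cross-account AssumeRole without sts:ExternalId"))
    return findings

def should_fail(findings, fail_on="HIGH"):
    """Mirror the Action's fail-on-severity threshold: any finding at or above it fails the check."""
    return any(SEVERITY.index(sev) >= SEVERITY.index(fail_on) for sev, _ in findings)

# Constructed sample inputs (not real policies); the account id is a placeholder.
SAMPLE_IDENTITY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
SAMPLE_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"},
]})

if __name__ == "__main__":
    for name, doc in [("identity", SAMPLE_IDENTITY_POLICY), ("trust", SAMPLE_TRUST_POLICY)]:
        found = find_iam_risks(doc)
        for sev, msg in found:
            print(f"[{sev}] {msg}")
        print(f"{name} policy: {'FAIL' if should_fail(found) else 'PASS'} at fail-on-severity HIGH")
```

Only the first three identity statements and both trust statements produce findings; the scoped s3:GetObject statement passes, which is the distinction a PR gate needs to make so it blocks wildcards without blocking every change.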

Configuration Options

- uses: shieldly-io/action@v1
  with:
    paths: "**/*.json,**/*.yaml,cdk.out/**/*.template.json"
    fail-on-severity: HIGH   # CRITICAL, HIGH, MEDIUM, LOW
    comment-on-pr: true      # Post findings as PR comment (default: true)

Free Tier

The Action works on the free plan — no credit card, no per-seat charge. Each PR scan uses analysis units from your daily quota. The free plan includes 20 analysis units/day.

Launch offer: code 90Off2M — 90% off first 2 months. Builder from $1.90/mo, includes 150 analysis units/day and priority scan queuing.

Install: github.com/shieldly-io/action

Catch IAM risks automatically — paste a policy into Shieldly's free AI-Powered analysis. No signup, no credit card.
