Originally published at shieldly.io/blog.
Most IAM problems are not caught by a clever attacker. They are caught, eventually, by an audit, months after a wildcard shipped because a deploy was blocked at 6pm. The fix is to move the check left: review the policy in the pull request, automatically, before it merges.
Why the PR Is the Right Place
By the time a misconfiguration reaches a quarterly security review, it has been live for a quarter. The PR is the moment the author has full context, the change is small, and tightening a policy costs one comment instead of a migration project.
A CI gate also takes the awkward human conversation off the table: the bot flags it, consistently, every time.
Add the Action in 3 Lines
```yaml
# .github/workflows/shieldly.yml
name: IAM Security Analysis
on: [pull_request]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: shieldly-io/action@v1
        with:
          fail-on-severity: HIGH
        env:
          SHIELDLY_API_KEY: ${{ secrets.SHIELDLY_API_KEY }}
```
The Action scans changed IAM policies, resource-based policies, and CloudFormation templates in the PR, posts findings as a review comment with the why and the suggested fix, and fails the check on HIGH or CRITICAL findings so risky access cannot merge unnoticed.
What It Catches
- Wildcard `Action: *` and `Resource: *`
- Privilege escalation paths (PassRole chains, CreatePolicyVersion, AttachUserPolicy abuse)
- Trust policy misconfigurations (`Principal: *`, missing ExternalId)
- CloudFormation roles with AdministratorAccess
- `iam:PassRole` on `Resource: *`
- `NotAction` + `Effect: Allow` patterns
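To make the list above concrete, here is a small added checker (my own example, not Shieldly's code) that implements several of these detections over parsed policy documents and CloudFormation templates: wildcard Action plus Resource, NotAction with Allow, iam:PassRole on Resource *, wildcard or ExternalId-less trust principals, and roles attaching AdministratorAccess. The sample policy and template at the bottom are constructed inputs; the finding codes are my own naming, and the ExternalId check is a conservative heuristic that flags any AWS-principal trust statement without an sts:ExternalId condition.

```python
ADMIN_ARN_SUFFIX = ":policy/AdministratorAccess"

def _as_list(value):
    """IAM accepts a bare string or a list for Action, Resource and Principal."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _has_external_id(stmt):
    """True if any Condition operator in the statement tests sts:ExternalId."""
    return any("sts:ExternalId" in keys for keys in stmt.get("Condition", {}).values())

def find_policy_risks(policy):
    """Return finding codes for one policy document (identity, resource-based or trust)."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        principal = stmt.get("Principal")
        if "*" in actions and "*" in resources:
            findings.append("WILDCARD_ACTION_AND_RESOURCE")
        if "NotAction" in stmt:  # Allow + NotAction grants everything not listed
            findings.append("NOTACTION_WITH_ALLOW")
        if "iam:passrole" in actions and "*" in resources:
            findings.append("PASSROLE_ON_ANY_RESOURCE")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append("TRUST_PRINCIPAL_WILDCARD")
        elif aws_principals and "sts:assumerole" in actions and not _has_external_id(stmt):
            findings.append("TRUST_MISSING_EXTERNAL_ID")  # heuristic: AWS-principal trust, no ExternalId
    return findings

def find_template_risks(template):
    """Flag CloudFormation roles that attach AdministratorAccess or carry a risky trust policy."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        if any(str(arn).endswith(ADMIN_ARN_SUFFIX) for arn in props.get("ManagedPolicyArns", [])):
            findings.append(f"{name}: ROLE_HAS_ADMINISTRATOR_ACCESS")
        findings += [f"{name}: {c}" for c in find_policy_risks(props.get("AssumeRolePolicyDocument", {}))]
    return findings

# Constructed sample inputs (not real policies): one identity policy and one CloudFormation template.
SAMPLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["iam:PassRole", "s3:GetObject"], "Resource": "*"},
                               {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}
SAMPLE_TEMPLATE = {"Resources": {"AdminRole": {"Type": "AWS::IAM::Role", "Properties": {
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                                               "Action": "sts:AssumeRole"}]}}}}}
```

Running find_policy_risks(SAMPLE_POLICY) and find_template_risks(SAMPLE_TEMPLATE) yields the PassRole, NotAction, AdministratorAccess and wildcard-principal findings; wiring the same checks to a changed-files list is what turns it into a PR gate.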
Configuration Options
```yaml
- uses: shieldly-io/action@v1
  with:
    paths: "**/*.json,**/*.yaml,cdk.out/**/*.template.json"
    fail-on-severity: HIGH  # CRITICAL, HIGH, MEDIUM, LOW
    comment-on-pr: true     # Post findings as PR comment (default: true)
```
Free Tier
The Action works on the free plan: no credit card, no per-seat charge. Each PR scan uses analysis units from your daily quota. The free plan includes 20 analysis units/day.
Launch offer: code 90Off2M gives 90% off the first 2 months. Builder from $1.90/mo, includes 150 analysis units/day and priority scan queuing.
Install: github.com/shieldly-io/action
Catch IAM risks automatically: paste a policy into Shieldly's free AI-Powered analysis. No signup, no credit card.