title: CloudSlash - GitHub App Reference description: Install the GitHub App and every PR that touches infrastructure gets a CloudSlash scan posted as a comment: before it merges. When a developer opens or updat...
GitHub App¶
Install the GitHub App and every PR that touches infrastructure gets a CloudSlash scan posted as a comment: before it merges.
What It Does¶
When a developer opens or updates a PR with infrastructure changes (Terraform, Pulumi, etc.), CloudSlash automatically:
- Scans the changed infrastructure
- Posts a comment on the PR with findings and estimated savings
- Re-scans on every new push
No manual step needed: it works once the app is installed.
Example PR Comment¶
☁️ CloudSlash Infrastructure Analysis¶
Severity Resource Finding Monthly Impact 🔴 Critical aws_instance.api_serverOversized: t2.2xlarge → t3.medium saves 78% -$234.00 🟡 Warning aws_ebs_volume.backupUnattached volume (orphaned) -$50.00 🟡 Warning aws_db_instance.analyticsIdle RDS: 0 connections for 72h -$127.40 Total projected savings: $411.40/month
Scanned
feature/update-infraata1b2c3d4| CloudSlash
Install¶
GitHub App
- Go to the CloudSlash GitHub App page
- Click Install
- Choose your organization or personal account
- Select which repositories to scan (all or specific ones)
- Click Install & Authorize
CloudSlash starts scanning PRs immediately.
CI/CD Alternative¶
GitHub Actions
Run CloudSlash in your own pipeline instead of using the hosted GitHub App:
# .github/workflows/cloudslash.yml
name: CloudSlash Scan
on: [pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install CloudSlash
run: curl -sSL https://get.cloudslash.dev | sh
- name: Run Infrastructure Scan
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: |
cs scan --format=sarif --output=results.sarif --fail-on=critical
- name: Upload to GitHub Advanced Security
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
- name: Post PR Comment
if: always()
run: |
cs scan --format=github-pr > comment.md
gh pr comment ${{ github.event.pull_request.number }}: body-file comment.md
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
This approach gives you full control: the scan runs in your own infrastructure with your own cloud credentials.
Supported Providers¶
The GitHub App and CI/CD workflow scan infrastructure changes for:
| Provider | Supported |
|---|---|
| AWS | ✅ |
| GCP | ✅ |
| Azure | ✅ |
| Linode | ✅ |
| Kubernetes | ✅ |
| Any plugin | ✅ |