Skip to content

title: CloudSlash - GitHub App Reference description: Install the GitHub App and every PR that touches infrastructure gets a CloudSlash scan posted as a comment: before it merges. When a developer opens or updat...


GitHub App

Install the GitHub App and every PR that touches infrastructure gets a CloudSlash scan posted as a comment: before it merges.

What It Does

When a developer opens or updates a PR with infrastructure changes (Terraform, Pulumi, etc.), CloudSlash automatically:

  1. Scans the changed infrastructure
  2. Posts a comment on the PR with findings and estimated savings
  3. Re-scans on every new push

No manual step needed: it works once the app is installed.

Example PR Comment

☁️ CloudSlash Infrastructure Analysis

Severity Resource Finding Monthly Impact
🔴 Critical aws_instance.api_server Oversized: t2.2xlarge → t3.medium saves 78% -$234.00
🟡 Warning aws_ebs_volume.backup Unattached volume (orphaned) -$50.00
🟡 Warning aws_db_instance.analytics Idle RDS: 0 connections for 72h -$127.40

Total projected savings: $411.40/month


Scanned feature/update-infra at a1b2c3d4 | CloudSlash

Install

GitHub App

  1. Go to the CloudSlash GitHub App page
  2. Click Install
  3. Choose your organization or personal account
  4. Select which repositories to scan (all or specific ones)
  5. Click Install & Authorize

CloudSlash starts scanning PRs immediately.

CI/CD Alternative

GitHub Actions

Run CloudSlash in your own pipeline instead of using the hosted GitHub App:

# .github/workflows/cloudslash.yml
name: CloudSlash Scan
on: [pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install CloudSlash
        run: curl -sSL https://get.cloudslash.dev | sh

      - name: Run Infrastructure Scan
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: |
          cs scan --format=sarif --output=results.sarif --fail-on=critical

      - name: Upload to GitHub Advanced Security
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

      - name: Post PR Comment
        if: always()
        run: |
          cs scan --format=github-pr > comment.md
          gh pr comment ${{ github.event.pull_request.number }}: body-file comment.md
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

This approach gives you full control: the scan runs in your own infrastructure with your own cloud credentials.

Supported Providers

The GitHub App and CI/CD workflow scan infrastructure changes for:

Provider Supported
AWS
GCP
Azure
Linode
Kubernetes
Any plugin