This GitHub Action runs a licensed Well-Architected scan against your repository code and IaC, and reports findings in the language of AWS Well-Architected pillars and FinOps.
The real scanning engine (rules, tools, analyzers) runs inside a container image; this repo only contains the public action wrapper.
- 🔐 License-gated – action refuses to run without a valid license.
- 🧱 Well-Architected pillars – run per pillar: security, cost-optimization, reliability, etc.
- 📦 Repo-local scanning – analysis runs entirely inside the GitHub Actions runner against your checked-out repo.
- 🧵 Single findings issue – optionally opens (or updates) one GitHub issue per repo to keep a single discussion thread.
This action is designed to run only on the GitHub Actions runner, against the repository that is already checked out via actions/checkout.
- Your source code is not sent to any external SaaS as part of the scan.
- All rules and tools live inside the container image, which runs locally in the runner.
- The only required outbound call is the license verification API, using the data you provide in `license-json` / `license-api-url`.
- If you enable GitHub issue reporting, the action uses the `github-token` (or `GITHUB_TOKEN`) you provide to create / update issues in your own repo.
You can inspect the workflow that uses this action in your repository; there is no hidden “send the repo elsewhere” step.
| Name | Required | Default | Description |
|---|---|---|---|
| `license-json` | ✅ Yes | none | License JSON string (usually stored in `secrets.LICENSE`). |
| `license-api-url` | ❌ No | `https://pxh5w4zqf9.execute-api.eu-central-1.amazonaws.com/Prod/license/verify` | License verification API endpoint. |
| `pillar` | ❌ No | `security` | Well-Architected pillar to analyze (`security`, `cost-optimization`, `reliability`, …). |
| `github-token` | ❌ No | defaults to `GITHUB_TOKEN` if omitted (engine-dependent) | Token with `issues:write` if you want the action to create/update a findings issue. |
Note: It is recommended to store `license-json` in a GitHub Secret (e.g. `secrets.LICENSE`).
Minimal example (security pillar):

```yaml
name: "Code Assessment – Licensed Scan"

on:
  push:
    branches: [ main ]
  pull_request:

jobs:
  code-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Well-Architected licensed scan
        uses: your-org/cloud-code-assessment-action@v1
        with:
          license-json: ${{ secrets.LICENSE }}
          pillar: security
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

Reliability pillar example (`jobs` section only):

```yaml
jobs:
  reliability-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Reliability scan
        uses: your-org/cloud-code-assessment-action@v1
        with:
          license-json: ${{ secrets.LICENSE }}
          pillar: reliability
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

This will:
- Verify the license against the configured `license-api-url`.
- Run all enabled Reliability rules from the internal catalog.
- Emit findings as an action output.
- Optionally create or update a single “Findings” issue in the repository.
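The examples above run one pillar per job. The following workflow is an added example, not part of this action's own documentation: it runs the three pillars named in the inputs table as a matrix, scopes `GITHUB_TOKEN` to the minimum the action needs (`contents: read` for the checkout, `issues: write` only for the findings issue), and serialises the matrix jobs. The `max-parallel: 1` setting is an assumption: it avoids concurrent jobs racing to create the single per-repo findings issue, which the page does not say the engine guards against.

```yaml
# Added example (not from the action's own docs): one workflow that runs the
# security, cost-optimization and reliability pillars as a matrix, with the
# GITHUB_TOKEN scoped to the minimum the action needs.
name: "Code Assessment – All Pillars"

on:
  push:
    branches: [ main ]
  pull_request:

# Least privilege: read the checkout, write issues only for the single
# findings issue. Remove `issues: write` if you do not want issue reporting.
permissions:
  contents: read
  issues: write

jobs:
  well-architected:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false   # report every pillar even if one scan fails
      max-parallel: 1    # assumption: serialise jobs so they do not race on the single findings issue
      matrix:
        pillar: [security, cost-optimization, reliability]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Well-Architected licensed scan (${{ matrix.pillar }})
        uses: your-org/cloud-code-assessment-action@v1
        with:
          license-json: ${{ secrets.LICENSE }}
          pillar: ${{ matrix.pillar }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

On `pull_request` events from forked repositories, GitHub does not expose repository secrets and issues a read-only `GITHUB_TOKEN`, so in that case the license check cannot run and issue reporting is unavailable; run such scans on `push` to protected branches instead.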
This action is licensed and requires a valid `license-json` / `license-api-url` pair. Consult your vendor / documentation for how to obtain and manage licenses.