Eunomio CI Guard, our first product

Risky CI auth changes, caught in the PR.

Replace GitHub Actions AWS secrets with OIDC. Block risky auth changes before they merge. GitHub‑native, narrow by design.

✓ GitHub Actions · ✓ AWS · ✓ Terraform

Open #284 · terraform: widen CI deploy role (+24 −3)
build, 2m 14s
unit tests, 1,284 passed
eunomio / ci-guard, no risky auth change

Changes requested #284 · terraform: widen CI deploy role (+24 −3)
build, 2m 14s
unit tests, 1,284 passed
eunomio / ci-guard, risky auth change detected

eunomio / ci-guard: This PR widens the trust policy on gha-deploy to allow any branch. Consider scoping to refs/heads/main.
About Eunomio

A focused suite, starting with one wedge.

Eunomio is building a focused suite of identity, access, trust, and security tools — useful enough for developers and platform engineers who run them, credible enough for IT admins, security teams, and compliance owners who approve them, and narrow enough to operate safely. Eunomio CI Guard is our first product; more focused tools may follow when each one is justified by real customer demand.

For teams already convinced that static CI credentials are a problem.

OIDC migration help · PR-native guardrails · Org-level GitHub App · Repo-band pricing
The problem

CI access gets risky long before anyone notices.

Long‑lived AWS credentials sit in GitHub Actions longer than they should. Workflow, IAM, and trust‑policy changes get reviewed like normal code, even though they quietly change what CI can touch in production.

Credential risk lingers. Auth drift accumulates. Risky changes land without a guardrail.


What it does

One focused product. Three useful jobs.

github-native · narrow by design
01 · Find
Find secret‑based CI auth

Detect repositories still using long‑lived AWS credentials in GitHub Actions. No surprises about which repos are still on static keys.

Read the docs →
02 · Migrate
Help migrate to OIDC

Open migration pull requests or managed guidance so teams can move to GitHub Actions OIDC with less manual work.

Read the docs →
03 · Guard
Fail risky auth diffs in PRs

Catch risky changes to workflows and Terraform‑defined IAM access before they merge.

Read the docs →
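The "Find" job above comes down to classifying each workflow's AWS auth step. The script below is an added example of that classification, not Eunomio CI Guard's own scanner: it assumes the workflow uses `aws-actions/configure-aws-credentials` and reads the step's inputs with line-level regexes (a real scanner would parse the YAML structure), and the three workflow texts, the repository names and the account id in the role ARN are constructed sample data. It also covers one failure mode of a half-done migration, `role-to-assume` without the `id-token: write` permission, which the workflow diff further down the page adds.

```python
import re

# Constructed sample, the "before" shape: static keys pulled from repository secrets.
STATIC_KEY_WORKFLOW = """\
name: deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: configure aws
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.AWS_KEY }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET }}
"""

# Constructed sample: migrated to role-to-assume, but the job never grants `id-token: write`.
OIDC_NO_PERMISSION_WORKFLOW = """\
name: deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: configure aws
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gha-deploy   # constructed account id
          aws-region: us-east-1
"""

# The same workflow with the permission the OIDC token request needs.
OIDC_OK_WORKFLOW = OIDC_NO_PERMISSION_WORKFLOW.replace(
    "    permissions:\n      contents: read\n",
    "    permissions:\n      id-token: write\n      contents: read\n",
)

CONFIGURE_STEP = re.compile(r"uses:\s*aws-actions/configure-aws-credentials@")
STATIC_KEY_INPUT = re.compile(r"^\s*aws-(?:access-key-id|secret-access-key)\s*:", re.M)
ROLE_INPUT = re.compile(r"^\s*role-to-assume\s*:", re.M)
ID_TOKEN_WRITE = re.compile(r"^\s*id-token\s*:\s*write\s*$", re.M)


def classify_workflow(text: str) -> dict:
    """Classify one workflow file's AWS auth and list what a reviewer should see.

    Returns {"auth": "none" | "static-key" | "oidc" | "unknown", "findings": [...]}.
    """
    findings = []
    if not CONFIGURE_STEP.search(text):
        return {"auth": "none", "findings": findings}
    uses_static = bool(STATIC_KEY_INPUT.search(text))
    uses_role = bool(ROLE_INPUT.search(text))
    if uses_static:
        findings.append("long-lived AWS access key supplied from repository secrets")
    if uses_static and uses_role:
        findings.append("static keys and role-to-assume both present: migration incomplete")
    if uses_role and not uses_static and not ID_TOKEN_WRITE.search(text):
        findings.append("role-to-assume without `id-token: write`: the OIDC token request will fail")
    if uses_static:
        auth = "static-key"
    elif uses_role:
        auth = "oidc"
    else:
        auth = "unknown"
    return {"auth": auth, "findings": findings}


def repos_still_on_static_keys(workflows: dict) -> list:
    """Map {repo: [workflow texts]} to the sorted repos that still use static keys."""
    return sorted(
        repo for repo, files in workflows.items()
        if any(classify_workflow(f)["auth"] == "static-key" for f in files)
    )


if __name__ == "__main__":
    inventory = {  # constructed org inventory
        "example-org/billing": [STATIC_KEY_WORKFLOW],
        "example-org/web": [OIDC_OK_WORKFLOW],
        "example-org/infra": [OIDC_NO_PERMISSION_WORKFLOW],
    }
    print(repos_still_on_static_keys(inventory))
    for repo, files in inventory.items():
        for f in files:
            print(repo, classify_workflow(f))
```

Run on a checkout of each repository's `.github/workflows/*.yml`, the inventory answers the "which repos are still on static keys" question directly, and the findings list is what a PR check would post.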
How it works

Five steps.
One GitHub App.

No dashboard to babysit. No runtime mutation. The loop lives in GitHub, where your team already argues about code.

  1. Install. Install the GitHub App in your organization.
  2. Scan. The app scans selected repositories for GitHub Actions to AWS access paths.
  3. Bootstrap. It opens a bootstrap PR so access paths are declared in code.
  4. Migrate. For secret‑based repos, it opens an OIDC migration PR, or a managed guidance issue when auto‑patching isn't possible.
  5. Guard. Relevant PRs get a check that surfaces risky CI auth changes before merge.
Managed migration

The migration PR writes itself.

Where automatic patching is possible, Eunomio CI Guard opens the OIDC migration PR. Where it isn't, you get a managed guidance issue with the exact trust policy and workflow diff to apply.

See the migration docs →
.github/workflows/deploy.yml +9 −5
- name: configure aws
uses: aws-actions/configure-aws-credentials@v2
with:
aws-access-key-id: ${{ secrets.AWS_KEY }}
aws-secret-access-key: ${{ secrets.AWS_SECRET }}
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: arn:aws:iam::…:role/gha-deploy
+ aws-region: us-east-1
permissions:
+ id-token: write
contents: read
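Review bot: the `aws-access-key-id` / `aws-secret-access-key` inputs this hunk replaces were reading `secrets.AWS_KEY` and `secrets.AWS_SECRET`; after the change this workflow no longer references them, so the migration is only complete once those repository secrets are removed and the IAM access key behind them is deactivated and rotated, otherwise the static credential keeps working alongside the new role. Two things to confirm before merge: the `id-token: write` line added under `permissions:` has to sit in the block of the job (or workflow) that runs `configure-aws-credentials`, and `role-to-assume` on its own does not limit who may assume `gha-deploy`; the role's trust policy still has to pin `sub` to this repository and branch, which is the scoping the `gha-deploy` check comment above asks for.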
Supported today
GitHub Actions · AWS · Terraform · Org‑level install · PR‑centric workflow · Repo‑band pricing

Not part of CI Guard today
Generic IAM platform · Secrets manager · Cloud posture · Dashboard-led CI Guard UI · GitLab / Azure · Per-seat billing

These are CI Guard's current product boundaries, not a permanent rule for the whole Eunomio suite — future tools may take other shapes.

Built for

Teams that already know static CI credentials are a problem.

Platform engineers install and operate CI Guard day to day, but the decision to adopt it usually involves IT admins, security teams, founders or CTOs, and compliance owners. We try to be useful and credible to all of them.

Platform & DevOps

Hands-on operators of the GitHub App. A safer path from GitHub Actions to AWS, without a heavy security platform.

Security & IT teams

Clear guardrails on CI-to-cloud access. Less static credential exposure, fewer trust-policy surprises, no widening into a governance program.

Founders, CTOs & compliance

A narrow, reviewable change path you can stand behind. Risky CI auth changes get reviewed before they land, with clear coverage per repo.

FAQ

Before you install.

Does it require live AWS access?
No. The product is designed around repository contents and pull‑request diffs.
Does it replace our IAM stack?
No. It adds guardrails around the CI‑to‑cloud access path you already define in code.
Is this a dashboard product?
No — Eunomio CI Guard's product loop is GitHub‑native by design. Future Eunomio tools may have different surfaces when those surfaces help customers.
Does it support GitLab or Azure DevOps?
Not today. GitHub Actions + AWS + Terraform is the intentional starting scope.
Start now

Start with a focused wedge, not a bigger platform.

Reduce CI credential risk and make CI auth changes easier to review, in the workflow your team already uses.

Install GitHub App · See pricing