Eunomio CI Guard, our first product

Risky CI auth changes, caught in the PR.

Replace GitHub Actions AWS secrets with OIDC. Block risky auth changes before they merge. GitHub‑native, narrow by design.

Example check on PR #284, "terraform: widen CI deploy role" (+24 −3):
  build, 2m 14s
  unit tests, 1,284 passed
  eunomio / ci-guard, risky auth change detected
Changes requested by eunomio / ci-guard:
  This PR widens the trust policy on gha-deploy to allow any branch. Consider scoping to refs/heads/main.
For teams already convinced that static CI credentials are a problem.
OIDC migration help · PR-native guardrails · Org-level GitHub App · Repo-band pricing
The problem

CI access gets risky long before anyone notices.

Long‑lived AWS credentials sit in GitHub Actions longer than they should. Workflow, IAM, and trust‑policy changes get reviewed like normal code, even though they quietly change what CI can touch in production.

Credential risk lingers. Auth drift accumulates. Risky changes land without a guardrail.


What it does

One focused product. Three useful jobs.

GitHub‑native · narrow by design

01 Find. Find secret‑based CI auth
Detect repositories still using long‑lived AWS credentials in GitHub Actions. No surprises about which repos are still on static keys.

02 Migrate. Help migrate to OIDC
Open migration pull requests or managed guidance so teams can move to GitHub Actions OIDC with less manual work.

03 Guard. Fail risky auth diffs in PRs
Catch risky changes to workflows and Terraform‑defined IAM access before they merge.
How it works

Five steps.
One GitHub App.

No dashboard to babysit. No runtime mutation. The loop lives in GitHub, where your team already argues about code.

1. Install: Install the GitHub App in your organization.
2. Scan: The app scans selected repositories for GitHub Actions to AWS access paths.
3. Bootstrap: It opens a bootstrap PR so access paths are declared in code.
4. Migrate: For secret‑based repos, it opens an OIDC migration PR, or a managed guidance issue when auto‑patching isn't possible.
5. Guard: Relevant PRs get a check that surfaces risky CI auth changes before merge.
Managed migration

The migration PR writes itself.

Where automatic patching is possible, Eunomio CI Guard opens the OIDC migration PR. Where it isn't, you get a managed guidance issue with the exact trust policy and workflow diff to apply.

.github/workflows/deploy.yml +9 −5
- name: configure aws
uses: aws-actions/configure-aws-credentials@v2
with:
aws-access-key-id: ${{ secrets.AWS_KEY }}
aws-secret-access-key: ${{ secrets.AWS_SECRET }}
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: arn:aws:iam::…:role/gha-deploy
+ aws-region: us-east-1
permissions:
+ id-token: write
contents: read
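Review bot: the `role-to-assume` / `id-token: write` pair in this hunk only narrows access if the `gha-deploy` trust policy pins `token.actions.githubusercontent.com:sub` to the intended repo and `refs/heads/main`, as the check comment on PR #284 above asks; confirm the Terraform side of the migration PR carries that condition, and that the `permissions:` block applies to the job or workflow that runs this step.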
Supported today: GitHub Actions · AWS · Terraform · Org‑level install · PR‑centric workflow · Repo‑band pricing
Not in scope, on purpose: Generic IAM platform · Secrets manager · Cloud posture · Dashboard‑led UI · GitLab / Azure · Per‑seat billing
Built for

Teams that already know static CI credentials are a problem.

Platform & DevOps

A safer path from GitHub Actions to AWS, without a heavy security platform.

Engineering leaders

Risky CI auth changes reviewed before they land. Clear coverage per repo.

Security-minded teams

Clear guardrails without widening scope into a governance program.

FAQ

Before you install.

Does it require live AWS access?
No. The product is designed around repository contents and pull‑request diffs.
Does it replace our IAM stack?
No. It adds guardrails around the CI‑to‑cloud access path you already define in code.
Is this a dashboard product?
No. The product loop is GitHub‑native by design.
Does it support GitLab or Azure DevOps?
Not today. GitHub Actions + AWS + Terraform is the intentional starting scope.
Start now

Start with a focused wedge, not a bigger platform.

Reduce CI credential risk and make CI auth changes easier to review, in the workflow your team already uses.
