Integrations

Native Security integrates with your existing CI/CD toolchain and cloud provider APIs. All integrations use the same policy evaluation engine — you get consistent results whether you're using GitHub Actions, Terraform Cloud, or a direct API call.

GitHub Actions

Use the native-security/enforce-action action to add a policy gate to any workflow. The action accepts a Terraform plan JSON file and returns a PASS or FAIL result.

name: Deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
          aws-region: us-east-1

      - name: Terraform init + plan
        run: |
          terraform init
          terraform plan -out=tfplan.binary
          terraform show -json tfplan.binary > tfplan.json

      - name: Native Security policy gate
        uses: native-security/enforce-action@v1
        with:
          api-key: ${{ secrets.NS_API_KEY }}
          plan-file: tfplan.json
          account-id: ${{ vars.AWS_ACCOUNT_ID }}
          enforcement-level: block

      - name: Terraform apply
        run: terraform apply tfplan.binary

GitLab CI

Include the Native Security job definition in your .gitlab-ci.yml:

include:
  - project: 'native-security/ci-templates'
    file: '/templates/policy-gate.yml'

stages:
  - plan
  - policy-check
  - apply

terraform-plan:
  stage: plan
  script:
    - terraform init
    - terraform plan -out=tfplan.binary
    - terraform show -json tfplan.binary > tfplan.json
  artifacts:
    # Both files are consumed downstream: tfplan.json by the gate, tfplan.binary by apply.
    paths: [tfplan.json, tfplan.binary]

native-security-gate:
  stage: policy-check
  extends: .ns-policy-gate
  variables:
    NS_API_KEY: $NS_API_KEY
    NS_ACCOUNT_ID: $AWS_ACCOUNT_ID
    NS_PLAN_FILE: tfplan.json
    NS_ENFORCEMENT_LEVEL: block

terraform-apply:
  stage: apply
  # A job with `needs` only downloads artifacts from the jobs it names, so
  # terraform-plan must be listed here for tfplan.binary to be present.
  needs: [terraform-plan, native-security-gate]
  script:
    # Fresh runner: re-initialise providers before applying the saved plan.
    - terraform init
    - terraform apply tfplan.binary

Terraform Cloud Run Task

Register Native Security as a Run Task in Terraform Cloud to automatically gate all runs in your organization:

  1. In Terraform Cloud, go to Organization Settings > Integrations > Run Tasks
  2. Add a new Run Task with the Native Security webhook URL and HMAC key from your NS dashboard
  3. Assign the Run Task to workspaces (Advisory or Mandatory enforcement)

The Run Task evaluates every plan before apply. Results appear directly in the Terraform Cloud run UI.
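The HMAC key from step 2 is what lets the receiving endpoint authenticate Run Task requests: Terraform Cloud signs the raw request body with HMAC-SHA512 using that key and sends the hex digest in the X-TFC-Task-Signature header. The following Python is an added illustration of that verification, not Native Security's code; the key and payload values are constructed.

```python
import hashlib
import hmac
import json

# Terraform Cloud signs each Run Task request with HMAC-SHA512 over the raw
# body and sends the hex digest in this header; the key is the HMAC key
# entered when the Run Task was registered.
SIGNATURE_HEADER = "X-TFC-Task-Signature"

def sign_body(hmac_key: bytes, body: bytes) -> str:
    """Hex HMAC-SHA512 of `body`, as Terraform Cloud would attach to it."""
    return hmac.new(hmac_key, body, hashlib.sha512).hexdigest()

def verify_run_task_request(hmac_key: bytes, headers: dict, body: bytes) -> bool:
    """True only if the request carries a valid signature over exactly `body`."""
    # Header names are matched case-insensitively.
    presented = next((v for k, v in headers.items()
                      if k.lower() == SIGNATURE_HEADER.lower()), None)
    if not presented:
        return False
    expected = sign_body(hmac_key, body)
    # Constant-time compare: a forged digest leaks nothing about how close it was.
    return hmac.compare_digest(expected.encode(), presented.strip().lower().encode())

def accept_run_task(hmac_key: bytes, headers: dict, body: bytes) -> dict:
    """Authenticate first, then parse, so unsigned or altered bodies never
    reach JSON parsing or the policy engine."""
    if not verify_run_task_request(hmac_key, headers, body):
        return {"status": "rejected", "reason": "missing or invalid signature"}
    payload = json.loads(body)
    # On registration Terraform Cloud sends a one-off handshake whose access_token
    # is the literal "test-token"; it carries no plan and only needs a 200 OK.
    if payload.get("access_token") == "test-token":
        return {"status": "handshake"}
    return {"status": "accepted", "run_id": payload.get("run_id"),
            "stage": payload.get("stage")}

# Constructed sample key and payload; not real Terraform Cloud traffic.
SAMPLE_KEY = b"constructed-hmac-key-from-ns-dashboard"
SAMPLE_BODY = json.dumps({"payload_version": 1, "stage": "post_plan",
                          "run_id": "run-CONSTRUCTED0",
                          "access_token": "constructed-token"}).encode()

if __name__ == "__main__":
    headers = {SIGNATURE_HEADER: sign_body(SAMPLE_KEY, SAMPLE_BODY)}
    print(accept_run_task(SAMPLE_KEY, headers, SAMPLE_BODY))        # accepted
    print(accept_run_task(SAMPLE_KEY, headers, SAMPLE_BODY + b" "))  # rejected
    print(accept_run_task(SAMPLE_KEY, {}, SAMPLE_BODY))             # rejected
```

A request that fails this check should be dropped before the endpoint fetches the plan or posts a result back; a missing HMAC key on the Run Task leaves the endpoint with no way to tell Terraform Cloud's callbacks from anyone else's.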

CloudFormation Hooks

Use the NativeSecurity::PolicyGate::Hook CloudFormation Hook to evaluate stacks before they deploy:

aws cloudformation activate-type \
  --type HOOK \
  --type-name NativeSecurity::PolicyGate::Hook \
  --publisher-id NATIVE_SECURITY_PUBLISHER_ID

aws cloudformation set-type-configuration \
  --type-name NativeSecurity::PolicyGate::Hook \
  --type HOOK \
  --configuration '{
    "CloudFormationConfiguration": {
      "HookConfiguration": {
        "TargetStacks": "ALL",
        "FailureMode": "FAIL",
        "Properties": {
          "ApiKey": "ns_live_xxx",
          "AccountId": "123456789012",
          "EnforcementLevel": "block"
        }
      }
    }
  }'

AWS Organizations

Connection uses a cross-account IAM role with read-only permissions. See the Quickstart guide for the full setup with IAM policy JSON.

Azure Management Groups

Connection uses an App Registration with Reader role at Management Group scope. See the Quickstart guide for setup commands.

GCP Organization Policy

Connection uses a Service Account with roles/orgpolicy.policyViewer. See the Quickstart guide for setup commands.