Integrations
Native Security integrates with your existing CI/CD toolchain and cloud provider APIs. All integrations use the same policy evaluation engine — you get consistent results whether you're using GitHub Actions, Terraform Cloud, or a direct API call.
GitHub Actions
Use the native-security/enforce-action action to add a policy gate to any workflow. The action accepts a Terraform plan JSON file and returns a PASS or FAIL result.
name: Deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # needed for OIDC role assumption
      contents: read
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
          aws-region: us-east-1

      - name: Terraform init + plan
        run: |
          terraform init
          terraform plan -out=tfplan.binary
          terraform show -json tfplan.binary > tfplan.json

      - name: Native Security policy gate
        uses: native-security/enforce-action@v1
        with:
          api-key: ${{ secrets.NS_API_KEY }}
          plan-file: tfplan.json
          account-id: ${{ vars.AWS_ACCOUNT_ID }}
          enforcement-level: block

      - name: Terraform apply
        run: terraform apply tfplan.binary
GitLab CI
Include the Native Security job definition in your .gitlab-ci.yml:
include:
  - project: 'native-security/ci-templates'
    file: '/templates/policy-gate.yml'

stages:
  - plan
  - policy-check
  - apply

terraform-plan:
  stage: plan
  script:
    - terraform init
    - terraform plan -out=tfplan.binary
    - terraform show -json tfplan.binary > tfplan.json
  artifacts:
    # Both files are needed downstream: the JSON by the gate, the binary by apply.
    paths: [tfplan.json, tfplan.binary]

native-security-gate:
  stage: policy-check
  extends: .ns-policy-gate
  variables:
    NS_API_KEY: $NS_API_KEY
    NS_ACCOUNT_ID: $AWS_ACCOUNT_ID
    NS_PLAN_FILE: tfplan.json
    NS_ENFORCEMENT_LEVEL: block

terraform-apply:
  stage: apply
  # The apply job runs on a fresh runner: list terraform-plan so its artifacts are
  # downloaded, and re-run init so providers are present before applying the saved plan.
  needs: [terraform-plan, native-security-gate]
  script:
    - terraform init
    - terraform apply tfplan.binary
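Both pipelines above hand the gate a tfplan.json produced by terraform show -json. To show what a gate reads from that file and how an enforcement level turns findings into the PASS or FAIL result the CI steps act on, here is an added Python illustration. It is not Native Security's evaluation engine or any code from the product; the single rule it checks (world-open SSH ingress), the "advisory" level name, and the plan contents are assumptions constructed for the example.

```python
import json

# Constructed sample of `terraform show -json tfplan.binary` output, trimmed to
# the fields the gate reads. Not real output from any environment.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "before": None,
                    "after": {"bucket": "example-logs"}}},
        {"address": "aws_security_group_rule.ssh", "type": "aws_security_group_rule",
         "change": {"actions": ["create"], "before": None,
                    "after": {"type": "ingress", "from_port": 22, "to_port": 22,
                              "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}}},
        {"address": "aws_security_group_rule.legacy", "type": "aws_security_group_rule",
         "change": {"actions": ["delete"],
                    "before": {"type": "ingress", "from_port": 22, "to_port": 22,
                               "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
                    "after": None}},
    ],
})


def world_open_ssh_findings(plan_json: str) -> list[str]:
    """One finding per security-group rule that, after the plan applies, allows
    TCP/22 ingress from 0.0.0.0/0. Destroyed rules have a null 'after' state
    and are skipped; values unknown until apply are absent from 'after'."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after") or {}  # None for destroys
        if rc.get("type") != "aws_security_group_rule" or after.get("type") != "ingress":
            continue
        lo, hi = after.get("from_port"), after.get("to_port")
        if lo is None or hi is None:
            continue
        if ("0.0.0.0/0" in (after.get("cidr_blocks") or [])
                and after.get("protocol") in ("tcp", "-1") and lo <= 22 <= hi):
            findings.append(f"{rc['address']}: TCP/22 ingress from 0.0.0.0/0")
    return findings


def gate(plan_json: str, enforcement_level: str = "block") -> tuple[str, list[str]]:
    """'block' (the level used in the pipelines above) fails on any finding;
    'advisory' (assumed name, mirroring the Run Task wording) reports but passes."""
    findings = world_open_ssh_findings(plan_json)
    verdict = "FAIL" if findings and enforcement_level == "block" else "PASS"
    return verdict, findings
```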
Terraform Cloud Run Task
Register Native Security as a Run Task in Terraform Cloud to automatically gate all runs in your organization:
- In Terraform Cloud, go to Organization Settings > Integrations > Run Tasks
- Add a new Run Task with the Native Security webhook URL and HMAC key from your NS dashboard
- Assign the Run Task to workspaces (Advisory or Mandatory enforcement)
The Run Task evaluates every plan before apply. Results appear directly in the Terraform Cloud run UI.
CloudFormation Hooks
Use the NativeSecurity::PolicyGate::Hook CloudFormation Hook to evaluate stacks before they deploy:
aws cloudformation activate-type \
  --type HOOK \
  --type-name NativeSecurity::PolicyGate::Hook \
  --publisher-id NATIVE_SECURITY_PUBLISHER_ID

# ApiKey and AccountId below are placeholders; substitute your own values.
aws cloudformation set-type-configuration \
  --type-name NativeSecurity::PolicyGate::Hook \
  --type HOOK \
  --configuration '{
    "CloudFormationConfiguration": {
      "HookConfiguration": {
        "TargetStacks": "ALL",
        "FailureMode": "FAIL",
        "Properties": {
          "ApiKey": "ns_live_xxx",
          "AccountId": "123456789012",
          "EnforcementLevel": "block"
        }
      }
    }
  }'
AWS Organizations
The connection uses a cross-account IAM role with read-only permissions. See the Quickstart guide for the full setup, including the IAM policy JSON.
Azure Management Groups
The connection uses an App Registration with the Reader role at Management Group scope. See the Quickstart guide for the setup commands.
GCP Organization Policy
The connection uses a Service Account with roles/orgpolicy.policyViewer. See the Quickstart guide for the setup commands.