Every Terraform plan checked against your SCPs before apply.
Block non-compliant infrastructure changes before they reach cloud APIs. Terraform Cloud Run Task integration, GitHub Actions native action, and CloudFormation pre-deployment hooks.
Works with your existing pipeline.
Three integration patterns. Pick the one that fits your existing deployment workflow.
Terraform Cloud Run Task
Native Security registers as a Run Task in Terraform Cloud. Before any workspace run applies, the policy gate runs against the plan. Violations surface directly in the Terraform Cloud run UI with full violation detail.
- No GitHub Actions configuration required
- Works with all Terraform Cloud workspaces via org-level hook
- Run task result: Advisory (warn) or Mandatory (block)
Run Task: Native Security Policy Gate
Status:   Failed
Level:    Mandatory
Results:
  aws_s3_bucket.logs        PASS
  aws_s3_bucket.assets      PASS
  aws_iam_role.lambda_exec  FAIL
    Violation: SCP-DenyAdminWithoutBoundary
      aws_iam_role.lambda_exec
      Missing: PermissionsBoundary
      Fix: attach OrgPermBoundary policy
Run cancelled. Apply blocked.
GitHub Actions native action
Drop-in step using native-security/enforce-action@v1. Accepts the Terraform plan JSON output, evaluates against your org's policy graph via the Native Security API, and fails the workflow if violations are found.
- name: Native Security policy gate
  uses: native-security/enforce-action@v1
  with:
    api-key: ${{ secrets.NS_API_KEY }}
    plan-file: tfplan.json
    enforcement-level: block
    account-id: ${{ vars.AWS_ACCOUNT_ID }}
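To show what evaluating a plan file looks like, here is an added example (not the enforce-action's or Native Security's own code) that reads Terraform plan JSON and applies the one rule from the Run Task output above, the permissions-boundary check, with the same block/warn enforcement levels. The sample plan, the boundary ARN and the function names are assumptions made for the illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json tfplan`, trimmed to the
# fields this check reads; it mirrors the three resources in the Run Task output above.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "org-logs"}}},
        {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "org-assets"}}},
        {"address": "aws_iam_role.lambda_exec", "type": "aws_iam_role",
         "change": {"actions": ["create"],
                    "after": {"name": "lambda-exec", "permissions_boundary": None},
                    "after_unknown": {}}},
    ],
})

# Hypothetical boundary ARN; the page only names the policy "OrgPermBoundary".
REQUIRED_BOUNDARY = "arn:aws:iam::123456789012:policy/OrgPermBoundary"


def check_plan(plan_json):
    """Return one violation dict per IAM role the plan would create or update
    without the required permissions boundary attached."""
    violations = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "aws_iam_role" or change.get("actions") in (["no-op"], ["delete"]):
            continue  # only changes that reach the IAM API need gating
        after = change.get("after") or {}
        # A boundary that is only known at apply time cannot be verified here; the
        # gate fails closed so an unchecked role never reaches the cloud API.
        unknown = change.get("after_unknown", {}).get("permissions_boundary", False)
        if unknown or after.get("permissions_boundary") != REQUIRED_BOUNDARY:
            violations.append({
                "policy": "SCP-DenyAdminWithoutBoundary",
                "address": rc["address"],
                "missing": "PermissionsBoundary",
                "fix": "attach OrgPermBoundary policy",
            })
    return violations


def gate(plan_json, enforcement_level="block"):
    """Pipeline exit status: 1 blocks the apply, 0 proceeds; 'warn' only reports."""
    violations = check_plan(plan_json)
    for v in violations:
        print(f"{v['address']} FAIL  Violation: {v['policy']}  Missing: {v['missing']}  Fix: {v['fix']}")
    return 1 if violations and enforcement_level == "block" else 0
```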
Wire in the policy gate this sprint.
One step added to your pipeline. Every Terraform plan evaluated against your org policies. No new rules to write.