Use Case — IaC

Every Terraform plan checked against your SCPs before apply.

Block non-compliant infrastructure changes before they reach cloud APIs. Terraform Cloud Run Task integration, GitHub Actions native action, and CloudFormation pre-deployment hooks.

Integration Options

Works with your existing pipeline.

Three integration patterns. Pick the one that fits your existing deployment workflow.

Terraform Cloud Run Task

Native Security registers as a Run Task in Terraform Cloud. Before any workspace run applies, the policy gate runs against the plan. Violations surface directly in the Terraform Cloud run UI with full violation detail.

  • No GitHub Actions configuration required
  • Works with all Terraform Cloud workspaces via org-level hook
  • Run task result: Advisory (warn) or Mandatory (block)

Terraform Cloud — Run Task result
Run Task: Native Security Policy Gate
Status: Failed
Level: Mandatory

Results:
  aws_s3_bucket.logs          PASS
  aws_s3_bucket.assets        PASS
  aws_iam_role.lambda_exec    FAIL

Violation: SCP-DenyAdminWithoutBoundary
  aws_iam_role.lambda_exec
  Missing: PermissionsBoundary
  Fix: attach OrgPermBoundary policy

Run cancelled. Apply blocked.

GitHub Actions native action

Drop-in step using native-security/enforce-action@v1. Accepts the Terraform plan JSON output, evaluates against your org's policy graph via the Native Security API, and fails the workflow if violations are found.

GitHub Actions step
- name: Native Security policy gate
  uses: native-security/enforce-action@v1
  with:
    api-key: ${{ secrets.NS_API_KEY }}
    plan-file: tfplan.json
    enforcement-level: block
    account-id: ${{ vars.AWS_ACCOUNT_ID }}
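To make concrete what a gate like this does with the plan JSON, here is an added, stand-alone check (written for this page; it is not Native Security's action or API) that reads the output of `terraform show -json tfplan > tfplan.json` and reproduces the SCP-DenyAdminWithoutBoundary result shown in the Run Task output above: every aws_iam_role being created or updated must carry the org permissions boundary. The boundary ARN and the embedded sample plan are constructed assumptions; the plan structure (`resource_changes`, `change.actions`, `change.after`, `change.after_unknown`) is Terraform's documented format. It also handles the case the UI example does not show, a boundary whose value is only computed at apply time, which a blocking gate cannot approve from the plan alone.

```python
"""Plan-JSON policy gate: flag IAM roles without the org permissions boundary.

Illustrative example, not the Native Security product. Run as
`python gate.py tfplan.json`, or with no argument to evaluate the embedded sample.
"""
import json
import sys

# Hypothetical org boundary; a real gate would read this from configuration.
REQUIRED_BOUNDARY_ARN = "arn:aws:iam::111111111111:policy/OrgPermBoundary"

# Constructed sample in the shape of `terraform show -json` output (abridged).
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "org-logs"},
                    "after_unknown": {}}},
        {"address": "aws_iam_role.lambda_exec", "type": "aws_iam_role",
         "change": {"actions": ["create"],
                    "after": {"name": "lambda-exec", "permissions_boundary": None},
                    "after_unknown": {"arn": True}}},
        {"address": "aws_iam_role.ci_deploy", "type": "aws_iam_role",
         "change": {"actions": ["update"],
                    "after": {"name": "ci-deploy",
                              "permissions_boundary": REQUIRED_BOUNDARY_ARN},
                    "after_unknown": {}}},
        {"address": "aws_iam_role.computed", "type": "aws_iam_role",
         "change": {"actions": ["create"], "after": {"name": "computed"},
                    "after_unknown": {"permissions_boundary": True}}},
        {"address": "aws_iam_role.legacy", "type": "aws_iam_role",
         "change": {"actions": ["delete"], "before": {"name": "legacy"},
                    "after": None, "after_unknown": {}}},
    ],
})


def evaluate_plan(plan):
    """Return (address, status, detail) for each aws_iam_role the plan creates or updates."""
    results = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_iam_role":
            continue
        change = rc["change"]
        if not ({"create", "update"} & set(change.get("actions", []))):
            continue  # deletes and no-ops cannot introduce an unbounded role
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        boundary = after.get("permissions_boundary")
        if boundary == REQUIRED_BOUNDARY_ARN:
            results.append((rc["address"], "PASS", "boundary attached"))
        elif unknown.get("permissions_boundary"):
            # Known only at apply time: the plan alone cannot prove compliance.
            results.append((rc["address"], "UNKNOWN",
                            "permissions_boundary computed at apply"))
        elif boundary:
            results.append((rc["address"], "FAIL", f"wrong boundary: {boundary}"))
        else:
            results.append((rc["address"], "FAIL",
                            "Missing: PermissionsBoundary; fix: attach OrgPermBoundary"))
    return results


def evaluate_plan_text(text):
    """Convenience wrapper: evaluate a plan given as a JSON string."""
    return evaluate_plan(json.loads(text))


def gate_exit_code(results, enforcement_level="block"):
    """'block' (Mandatory) fails on any FAIL or UNKNOWN; 'warn' (Advisory) never fails."""
    bad = [r for r in results if r[1] != "PASS"]
    return 1 if (enforcement_level == "block" and bad) else 0


def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_PLAN_JSON
    results = evaluate_plan_text(text)
    for address, status, detail in results:
        print(f"{address:32s} {status:8s} {detail}")
    code = gate_exit_code(results)
    print("Apply blocked." if code else "Apply allowed.")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit code is what fails the workflow step, which is the same contract the `enforcement-level: block` setting above relies on; switching the level to `warn` keeps the findings visible without stopping the apply. Treating a computed boundary as UNKNOWN rather than PASS is the conservative choice for a Mandatory gate, since an apply-time value could resolve to nothing at all.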

Wire in the policy gate this sprint.

One step added to your pipeline. Every Terraform plan evaluated against your org policies. No new rules to write.