CI/CD Integration

Run CloudBurn scans in GitHub Actions, GitLab CI, and other CI/CD pipelines.


CloudBurn is designed to fit into CI/CD pipelines as a cost optimization quality gate. Run it on pull requests to catch cost issues before they reach production.

How it fits into your pipeline

GitHub Actions

Add this workflow to .github/workflows/cloudburn.yml. The permissions block limits the job's GITHUB_TOKEN to read-only checkout, which is all a scan needs:

name: CloudBurn Cost Check
on: [pull_request]
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '24'
      - run: npx cloudburn scan --exit-code

Using npx avoids a separate install step: it downloads and runs CloudBurn in one command. Be aware that an unpinned npx cloudburn resolves to the latest published version on every run, so the gate can change underneath you. Pin the version (npx cloudburn@<version>) or add CloudBurn as a devDependency and install it with npm ci from a committed lockfile, and pin the actions you use by commit SHA for the same reason.

This runs on every pull request and fails the job if CloudBurn finds any cost issues.

To scan a specific path:

      - run: npx cloudburn scan --exit-code ./infrastructure

To fail only on findings for specific services:

      - run: npx cloudburn scan --exit-code --service ebs,ec2

GitLab CI

Add to your .gitlab-ci.yml:

cloudburn-scan:
  image: node:24
  stage: test
  script:
    - npx cloudburn scan --exit-code
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

JSON output for CI annotations

Use JSON output to capture structured results for reporting or annotations:

npx cloudburn --format json scan --exit-code ./iac

In GitHub Actions, write the JSON to a file and upload it as an artifact. Do not append || true to the scan command: that discards the exit code and turns the gate into a fail-open check that never blocks a merge. Instead, mark the upload step with if: always() so the results are kept whether or not the scan passed:

      - name: Run CloudBurn scan
        id: scan
        run: npx cloudburn --format json scan --exit-code ./iac > cloudburn-results.json
      - name: Upload results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: cloudburn-results
          path: cloudburn-results.json
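The same fail-closed capture for a pipeline where the upload step cannot be marked always-run (a plain shell runner, or a script step in another CI system), as an added example that is not CloudBurn's own code: a POSIX sh wrapper that saves the scanner's stdout to a file, records its exit status beside it, and returns that status so the job still fails when the scan does. The command it runs is whatever you pass in; the function names and the OUTPUT_FILE.status convention are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not CloudBurn's own code. Runs a scanner command, keeps its
# stdout as an artifact file and preserves its exit status for the CI gate.
# The status is also written to OUTPUT_FILE.status (this example's own
# convention) so a later step can read it without re-running the scan.
#
# Usage: capture_scan OUTPUT_FILE COMMAND [ARGS...]
#   e.g. capture_scan cloudburn-results.json \
#          npx cloudburn --format json scan --exit-code ./iac
capture_scan() {
  out="$1"
  shift
  # The "&& ... ||" form records the command's status without tripping set -e
  # and without the fail-open effect of appending "|| true".
  "$@" > "$out" && status=0 || status=$?
  printf '%s\n' "$status" > "$out.status"
  return "$status"
}

# Usage: scan_status OUTPUT_FILE
# Prints the recorded exit status. A missing status file means the scan never
# finished, which is treated as a failure (exit 2) rather than a pass.
scan_status() {
  if [ ! -r "$1.status" ]; then
    echo "no scan status recorded for $1" >&2
    return 2
  fi
  cat "$1.status"
}

# Stand-alone demo (set CAPTURE_SCAN_DEMO=1) on a constructed command that
# emits one JSON document and exits 3, the way a scanner reports findings;
# the script then exits 3 itself, which is what makes the CI job fail.
if [ "${CAPTURE_SCAN_DEMO:-0}" = 1 ]; then
  capture_scan demo-results.json sh -c 'printf "%s\n" "{\"findings\":[]}"; exit 3'
fi
```

A following step can call scan_status to recover the result without re-running the scan; because a missing status file is reported as a failure, a crashed or skipped scan cannot pass the gate by accident. In GitLab CI the equivalent of if: always() is artifacts: with when: always on the job.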

Discovery scans in CI

Running discovery scans in CI requires AWS credentials. Prefer short-lived credentials obtained through OIDC federation, so no long-lived access key is stored in the CI system at all; where that is not possible, inject static keys through your CI provider's secret store and bind them to a read-only role. Either way, the role CloudBurn assumes needs nothing beyond read access.

GitHub Actions with OIDC (recommended):

name: CloudBurn Discovery
on:
  schedule:
    - cron: '0 8 * * 1'  # Weekly on Monday

permissions:
  id-token: write
  contents: read

jobs:
  discover:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '24'
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/CloudBurnReadOnly
          aws-region: us-east-1
      - run: npx cloudburn discover --exit-code
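This workflow only works, and is only safe, if the role's trust policy accepts tokens from the GitHub OIDC provider and restricts the subject claim to this repository: a trust policy without the sub condition lets any GitHub Actions workflow in any repository assume the role. As an added example that is not CloudBurn's or AWS's own code, the POSIX sh function below emits such a trust policy for a scheduled workflow on a branch (a scheduled run presents the subject repo:ORG/REPO:ref:refs/heads/BRANCH; a pull_request-triggered run presents repo:ORG/REPO:pull_request instead). The account ID, repository and branch are parameters; it assumes the token.actions.githubusercontent.com OIDC provider is already registered in the account, and the aws iam command in the comment is the standard way to apply the document. The trust policy only decides who may assume the role; keep the role's permission policy to the read-only calls discovery needs.

```shell
#!/bin/sh
# Added example, not CloudBurn's own code. Emits the IAM trust policy for the
# role a GitHub Actions workflow assumes over OIDC, scoped to one repository
# and branch. Assumes the OIDC provider token.actions.githubusercontent.com is
# already registered in the account.
#
# Usage: github_oidc_trust_policy ACCOUNT_ID ORG/REPO BRANCH > trust.json
#   then: aws iam update-assume-role-policy \
#           --role-name CloudBurnReadOnly --policy-document file://trust.json
github_oidc_trust_policy() {
  account="$1"
  repo="$2"
  branch="$3"
  # Refuse to emit a policy with a malformed scope: an empty repo or branch
  # would never match, but a typo should fail loudly here rather than at the
  # first AssumeRoleWithWebIdentity call in the workflow.
  case "$account" in
    *[!0-9]*|"") echo "account id must be 12 digits" >&2; return 1 ;;
  esac
  [ "${#account}" -eq 12 ] || { echo "account id must be 12 digits" >&2; return 1; }
  case "$repo" in
    */*) ;;
    *) echo "repo must be ORG/REPO" >&2; return 1 ;;
  esac
  [ -n "$branch" ] || { echo "branch must not be empty" >&2; return 1; }
  # aud pins the token audience that aws-actions/configure-aws-credentials
  # requests; sub pins the repository and branch allowed to assume the role.
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account}:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": "repo:${repo}:ref:refs/heads/${branch}"
        }
      }
    }
  ]
}
EOF
}
```

Because a scheduled workflow always runs on the repository's default branch, pinning sub to that branch is enough for the discovery job above; if you later add a branch-based or pull_request trigger, add its subject as a separate allowed value rather than loosening the condition to a wildcard.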

What's next

Exit Codes: reference for all exit codes and error output
Output Formats: use JSON output for custom CI reporting
cloudburn scan: full scan command reference