Security Feedback on Every PR

Every time you push Terraform, Bicep, or Terragrunt changes, Cloudgeni reviews them automatically. Security issues get flagged with inline comments and suggested fixes—right on the PR.

Automatic

Triggers on every PR. No manual scans needed.

Inline Comments

Feedback on exact lines with code suggestions.

Severity Ratings

Critical → Low so you know what to fix first.

Block Merges

Optional: require passing review to merge.

How It Works

PR Created → Webhook → Analysis → Review Posted
     ↓           ↓          ↓           ↓
  1-2 min    Instant    30 sec    Comments appear

PR Opened

You push IaC changes and open a pull request

Webhook Fires

Your Git provider notifies Cloudgeni instantly

Code Analyzed

500+ security rules check your changes

Review Posted

Findings appear as comments on the PR

What You See

Summary Comment

## Cloudgeni Security Review

**3 issues found:**
- 🔴 1 Critical
- 🟠 1 High
- 🟡 1 Medium

See inline comments for details.

Inline Comments

🔴 Critical: S3 Bucket Public Access
File: modules/storage/main.tf (line 15)
The acl = "public-read" makes this bucket publicly readable. This could expose sensitive data.
Suggested Fix:

resource "aws_s3_bucket_public_access_block" "data" {
  bucket                  = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

What Gets Checked

  • Public access enabled
  • Missing encryption
  • Weak IAM policies
  • Open security groups
  • Hardcoded secrets

Severity Levels

| Level | What It Means | Action |
|---|---|---|
| 🔴 Critical | Immediate security risk | Must fix before merge |
| 🟠 High | Significant concern | Should fix before merge |
| 🟡 Medium | Moderate risk | Consider fixing |
| 🔵 Low | Minor issue | Fix when convenient |
| Info | FYI | No action needed |

Configure severity thresholds to only see what matters to your team.

Supported Providers


Block Insecure Merges

Add Cloudgeni as a required status check:

  1. Settings → Branches → Edit protection rule
  2. Enable Require status checks to pass
  3. Add cloudgeni/security-review

With required checks, PRs with Critical findings can’t be merged until fixed.

Configuration

What to Review

| Setting | Effect |
|---|---|
| All | Everything including Info |
| Low+ | Skip Info |
| Medium+ | Only Medium, High, Critical |
| High+ | Only High and Critical |
| Critical | Only Critical |

Where to Review

  • All repos (default)
  • Specific repos (include/exclude list)
  • Specific branches (main only, etc.)

Handle False Positives

  1. Find the finding in Cloudgeni
  2. Click Mark as False Positive
  3. Add a reason
  4. Won’t appear in future reviews

Add a comment in your code:

# cloudgeni:ignore:CKV_AWS_19 - Intentional for static website
resource "aws_s3_bucket" "website" {
  bucket = "my-public-website"
}

Create suppression rules by:
  • Check ID
  • Resource type
  • File path pattern
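As an added example (not Cloudgeni's own code), the following Python models three behaviours this page describes: suppression via the `# cloudgeni:ignore:<CHECK_ID> - <reason>` comment, the "What to Review" severity threshold, and the merge block on Critical findings. It assumes an ignore comment covers only the resource block directly beneath it; the second bucket and the `EXAMPLE_*` check IDs are constructed placeholders.

```python
"""Mirror the review flow above: drop findings a `# cloudgeni:ignore:<CHECK_ID>
- <reason>` comment suppresses, apply the severity threshold, and report whether
a Critical finding blocks the merge. Assumes a comment covers the next block."""
import re
from collections import namedtuple

SEVERITIES = ["Info", "Low", "Medium", "High", "Critical"]
THRESHOLDS = {"All": "Info", "Critical": "Critical",
              "Low+": "Low", "Medium+": "Medium", "High+": "High"}
IGNORE_RE = re.compile(r"^\s*#\s*cloudgeni:ignore:(\S+)(?:\s*-\s*(.*))?$")
RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"')
Finding = namedtuple("Finding", "check_id severity resource")  # resource = TF address

def parse_suppressions(tf_source):
    """Map resource address -> set of check IDs suppressed by the comments above it."""
    suppressed, pending = {}, set()
    for line in tf_source.splitlines():
        if m := IGNORE_RE.match(line):
            pending.add(m.group(1))
        elif m := RESOURCE_RE.match(line):
            if pending:
                suppressed[f"{m.group(1)}.{m.group(2)}"] = pending
            pending = set()
        elif line.strip() and not line.lstrip().startswith("#"):
            pending = set()  # unrelated code between comment and resource resets it
    return suppressed

def review(findings, tf_source, threshold="All"):
    """Return (findings that would be posted, whether the merge is blocked)."""
    floor = SEVERITIES.index(THRESHOLDS[threshold])
    suppressed = parse_suppressions(tf_source)
    posted = [f for f in findings
              if f.check_id not in suppressed.get(f.resource, set())
              and SEVERITIES.index(f.severity) >= floor]
    return posted, any(f.severity == "Critical" for f in posted)

# Constructed sample: the page's suppressed website bucket plus an unsuppressed one.
SAMPLE_TF = """# cloudgeni:ignore:CKV_AWS_19 - Intentional for static website
resource "aws_s3_bucket" "website" {
  bucket = "my-public-website"
}
resource "aws_s3_bucket" "data" {
  acl = "public-read"
}
"""
SAMPLE_FINDINGS = [  # EXAMPLE_* IDs are placeholders, not real rule IDs
    Finding("CKV_AWS_19", "Critical", "aws_s3_bucket.website"),
    Finding("CKV_AWS_19", "Critical", "aws_s3_bucket.data"),
    Finding("EXAMPLE_ENCRYPTION", "Medium", "aws_s3_bucket.data"),
    Finding("EXAMPLE_LOGGING", "Low", "aws_s3_bucket.data"),
]
```

Running `review(SAMPLE_FINDINGS, SAMPLE_TF, "Medium+")` posts only the two `aws_s3_bucket.data` findings at Medium or above and reports the merge as blocked, while the website bucket's suppressed finding never appears.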

Troubleshooting

| Problem | Fix |
|---|---|
| Reviews not appearing | Check webhook delivery in Git provider settings |
| Delayed reviews | Large PRs take longer. Check status page. |
| Permission errors | Re-authorize Cloudgeni app in Git provider |
| Missing inline comments | Some findings show as a general comment if the line is not in the diff |

Next Steps