PR Security Check
PR Security Check reviews your Terraform, CloudFormation, and IAM policy changes before merge. When a pull request touches security-sensitive files, Flare analyzes the diff with AI and posts findings as a PR comment with severity scores, plain-English explanations, and specific fix suggestions.
PR Security Check uses a Flare API key, not a connector. Anyone with a GitHub repo can use it — no cloud connection required.
How it works
- A pull request is opened or updated with changes to infrastructure files
- The GitHub Action identifies security-relevant files (.tf, CloudFormation, IAM policies, etc.)
- The diff is sent to Flare’s API for AI-powered review
- Findings are posted as a PR comment
- The workflow fails if findings meet your configured severity threshold
What Flare looks for
| Category | Examples |
|---|---|
| Overly broad IAM roles | roles/editor, roles/owner, wildcard * permissions |
| Missing conditions | IAM bindings without org, IP, or time conditions |
| Public access | allUsers, allAuthenticatedUsers, 0.0.0.0/0 ingress |
| Privilege escalation | setIamPolicy, actAs, getAccessToken, sts:AssumeRole grants |
| Secrets in config | Hardcoded credentials, API keys, connection strings |
| Network exposure | Overly permissive firewall rules, missing egress restrictions |
| Missing encryption | Unencrypted storage, disabled audit logging |
| Dangerous defaults | Deletion protection disabled, versioning off |
| Lateral movement | Overly broad cross-account trust policies |
| Compliance gaps | Missing logging, no backup configuration |
Setting up
1. Generate an API key
- Go to Settings at tryflare.ai/settings
- Click Create API key
- Copy the key immediately — it is only shown once
- Add it as a GitHub repository secret named FLARE_API_KEY
2. Add the workflow
Create .github/workflows/flare.yml in your repository:
```yaml
name: Security Review
on:
  pull_request:
    paths:
      - '**/*.tf'
      - '**/*.tfvars'
      - '**/cloudformation/**'
      - '**/*-policy.json'
      - '**/*-role.json'
jobs:
  flare:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: tryflare-ai/pr-security-check@v1
        with:
          token: ${{ secrets.FLARE_API_KEY }}
```
fetch-depth: 0 is required. Without it, the action cannot compute the diff between the PR base and head.
Configuration
| Input | Required | Default | Description |
|---|---|---|---|
| token | Yes | — | Flare API key (flr_pr_...) |
| fail-on | No | critical | Minimum severity to fail: critical, high, medium, low, none |
| comment | No | true | Post findings as a PR comment |
| paths | No | — | Custom file patterns (comma-separated). Overrides defaults. |
| api-url | No | Production URL | Override for self-hosted or staging |
Outputs
| Output | Description |
|---|---|
| findings-count | Total number of security findings |
| critical-count | Number of critical-severity findings |
| high-count | Number of high-severity findings |
Fail-on threshold
The fail-on input controls when the workflow fails:
| Value | Fails when |
|---|---|
| critical | Any critical finding (default) |
| high | Any critical or high finding |
| medium | Any critical, high, or medium finding |
| low | Any finding at all |
| none | Never fails — findings are informational only |
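To make the threshold semantics concrete, here is an added example (not the action's own source) that models the fail-on gate and the three outputs over a constructed set of findings shaped like the sample comment below; the finding dictionaries and their fields are assumptions.

```python
"""Severity gating as described for the fail-on input (added example)."""
from collections import Counter

# Ordered from most to least severe; 'none' disables failure entirely.
SEVERITIES = ["critical", "high", "medium", "low"]
FAIL_ON_VALUES = SEVERITIES + ["none"]


def summarize(findings):
    """Return the counts the action exposes as workflow outputs."""
    counts = Counter(f["severity"] for f in findings)
    return {
        "findings-count": len(findings),
        "critical-count": counts["critical"],
        "high-count": counts["high"],
    }


def should_fail(findings, fail_on="critical"):
    """True when any finding is at or above the fail-on threshold."""
    if fail_on not in FAIL_ON_VALUES:
        raise ValueError(f"invalid fail-on value: {fail_on!r}")
    if fail_on == "none":
        return False
    threshold = SEVERITIES.index(fail_on)
    # Lower index means more severe, so "at or above" is index <= threshold.
    return any(SEVERITIES.index(f["severity"]) <= threshold for f in findings)


# Constructed sample findings (hypothetical paths), mirroring "1 critical | 2 high".
SAMPLE_FINDINGS = [
    {"file": "infra/iam.tf:23", "severity": "critical", "title": "Overly broad IAM role"},
    {"file": "infra/net.tf:10", "severity": "high", "title": "Public access"},
    {"file": "infra/net.tf:41", "severity": "high", "title": "Network exposure"},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FINDINGS))
    for level in FAIL_ON_VALUES:
        print(f"fail-on={level}: fails={should_fail(SAMPLE_FINDINGS, level)}")
```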
```yaml
      - uses: tryflare-ai/pr-security-check@v1
        with:
          token: ${{ secrets.FLARE_API_KEY }}
          fail-on: high # fail on critical or high
```
Custom file patterns
Override the default patterns to review additional file types:
```yaml
      - uses: tryflare-ai/pr-security-check@v1
        with:
          token: ${{ secrets.FLARE_API_KEY }}
          paths: '*.tf,*.tfvars,*.sentinel,pulumi/*'
```
Default file patterns
The action reviews these files by default:
| Pattern | What it matches |
|---|---|
| *.tf, *.tfvars | Terraform configuration |
| *-policy.json, *-role.json | IAM policy files |
| *.sentinel | HashiCorp Sentinel policies |
| cloudformation/ | CloudFormation templates |
| iam/ | IAM configuration directories |
| k8s/, helm/ | Kubernetes and Helm manifests |
If no changed files match these patterns, the action exits cleanly without calling the API.
When findings are detected, a comment is posted on the PR with a severity summary and per-finding details:
```markdown
## Flare Security Review
**1 critical** | **2 high** | 3 file(s) analyzed
---
### Critical
#### `infra/iam.tf:23` -- Overly broad IAM role
This binding grants roles/editor to svc-pipeline@..., which includes
write access to all resources in the project.
**Fix:** Replace with a custom role or roles/cloudfunctions.developer.
```
When the action runs again on the same PR (e.g., after pushing a fix), the existing comment is updated rather than duplicated.
If no security issues are found, the comment reads: "No security issues found. :white_check_mark:"
Priority truncation
For large PRs, Flare prioritizes the most security-relevant files:
- Critical: IAM directories, policy files, role files
- High: Sentinel policies, firewall rules, network configs
- Medium: General Terraform and CloudFormation
- Low: Kubernetes and Helm manifests
If the total diff exceeds the analysis context window, lower-priority files are dropped first. The response includes a files_truncated count so you know if files were skipped.
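The following added example (not the action's code) ties the default-pattern table above to the priority order in this section: it classifies changed paths, then fills a constructed character budget standing in for the context window, dropping lower-priority files first and reporting a files_truncated count. The sample paths, diff sizes and budget are constructed.

```python
"""Default-pattern matching and priority truncation for changed files (added example)."""
from fnmatch import fnmatch

# Default patterns from the table above, each tagged with its truncation priority.
# Firewall/network rules are prioritized by content in the real action; here only
# the documented default file patterns are modeled.
PATTERN_PRIORITY = [
    ("iam/", "critical"), ("*-policy.json", "critical"), ("*-role.json", "critical"),
    ("*.sentinel", "high"),
    ("*.tf", "medium"), ("*.tfvars", "medium"), ("cloudformation/", "medium"),
    ("k8s/", "low"), ("helm/", "low"),
]
PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def classify(path):
    """Return the highest priority among matching default patterns, or None."""
    parts = path.split("/")
    best = None
    for pattern, prio in PATTERN_PRIORITY:
        if pattern.endswith("/"):          # directory pattern: any parent component
            hit = pattern[:-1] in parts[:-1]
        else:                               # glob on the file name only
            hit = fnmatch(parts[-1], pattern)
        if hit and (best is None or PRIORITY_RANK[prio] < PRIORITY_RANK[best]):
            best = prio
    return best


def select_files(diff_sizes, budget):
    """Keep relevant files within budget; returns (kept paths, files_truncated).

    diff_sizes maps changed path -> diff size in characters (a constructed stand-in
    for the model context window). Files are taken in priority order, so a file is
    only dropped after every higher-priority file has been admitted."""
    relevant = [(p, s) for p, s in diff_sizes.items() if classify(p)]
    relevant.sort(key=lambda ps: (PRIORITY_RANK[classify(ps[0])], ps[0]))
    kept, used, truncated = [], 0, 0
    for path, size in relevant:
        if used + size <= budget:
            kept.append(path)
            used += size
        else:
            truncated += 1
    return kept, truncated


# Constructed changed-file set for a hypothetical PR (README.md is not reviewed).
SAMPLE_DIFF = {"iam/roles.tf": 400, "infra/prod-policy.json": 300,
               "policies/deny.sentinel": 200, "modules/vpc/main.tf": 500,
               "k8s/deployment.yaml": 250, "README.md": 100}
```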
Rate limits
PR checks share the Flare daily analysis limit (10/day on the free tier). When the limit is reached, the action posts a warning but does not fail the workflow — your PR is not blocked by exhausted quota.
Revoking a key
Go to Settings at tryflare.ai/settings and click Revoke on the key. Any workflows using that key will receive 401 Unauthorized on the next run.
Combining with deploy webhooks
PR Security Check and deploy webhooks serve different moments:
| | PR Security Check | Deploy Webhook |
|---|---|---|
| When | Before merge | After deploy |
| What | Code diff (IaC files) | Cloud audit logs |
| Needs connector | No | Yes (GCP) |
| Result | PR comment | Dashboard finding |
Use both for complete coverage: catch issues in the code review, then verify the deploy didn’t introduce unexpected changes.