Getting Started

LeftSize scans your AWS and Azure infrastructure for cost optimization opportunities, security risks, governance gaps, and upcoming service deprecations. Findings are delivered as GitHub Issues with actionable remediation guidance.

How it works

  1. Install the LeftSize GitHub App on your organization or personal account
  2. Connect your cloud accounts using secure OIDC authentication (no stored credentials)
  3. Scan automatically on a daily schedule via GitHub Actions
  4. Act on findings delivered as GitHub Issues with step-by-step guidance

Step 1: Install the GitHub App

Install LeftSize from the GitHub Marketplace. Choose which repositories should receive scan results. You can start with a single repository and add more later.

After installation, you’ll be redirected to the onboarding flow at leftsize.com/onboarding where you can configure your first scan.

Step 2: Set up cloud authentication

LeftSize uses OpenID Connect (OIDC) to authenticate with your cloud provider. This means no long-lived credentials are stored – GitHub Actions requests a short-lived token for each scan run.

Choose your cloud provider:

Step 3: Add the workflow

During onboarding, LeftSize generates a customized GitHub Actions workflow for your repository. Copy the workflow YAML and commit it to .github/workflows/leftsize.yml in your repository.

The workflow includes:

  • A randomized daily schedule (unique per repository to distribute load)
  • Manual trigger support via workflow_dispatch
  • OIDC authentication to your cloud provider
  • Multi-environment support via matrix strategy (e.g., scan PROD and DEV separately)

Step 4: Add secrets and variables

Add the required secrets to your repository under Settings > Secrets and variables > Actions:

Azure

Secret                        Description
AZURE_CLIENT_ID_MAIN          App Registration Client ID
AZURE_SUBSCRIPTION_ID_MAIN    Subscription ID to scan
AZURE_TENANT_ID               Azure AD Tenant ID
LEFTSIZE_INSTALLATION_ID      Provided during onboarding
LEFTSIZE_REPOSITORY_TOKEN     Provided during onboarding

AWS

Secret                        Description
AWS_ROLE_ARN_MAIN             IAM Role ARN for OIDC
LEFTSIZE_INSTALLATION_ID      Provided during onboarding
LEFTSIZE_REPOSITORY_TOKEN     Provided during onboarding

Variable                      Description
AWS_REGIONS                   Comma-separated regions to scan (e.g., us-east-1,eu-west-1)
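
The role named in AWS_ROLE_ARN_MAIN is assumed through GitHub's OIDC provider, so its trust policy decides which workflows can obtain the short-lived credentials. The check below is an added example, not LeftSize code: it audits a trust policy for the audience and repository-scoped subject conditions. The repository example-org/infra, the account ID and the three sample policies are constructed, and the default sts.amazonaws.com audience is an assumption.

```python
PROVIDER = "token.actions.githubusercontent.com"  # GitHub's OIDC issuer host

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, repo):
    """List problems in a role trust policy; repo is the expected "owner/name"."""
    problems, found = [], False
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        feds = _as_list(principal.get("Federated", []))
        if not any(f.endswith("oidc-provider/" + PROVIDER) for f in feds):
            continue
        found = True
        # Flatten {operator: {key: values}} into {key: [(operator, value), ...]}
        conds = {}
        for op, pairs in st.get("Condition", {}).items():
            for key, vals in pairs.items():
                conds.setdefault(key.lower(), []).extend((op, v) for v in _as_list(vals))
        # Assumption: the workflow requests the default sts.amazonaws.com audience
        if ("StringEquals", "sts.amazonaws.com") not in conds.get(PROVIDER + ":aud", []):
            problems.append("aud is not pinned to sts.amazonaws.com")
        subs = [v for op, v in conds.get(PROVIDER + ":sub", [])
                if op in ("StringEquals", "StringLike")]
        if not subs:
            problems.append("no sub condition: any GitHub repository can assume the role")
        for pattern in subs:
            # The trailing ":" stops "owner/name*" from matching sibling repositories
            if not pattern.startswith(f"repo:{repo}:"):
                problems.append(f"sub pattern {pattern!r} is not limited to {repo}")
    if not found:
        problems.append("no Allow statement trusts the GitHub OIDC provider")
    return problems

def _policy(condition):  # constructed sample; 111122223333 is a placeholder account
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/" + PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

AUD = {"StringEquals": {PROVIDER + ":aud": "sts.amazonaws.com"}}
SCOPED = _policy({**AUD, "StringLike": {PROVIDER + ":sub": "repo:example-org/infra:*"}})
ORG_WIDE = _policy({**AUD, "StringLike": {PROVIDER + ":sub": "repo:example-org/*"}})
UNSCOPED = _policy(AUD)

if __name__ == "__main__":
    for policy in (SCOPED, ORG_WIDE, UNSCOPED):
        print(audit_trust_policy(policy, "example-org/infra") or "ok")
```

Feed it the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) for the role you created before storing its ARN as a secret.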

Step 5: Run your first scan

You can wait for the scheduled run or trigger a scan manually:

  1. Go to your repository’s Actions tab
  2. Select LeftSize Cost Optimization Scan
  3. Click Run workflow

After the scan completes, check your repository’s Issues tab for findings. Each issue includes:

  • A description of the problem
  • The affected resources
  • Estimated cost savings (where applicable)
  • Interactive commands for remediation guidance
