How It Works

LeftSize integrates with GitHub Actions and your cloud provider to deliver infrastructure optimization recommendations as GitHub Issues.

Architecture overview

Your Repository          LeftSize Action           LeftSize API
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”        β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”        β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ .github/     β”‚        β”‚ Cloud        β”‚        β”‚ Template     β”‚
β”‚ workflows/   │───────>β”‚ Custodian    │───────>β”‚ Engine       β”‚
β”‚ leftsize.yml β”‚  runs  β”‚ Policies     β”‚ submit β”‚              β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜        β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ findingsβ””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜
                                                       β”‚
                                                       β”‚ creates
                                                       v
                                                β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
                                                β”‚ GitHub       β”‚
                                                β”‚ Issues       β”‚
                                                β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

The scan cycle

1. Scheduled trigger

A GitHub Actions workflow runs on a daily cron schedule (randomized per repository to distribute load). You can also trigger scans manually from the Actions tab.

2. Cloud authentication

The workflow authenticates to your cloud provider using OIDC – no stored credentials. GitHub Actions requests a short-lived token that’s valid only for the duration of the scan.

3. Policy execution

The LeftSize Action runs Cloud Custodian policies against your infrastructure. These policies check for:

  • Cost optimization – idle resources, oversized instances, missing discounts
  • Security – unencrypted storage, public access, open network ports
  • Governance – missing ownership tags, compliance gaps
  • Deprecations – outdated service versions, upcoming retirements

Policies are read-only. They query resource metadata and CloudWatch/Azure Monitor metrics but never modify anything.

4. Findings submission

Detected findings are submitted to the LeftSize API along with your installation ID and repository token. The API groups findings by rule and scope (e.g., all idle VMs in a subscription).

5. Issue creation

The template engine renders a GitHub Issue for each group of findings using Handlebars templates. Each issue includes:

  • A title with the category prefix (e.g., [COST], [SECURITY], [DEPRECATION])
  • A list of affected resources with relevant details
  • Estimated monthly savings (for cost optimization findings)
  • Available @leftsize commands for interactive guidance

6. Issue lifecycle

Issues are managed over time:

  • New findings create new issues
  • Recurring findings update existing issues and add recurrence labels
  • Resolved findings (resources cleaned up) are not re-opened
  • Snoozed issues are suppressed until the snooze period expires

What runs where

Component Runs in Has access to
GitHub Actions workflow Your repository’s runner Your cloud provider (via OIDC)
LeftSize Action Your repository’s runner Cloud APIs (read-only), LeftSize API
LeftSize API LeftSize infrastructure GitHub API (to create issues)

Your cloud credentials never leave your GitHub Actions runner. The LeftSize API only receives finding metadata (resource names, types, regions) – not credentials or sensitive data.

Detection methods

LeftSize uses several detection strategies:

Metrics-based detection

For resources like VMs, databases, and Lambda functions, LeftSize queries CloudWatch or Azure Monitor metrics over a time window (typically 14-30 days). A resource is flagged as idle when key metrics are consistently at or near zero.

Configuration-based detection

For resources like unattached disks, unused IP addresses, and missing encryption, LeftSize checks resource configuration directly. These checks don’t require metrics data.

Age-based filtering

To avoid false positives on newly created resources, most policies include an age filter. A resource must exist for a minimum period (typically 14-30 days) before it’s flagged.

Cost estimation

Where possible, LeftSize estimates monthly savings based on the resource type, size, and pricing tier. These estimates use public pricing data and may not reflect negotiated discounts or reserved instance pricing.

Reports and statistics

In addition to scanning, the LeftSize Action supports a stats mode that generates reports summarizing your scan activity, fix ratio, and cost savings over time. Reports are available in three types (summary, detailed, executive) and can be generated on demand or on a schedule.

Stats mode does not scan your cloud infrastructure – it fetches aggregated data from the LeftSize API. See the Reports guide for setup instructions and examples.

Plans and limits

Free Pro
Repositories 3 Unlimited
Rules 41 (22 AWS + 19 Azure) All 107
Categories Cost, Governance, Deprecations All categories including Security
@leftsize commands On free-tier rules On all rules
Price $0 $29/month or $290/year

See the rules catalog for which rules are included in each plan.

Related Articles

Getting Started Install LeftSize, connect your cloud accounts, and run your first scan in minutes. Rules Full catalog of 107 rules across AWS and Azure covering cost optimization, security, governance, and deprecations. Reports Generate summary, detailed, and executive reports for scan activity, fix rates, and cost savings.

Β© 2026 LeftSize. Cloud cost optimization for GitHub teams.

Need help?

Can't find what you're looking for? Send us a message and we'll get back to you.

↡ to select Β· ↑↓ to navigate Β· esc to close