Troubleshooting
Common issues and how to resolve them.
Scan workflow fails
Authentication error (Azure)
Symptom: The Azure Login step fails with “AADSTS700016” or “federated credential” errors.
Causes and fixes:
- Federated credential doesn’t match – Verify the Organization, Repository, and Branch in the federated credential match your workflow exactly. The repository must be in the format org/repo (case-sensitive).
- Wrong secret values – Double-check that AZURE_CLIENT_ID_MAIN contains the Application (client) ID, not the Object ID. Verify AZURE_TENANT_ID is the Directory (tenant) ID.
- App Registration deleted or disabled – Confirm the App Registration still exists in Azure AD.
Authentication error (AWS)
Symptom: The AWS Login step fails with “Not authorized to perform sts:AssumeRoleWithWebIdentity”.
Causes and fixes:
- Trust policy too restrictive – Ensure the IAM role’s trust policy includes your repository. The sub condition should match repo:YOUR_ORG/YOUR_REPO:*.
- OIDC provider missing – Verify the GitHub Actions OIDC provider exists in your AWS account under IAM > Identity providers.
- Wrong role ARN – Confirm AWS_ROLE_ARN_MAIN contains the full ARN (e.g., arn:aws:iam::123456789012:role/leftsize-scanner).
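The following added example (not LeftSize code) checks an IAM role trust policy against the sub claim a workflow run would present and reports why sts:AssumeRoleWithWebIdentity would be refused, including a case-only mismatch. The function names are hypothetical, and the policy, account ID, and org/repo names are constructed placeholders.

```python
# Added example: function names are illustrative, sample values are constructed.
import json
import re

OIDC_HOST = "token.actions.githubusercontent.com"  # GitHub Actions OIDC issuer
SUB_KEY = OIDC_HOST + ":sub"
def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(op, pattern, subject, flags=0):
    # IAM StringLike supports only * and ? wildcards; both operators are case-sensitive.
    regex = re.escape(pattern)
    if op == "StringLike":
        regex = regex.replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, subject, flags) is not None

def diagnose_trust_policy(policy_json, subject):
    """Return reasons the role would reject `subject`; an empty list means accepted."""
    problems = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if not any(arn.endswith("oidc-provider/" + OIDC_HOST) for arn in federated):
            problems.append("Principal is not the GitHub Actions OIDC provider")
            continue
        cond, failed = stmt.get("Condition", {}), []
        for op in ("StringEquals", "StringLike"):
            values = _as_list(cond.get(op, {}).get(SUB_KEY, []))
            if values and not any(_matches(op, v, subject) for v in values):
                hint = " (differs only in case)" if any(
                    _matches(op, v, subject, re.IGNORECASE) for v in values) else ""
                failed.append(f"{op} on sub {values} does not match {subject!r}{hint}")
        if not failed:
            return []
        problems += failed
    return problems or ["No Allow statement for sts:AssumeRoleWithWebIdentity"]

# Constructed sample: placeholder account ID, org and repo names.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + OIDC_HOST},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringLike": {SUB_KEY: "repo:Example-Org/infra:*"}}}]})

if __name__ == "__main__":
    print(diagnose_trust_policy(SAMPLE_POLICY, "repo:example-org/infra:ref:refs/heads/main"))
```

Paste the role's trust policy JSON in place of the sample and pass the subject your workflow presents, which for a branch run has the form repo:ORG/REPO:ref:refs/heads/BRANCH.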
No findings after successful scan
Possible reasons:
- Your infrastructure is well-optimized (no issues found).
- The scan ran against an empty or very small environment.
- Metrics data hasn’t accumulated yet – many rules require 14-30 days of CloudWatch/Monitor data. If you recently deployed resources, wait and re-scan.
- Check the findings-count output in the workflow summary. If it shows 0, no issues were detected.
Workflow shows “findings-submitted: false”
The LeftSize API couldn’t be reached or returned an error. Check:
- LEFTSIZE_INSTALLATION_ID and LEFTSIZE_REPOSITORY_TOKEN secrets are set correctly
- The LeftSize API is reachable (try manually triggering the workflow)
- You haven’t exceeded the repository limit (Free plan: 3 repositories)
Issue-related problems
No issues created after scan
Issues are only created when findings are detected. Check the workflow run logs for the findings-count output. If findings were submitted but no issues appeared:
- Check the repository’s Issues tab (issues might have different labels than expected)
- Verify Issues are enabled on the repository (Settings > General > Features > Issues)
Duplicate issues
LeftSize deduplicates issues by rule and scope. If you see duplicates, it may be because:
- The same resources appear in different scopes (e.g., different subscriptions or regions)
- A previous issue was manually deleted instead of being resolved through the normal lifecycle
Commands not responding
If @leftsize commands don’t get a response:
- Verify the issue was created by LeftSize (check the issue body for the LeftSize footer)
- Commands only work on LeftSize-created issues
- Allow a few seconds for the response – command processing is asynchronous
- Check that the command syntax is correct (see Commands)
Plan and billing
“Repository limit exceeded” error
Free plan accounts are limited to 3 repositories. To scan additional repositories, upgrade to the Pro plan.
Guidance commands show upgrade prompt
On the Free plan, guidance commands (@leftsize explain, howto, etc.) are only available for free-tier rules. If you use a guidance command on a Pro rule, you’ll see an upgrade prompt. See Rules for which rules are included in the Free plan.
Getting help
If your issue isn’t covered here:
- Check the FAQ
- Open an issue in this repository
- Contact us at support@leftsize.com