StackSage

StackSage is a privacy-first AWS audit platform that identifies cost optimization opportunities and security misconfigurations across your AWS infrastructure. Running entirely within your GitHub Actions environment, StackSage scans your AWS resources to detect idle instances, oversized resources, outdated configurations, and unused services, delivering actionable insights without ever transmitting your data to external servers. Core Capabilities: Cost Optimization Detection StackSage employs intelligent detectors across major AWS service categories: Compute: Identifies EC2 instances with <5% CPU utilization, detects opportunities to upgrade from older generation types (e.g., m4→m6i for 20-30% savings), and flags Lambda functions with minimal invocations. Storage: Discovers unattached EBS volumes, overprovisioned IOPS/throughput, gp2-to-gp3 migration opportunities (20% cost savings), and obsolete snapshots older than 90 days. Database: Detects RDS instances with low connection counts, unused read replicas, and oversized database configurations. Network: Finds idle NAT gateways (<1GB/day transfer), unused Elastic IPs, and underutilized load balancers with minimal request volumes. Other Services: Identifies unused CloudWatch log groups, idle ElastiCache clusters, empty S3 buckets with lifecycle policies, and DynamoDB tables in on-demand mode with predictable traffic patterns. Security & Compliance Beyond cost, StackSage provides posture detection for security best practices, identifying publicly exposed resources, overly permissive security groups, and configuration drift from AWS Well-Architected Framework principles. Privacy-First Architecture Zero Data Exfiltration: StackSage runs entirely in your GitHub Actions runner using temporary AWS credentials via OIDC (OpenID Connect). Your AWS data never leaves your infrastructure, no external API calls, no telemetry, no cloud backends. Short-Lived Credentials: Authentication uses GitHub's OIDC integration with AWS STS to generate 1-hour temporary credentials. No long-lived access keys required. Read-Only Permissions: Requires only IAM read permissions (ReadOnlyAccess + CloudWatchReadOnlyAccess) to describe resources and fetch CloudWatch metrics. Local Report Generation: HTML and JSON reports are generated and stored as GitHub Actions artifacts within your repository. Technical Implementation Deployment Model StackSage ships as a Docker container designed for GitHub Actions workflows. A typical setup: Runs on schedule (e.g., weekly) or manual trigger Assumes IAM role via OIDC Scans configured AWS regions Generates findings with evidence grades (A-F) Uploads report artifacts Configuration Flexibility Customize behavior via stacksage.yml: Exclusions: Skip specific resources, tags, regions, or entire detector types Thresholds: Adjust idle CPU percentages, unattached volume days, minimum savings amounts Tag Governance: Enforce required tags or exclude resources by tag patterns Budget Awareness: Configure CloudWatch query budgets to control API costs Detection Methodology Each detector assigns an Evidence Grade (A-F) based on CloudWatch metric confidence: Grade A: 14+ days of consistent metrics, high confidence Grade B: 7-14 days of data Grade C: 3-7 days, emerging pattern Grade D-F: Insufficient data or edge cases Estimated monthly savings calculated using real-time AWS pricing data. Reporting & Integration Output Formats HTML Report: Interactive dashboard with sortable findings, filterable by severity/service/region JSON Report: Machine-readable format for CI/CD integration and custom tooling Provenance Metadata: Includes CloudWatch query counts, budget consumption, and API error classifications Evidence Transparency Each finding includes: Resource ARN and tags CloudWatch metrics used for analysis Detection confidence level Estimated monthly savings in USD Actionable remediation steps Trial vs. Full Version: The trial version (stacksage_trial) includes 6 core detectors (EC2 idle, EBS unattached, NAT idle, RDS low connections, Elastic IP unattached, Lambda low invocations) with a 5-resource cap per detector. The full version includes 25+ detectors across all AWS services with unlimited resource scanning. Licensing & Support StackSage operates on a license-based model with trial evaluation available. For setup assistance, configuration guidance, or technical support, contact [email protected].