StackSage is a privacy-first AWS audit platform that identifies cost optimization opportunities and security misconfigurations across your AWS infrastructure.
Running entirely within your GitHub Actions environment, StackSage scans your AWS resources to detect idle instances, oversized resources, outdated configurations, and unused services, delivering actionable insights without ever transmitting your data to external servers.
Core Capabilities:
Cost Optimization Detection
StackSage employs intelligent detectors across major AWS service categories:
Compute: Identifies EC2 instances with <5% CPU utilization, detects opportunities to upgrade from older generation types (e.g., m4→m6i for 20-30% savings), and flags Lambda functions with minimal invocations.
Storage: Discovers unattached EBS volumes, overprovisioned IOPS/throughput, gp2-to-gp3 migration opportunities (20% cost savings), and obsolete snapshots older than 90 days.
Database: Detects RDS instances with low connection counts, unused read replicas, and oversized database configurations.
Network: Finds idle NAT gateways (<1GB/day transfer), unused Elastic IPs, and underutilized load balancers with minimal request volumes.
Other Services: Identifies unused CloudWatch log groups, idle ElastiCache clusters, empty S3 buckets with lifecycle policies, and DynamoDB tables in on-demand mode with predictable traffic patterns.
Security & Compliance
Beyond cost, StackSage provides posture detection for security best practices, identifying publicly exposed resources, overly permissive security groups, and configuration drift from AWS Well-Architected Framework principles.
Privacy-First Architecture
Zero Data Exfiltration: StackSage runs entirely in your GitHub Actions runner using temporary AWS credentials obtained via OIDC (OpenID Connect). Your AWS data never leaves your infrastructure: no external API calls, no telemetry, no cloud backends.
Short-Lived Credentials: Authentication uses GitHub's OIDC integration with AWS STS to generate 1-hour temporary credentials. No long-lived access keys required.
Read-Only Permissions: Requires only IAM read permissions (the AWS managed policies ReadOnlyAccess and CloudWatchReadOnlyAccess) to describe resources and fetch CloudWatch metrics.
Local Report Generation: HTML and JSON reports are generated and stored as GitHub Actions artifacts within your repository.
Technical Implementation
Deployment Model
StackSage ships as a Docker container designed for GitHub Actions workflows. A typical setup:
Runs on schedule (e.g., weekly) or manual trigger
Assumes IAM role via OIDC
Scans configured AWS regions
Generates findings with evidence grades (A-F)
Uploads report artifacts
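A workflow implementing that sequence, as an added example rather than StackSage's own documentation; the container image, its command-line flags and the role ARN are placeholders, and the scan is assumed to read stacksage.yml from the repository:

```yaml
# Added example of the deployment model described above; not StackSage's own
# documentation. Image name, flags and role ARN are placeholders (assumptions).
name: stacksage-audit

on:
  schedule:
    - cron: "0 6 * * 1"      # weekly, Monday 06:00 UTC
  workflow_dispatch: {}      # manual trigger

permissions:
  id-token: write   # needed to request the GitHub OIDC token
  contents: read    # read-only checkout of stacksage.yml, nothing more

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchange the GitHub OIDC token for 1-hour STS credentials. The role's
      # trust policy should restrict the token's `sub` claim to this repository
      # (and branch) and `aud` to sts.amazonaws.com; the role itself carries
      # only ReadOnlyAccess and CloudWatchReadOnlyAccess.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/StackSageReadOnly  # placeholder
          role-session-name: stacksage-${{ github.run_id }}
          role-duration-seconds: 3600
          aws-region: us-east-1

      # Run the scanner. Only the temporary credentials are passed into the
      # container (no long-lived keys); output stays on the runner filesystem.
      - name: Scan configured regions
        run: |
          mkdir -p reports
          docker run --rm \
            -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN \
            -e AWS_REGION \
            -v "$PWD/stacksage.yml:/config/stacksage.yml:ro" \
            -v "$PWD/reports:/reports" \
            ghcr.io/example/stacksage:latest \
            --config /config/stacksage.yml --output /reports   # flags assumed

      # Reports (HTML + JSON) are kept as a repository artifact.
      - uses: actions/upload-artifact@v4
        with:
          name: stacksage-report
          path: reports/
          retention-days: 30
```

Scope the trust policy's `sub` condition to the exact repository and branch that runs this workflow; a wildcard there lets any workflow in the organization assume the role.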
Configuration Flexibility
Customize behavior via stacksage.yml:
Exclusions: Skip specific resources, tags, regions, or entire detector types
Thresholds: Adjust idle CPU percentages, unattached volume days, minimum savings amounts
Tag Governance: Enforce required tags or exclude resources by tag patterns
Budget Awareness: Configure CloudWatch query budgets to control API costs
Detection Methodology
Each detector assigns an Evidence Grade (A-F) based on CloudWatch metric confidence:
Grade A: 14+ days of consistent metrics, high confidence
Grade B: 7-14 days of data
Grade C: 3-7 days, emerging pattern
Grade D-F: Insufficient data or edge cases
Estimated monthly savings are calculated using real-time AWS pricing data.
Reporting & Integration
Output Formats
HTML Report: Interactive dashboard with sortable findings, filterable by severity/service/region
JSON Report: Machine-readable format for CI/CD integration and custom tooling
Provenance Metadata: Includes CloudWatch query counts, budget consumption, and API error classifications
Evidence Transparency
Each finding includes:
Resource ARN and tags
CloudWatch metrics used for analysis
Detection confidence level
Estimated monthly savings in USD
Actionable remediation steps
Trial vs. Full Version: The trial version (stacksage_trial) includes 6 core detectors (EC2 idle, EBS unattached, NAT idle, RDS low connections, Elastic IP unattached, Lambda low invocations) with a 5-resource cap per detector. The full version includes 25+ detectors across all AWS services with unlimited resource scanning.
Licensing & Support
StackSage operates on a license-based model with trial evaluation available. For setup assistance, configuration guidance, or technical support, contact [email protected].
Comments (2)
As someone with a lot of AWS infra this is interesting
@asupkay1124 Thanks! If you are interested in a free trial, do reach out to us at [email protected]; I'm personally catering to referrals from peerpush!
Excited to launch StackSage 🚀 We help teams uncover hidden cloud waste, optimize costs, and get clear, actionable insights—using safe, read-only audits. Looking forward to feedback!