Skip to main content

GitHub App

The Infracost GitHub App is an automated integration meaning that Infracost runs on our infrastructure and we keep it up to date. Infracost is trusted by thousands of companies around the world, including many of the Fortune 500. We are SOC 2 Type II certified.

1. Install the Infracost GitHub App2. Get pull request comments
Install the GitHub App into any GitHub organizationInfracost automatically leaves a comment on every pull request

Benefits

There are two key benefits of using the GitHub App over manual CI/CD integrations:

  1. You can add Infracost to multiple repos with one click, no need to install or update CLI versions in your CI/CD pipeline.
  2. Infracost runs faster as only changed folders are run based on the GitHub App events.

Usage

  1. Go to Infracost Cloud to sign up or log in to start your free trial (no credit card is needed).

  2. Every Infracost user has a default organization for personal use. Create a new organization for your company using the organization dropdown at the top of the page.

    Create new organization

  3. Click on Org Settings > Integrations > GitHub and follow the wizard to select the repos you want to give Infracost access to.

  4. If you use private modules:

    • For private git modules, add your private SSH key (RSA format is recommended) and/or Git HTTPS credentials so Infracost can clone the repos in the same way that Terraform does.

    • For private registry modules, see this page and set the required Terraform registry token and host in the integration settings page in Infracost Cloud.

  5. If you need to customize how Infracost runs, add an infracost.yml or infracost.yml.tmpl config file in the Repo > my repo > Settings tab, or to the root of your repo. The GitHub App will automatically use that file if it's present. The app will also apply any usage values defined in the infracost-usage.yml usage file at the root of the repo.

  6. Open a test pull request and wait for Infracost to leave a pull request comment. The Infracost Cloud dashboard should also show the cost estimate too.

  7. When the pull request is merged the Infracost Cloud dashboard will show you the time it was merged, who approved it, who merged it, and any labels associated with it on GitHub.

GitHub Enterprise

Our automated GitHub App integration works with both GitHub Enterprise Cloud and GitHub Enterprise Server. Directly integrating Infracost Cloud to GitHub Enterprise means you'll get the latest features, the fastest cost estimates and the most robust solution.

GitHub Enterprise Cloud

Follow the same usage steps as the regular GitHub App above.

Incoming traffic to GitHub

If you use the GitHub Enterprise "Enable IP allow list", the Infracost GitHub App will automatically add the required IP address to your GitHub organization's IP allow list. If you need to do that manually, please allow incoming traffic from 3.133.40.66 to your GitHub instance port 443 (or whatever port you use); this is the IP address used by Infracost Cloud services to call the integration.

Outgoing traffic from GitHub

If you have restricted out-going traffic from your instance, you need to allow traffic to be sent to dashboard.api.infracost.io:443 too. If you can only do that by IP address (and not domains), you should whitelist 52.223.24.69, and 76.223.127.201.

GitHub Enterprise Server

Email us at hello@infracost.io to enable GitHub Enterprise Server in your Infracost Cloud account. This requires a meeting with your server admin so we can install the Infracost GitHub App in your GitHub organization.

Infracost Cloud optionally supports mTLS with GitHub Enterprise Server by using client certificates. If a client's GitHub Enterprise Server requires such a certificate, they have the option to supply Infracost with one. This certificate is securely stored and encrypted at rest. For each request sent to the client's GitHub Enterprise Server, Infracost Cloud will use this certificate. When Infracost Cloud instantiates its ephemeral isolated runners they use this certificate when scanning the code to provide cost estimates and when posting comments to the pull requests.

How the GitHub App works

The GitHub App needs read access to code repos so it can run the CLI against them, and write access to pull requests so it can post the cost estimate comment. You can select the repos you would like to give access to the App.

Each time a pull request is opened or a new commit is pushed to open pull requests, the Infracost GitHub App shows the cost difference between the most recent commit of the pull request branch, and the merge base of the base branch. The merge base is the latest common commit of the pull request base and target branch. This mirrors GitHub's pull request diff logic and shows only the cost of 'what a pull request introduces'.

Disable pull request comments

From the Org Settings > Integrations > GitHub App page, you can disable pull request comments so cost estimates, guardrails and tagging policies are only shown in Infracost Cloud. This enables you to test these features without impacting engineering workflows.

GitHub Actions to App migration

  1. Follow the usage docs to install the app. You can do this from the same Infracost organization you use already, and going into the Org Settings > Integrations page.
  2. Test it by sending a pull request.
  3. Remove all Infracost steps from your GitHub Actions.