GitHub App (recommended)
The Infracost GitHub App is an automated integration meaning that Infracost runs on our infrastructure and we keep it up to date. Infracost is trusted by thousands of companies around the world, including many of the Fortune 500. We are SOC 2 Type II certified.
1. Install the Infracost GitHub App | 2. Get pull request comments |
---|---|
![]() | ![]() |
Benefits
There are three key benefits of using the GitHub App over manual CI/CD integrations:
- You can add Infracost to multiple repos with one click, no need to install or update CLI versions in your CI/CD pipeline.
- Infracost runs significantly faster as only changed folders are run based on the GitHub App events.
- If you use Infracost Cloud (our SaaS product), all features work without you needing to make any changes to your CI/CD pipelines. If you use CI/CD integrations, you should implement these extra steps.
Usage
Go to Infracost Cloud to sign up or log in to start your free trial (no credit card is needed).
Every Infracost user has a default organization for personal use. Create a new organization for your company using the organization dropdown at the top of the page.
Click on Org Settings > Integrations > GitHub and follow the wizard to select the repos you want to give Infracost access to.
If you use private modules:
For private git modules, add your private SSH key (RSA format is recommended) and/or Git HTTPS credentials so Infracost can clone the repos in the same way that Terraform does.
For private registry modules, see this page and set the required Terraform registry token and host in the integration settings page in Infracost Cloud.
If you need to customize how Infracost runs, add an
infracost.yml
orinfracost.yml.tmpl
config file in the Repo > my repo > Settings tab, or to the root of your repo. The GitHub App will automatically use that file if it's present. The app will also apply any usage values defined in theinfracost-usage.yml
usage file at the root of the repo.Open a test pull request and wait for Infracost to leave a pull request comment. The Infracost Cloud dashboard should also show the cost estimate too.
When the pull request is merged the Infracost Cloud dashboard will show you the time it was merged, who approved it, who merged it, and any labels associated with it on GitHub.
Pull request status
The Infracost GitHub App enables the dashboard to show you the status of pull requests so you can filter on them. You can also filter on the date range that the pull request was last updated, and the base branch that pull requests are being merged into (e.g. main, stage, production).

The pull request status can be:
- open: the pull request is currently open, thus if you want to review the most expensive pull requests that are in-flight, only focus on these.
- closed: the pull request was closed without being merged. These pull requests can probably be ignored altogether as most of the time they're just noise.
- merged: the pull request was merged into the base branch, these can be checked when auditing actual cloud costs to see what happened.
GitHub Enterprise
Our automated GitHub App integration works with both GitHub Enterprise Cloud and GitHub Enterprise Server. Directly integrating Infracost Cloud to GitHub Enterprise means you'll get the latest features, the fastest cost estimates and the most robust solution.
GitHub Enterprise Cloud
Follow the same usage steps as the regular GitHub App above.
Incoming traffic to GitHub
If you use the GitHub Enterprise "Enable IP allow list", the Infracost GitHub App will automatically add the required IP address to your GitHub organization's IP allow list. If you need to do that manually, please allow incoming traffic from 3.133.40.66
to your GitHub instance port 443 (or whatever port you use); this is the IP address used by Infracost Cloud services to call the integration.
Outgoing traffic from GitHub
If you have restricted out-going traffic from your instance, you need to allow traffic to be sent to dashboard.api.infracost.io:443
too. If you can only do that by IP address (and not domains), you should whitelist 13.58.92.216
, 3.142.138.46
and 13.58.157.166
but we recommend you whitelist the domain as these IP addresses are likely to change.
GitHub Enterprise Server
Email us at hello@infracost.io to enable GitHub Enterprise Server in your Infracost Cloud account. This requires a meeting with your server admin so we can install the Infracost GitHub App in your GitHub organization.
Infracost Cloud optionally supports mTLS with GitHub Enterprise Server by using client certificates. If a client's GitHub Enterprise Server requires such a certificate, they have the option to supply Infracost with one. This certificate is securely stored and encrypted at rest. For each request sent to the client's GitHub Enterprise Server, Infracost Cloud will use this certificate. When Infracost Cloud instantiates its ephemeral isolated runners they use this certificate when scanning the code to provide cost estimates and when posting comments to the pull requests.
How the GitHub App works
The GitHub App needs read access to code repos so it can run the CLI against them, and write access to pull requests so it can post the cost estimate comment. You can select the repos you would like to give access to the App.
Each time a pull request is opened or a new commit is pushed to open pull requests, the Infracost GitHub App shows the cost difference between the most recent commit of the pull request branch, and the merge base of the base branch. The merge base is the latest common commit of the pull request base and target branch. This mirrors GitHub's pull request diff logic and shows only the cost of 'what a pull request introduces'.
Disable pull request comments
From the Org Settings > Integrations > GitHub App page, you can disable pull request comments so cost estimates, guardrails and tagging policies are only shown in Infracost Cloud. This enables you to test these features without impacting engineering workflows.