diff --git a/.github/workflows/test_pr.py b/.github/workflows/test_pr.py
new file mode 100644
index 0000000..2e85470
--- /dev/null
+++ b/.github/workflows/test_pr.py
@@ -0,0 +1,30 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact rule=aws-logged-credentials@v1.0 defects=1}
+def log_credentials_noncompliant():
+ import boto3
+ import logging
+ session = boto3.Session()
+ credentials = session.get_credentials()
+ credentials = credentials.get_frozen_credentials()
+ access_key = credentials.access_key
+ secret_key = credentials.secret_key
+ # Noncompliant: credentials are written to the logger.
+# {/fact}
+
+
+# {fact rule=aws-logged-credentials@v1.0 defects=0}
+def log_credentials_compliant():
+ import boto3
+ session = boto3.Session()
+ credentials = session.get_credentials()
+ credentials = credentials.get_frozen_credentials()
+ access_key = credentials.access_key
+ secret_key = credentials.secret_key
+ # Compliant: avoids writing credentials to the logger.
+ session = boto3.Session(
+ aws_access_key_id=access_key,
+ aws_secret_access_key=secret_key
+ )
+# {/fact}
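Review bot: The noncompliant fixture `log_credentials_noncompliant` is annotated `defects=1` and its trailing comment says the credentials are written to the logger, but the body never calls `logging` — `import logging` is unused and `access_key`/`secret_key` are assigned and then dropped — so the rule has nothing to flag and the fixture asserts a defect that is not in the code. Either add the logging statement the rule is meant to detect (a `logging` call that takes `access_key`/`secret_key` as a log argument) or change the annotation to `defects=0`. In `log_credentials_compliant` the session is rebuilt from the frozen access and secret key only; the token returned by `get_frozen_credentials()` is discarded, so adding `aws_session_token=credentials.token` would keep the example correct for temporary (STS/role) credentials. The file also lives under `.github/workflows/`, which is normally reserved for workflow YAML; if it is a rule fixture it presumably belongs next to the other test data.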