Terraform PR review
Start a risk review
Use a hosted sample for the fastest walkthrough, attach GitHub PR context when available, or upload a Terraform plan JSON file for a real review.
Start from a GitHub PR
Paste a PR URL to fetch changed Terraform files and attach file/patch context to findings. In a private deployment, the webhook can start reviews automatically on PR open and synchronize events.
Try a hosted sample review
See risk score, graph progress, evidence, remediation, approval gates, and mock GitHub actions without uploading anything sensitive.
Best first demo
Block merge
Security risk review
Public SSH, public RDS, and wildcard IAM policy findings mapped to Terraform evidence.
Expected: Critical risk with public exposure evidence
Outcome: Shows why the PR should not merge until ingress, database exposure, and IAM scope are fixed.
Operational risk
Require operator approval
Production blast radius
Stateful replacement risk with rollback, backup, and approval checklist details.
Expected: High risk from stateful replacements
Outcome: Makes the reviewer check rollback, backups, deletion protection, and maintenance timing before merge.
Cost control
Review budget impact
Cost spike review
Large compute, NAT gateway, cost-center, and policy threshold checks.
Expected: Cost threshold exceeded
Outcome: Explains monthly impact, ownership gaps, and the approval path for expensive infrastructure.
Upload your own plan
Use this path when you already have a Terraform plan JSON file.
Plan privacy
Terraform plans can expose secrets, resource names, provider values, and topology. Hosted samples are safest for a quick trial; uploaded plans are redacted before AI review.
What happens after submit
Reviewer trust signals
Evidence before explanation
Rules parse the Terraform plan and attach JSON-path evidence before AI-assisted summaries are generated.
Approval before external writes
GitHub comments and suggested commits are drafted first, then blocked until a reviewer approves them.
Redacted reviewer inputs
Secret-like values, plan internals, and PR patch context are reduced before reviewer nodes use them.
Auditable demo history
Runs keep findings, check status, approval state, policy context, artifacts, and action history.
Private deployment checklist
Generate a plan file
terraform plan -out=tfplan.binary
terraform show -json tfplan.binary > tfplan.json
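The kind of rule check described under "Evidence before explanation", applied to a plan JSON like the tfplan.json generated above, as an added example (not this tool's own code): it flags the three finding types from the security sample and returns the JSON path of each offending value. The rule names, function names and sample plan are constructed for illustration.

```python
import json

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_public_exposure(plan):
    """Return (rule, address, json_path) tuples for a `terraform show -json` plan."""
    findings = []
    for i, rc in enumerate(plan.get("resource_changes", [])):
        after = rc.get("change", {}).get("after") or {}  # null when the resource is deleted
        base = f"$.resource_changes[{i}].change.after"
        if rc["type"] == "aws_security_group":
            for j, rule in enumerate(after.get("ingress") or []):
                proto = rule.get("protocol")
                lo, hi = rule.get("from_port") or 0, rule.get("to_port") or 0
                if not (proto == "-1" or (proto == "tcp" and lo <= 22 <= hi)):
                    continue  # rule does not cover SSH
                for key in ("cidr_blocks", "ipv6_cidr_blocks"):
                    for k, cidr in enumerate(rule.get(key) or []):
                        if cidr in OPEN_CIDRS:
                            path = f"{base}.ingress[{j}].{key}[{k}]"
                            findings.append(("public-ssh", rc["address"], path))
        elif rc["type"] == "aws_db_instance" and after.get("publicly_accessible") is True:
            findings.append(("public-rds", rc["address"], f"{base}.publicly_accessible"))
        elif rc["type"] == "aws_iam_policy":
            doc = json.loads(after.get("policy") or "{}")  # policy is a JSON string in the plan
            for stmt in _as_list(doc.get("Statement", [])):
                if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action", [])):
                    findings.append(("wildcard-iam", rc["address"], f"{base}.policy"))
    return findings

# Constructed sample plan, trimmed to the fields the rules read.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_security_group.bastion", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
         {"protocol": "tcp", "from_port": 22, "to_port": 22,
          "cidr_blocks": ["10.0.0.0/8", "0.0.0.0/0"]}]}}},
    {"address": "aws_db_instance.main", "type": "aws_db_instance",
     "change": {"actions": ["update"], "after": {"publicly_accessible": True}}},
    {"address": "aws_iam_policy.ci", "type": "aws_iam_policy",
     "change": {"actions": ["create"], "after": {"policy": json.dumps(
         {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}}},
    {"address": "aws_db_instance.old", "type": "aws_db_instance",
     "change": {"actions": ["delete"], "after": None}},
]}

if __name__ == "__main__":
    for finding in find_public_exposure(SAMPLE_PLAN):
        print(*finding, sep="  ")
```

Standalone `aws_security_group_rule` resources and values that are unknown until apply (listed under `after_unknown`) are not covered by this check and need their own rules.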
Runtime safeguards
This hosted environment runs the live review workflow while blocking anonymous users from expensive or external-write actions.
Cloudflare Workers
OpenNext SSR deployment
AWS API Gateway + Lambda
hwnk8hnyk1.execute-api.us-east-1.amazonaws.com
Neon / External Postgres
Terraform no longer recreates RDS
Demo access
No customer login required for samples
Approval gated
Mocked for anonymous visitors
Redacted evidence
Plan values reduced before summaries
Disabled here
Upload or sample plans only
Heuristic fallback
Infracost-ready adapter