DriftGuard reviews every Terraform & OpenTofu PR — written by humans or AI agents. We catch cost surprises, drift, security misconfigs, and compliance gaps — and remember every failure so your agents stop making the same mistake twice.
Four analysis engines run in parallel — cost delta (Infracost), security (Checkov), live drift (STS), and compliance mapping. Results appear in the PR within 2 seconds.
| Resource | Change | Finding | Cost | Gate |
|---|---|---|---|---|
| aws_rds_cluster.prod | db.r5.large→db.r5.4xlarge | Instance resize — 4× cost delta | +€480/mo | ✗ blocked |
| aws_s3_bucket.tf-state | Public access block removed | CKV_AWS_19 · NIS2 Art.21 · ISO 27001 A.8.24 | — | ✗ blocked |
| aws_security_group.web | Ingress 0.0.0.0/0 on port 22 | CKV_AWS_24 · DORA Art.9 | — | ⚠ warned |
| aws_lambda_function.api | 128 MB→256 MB | Memory increase — within threshold | +€2/mo | ✓ allowed |
DriftGuard intercepts, analyses, and gates in under 2 seconds, before the merge button is even available.
GitHub sends PR events to DriftGuard the instant an agent pushes. No polling.
Cost (Infracost), security (Checkov), drift (STS), and compliance run concurrently — not sequentially.
pgvector cosine search matches the diff against every prior incident. If this pattern broke prod before, it shows up.
A GitHub Check Run blocks the merge button. The agent cannot self-approve. Human review required above risk threshold 70.
DriftGuard is a GitHub App — no sidecar, no agent, no cloud access beyond read-only STS. The review pipeline runs on our infrastructure. Your Terraform never moves.
Any Terraform or OpenTofu PR — written by an engineer or AI agent — triggers DriftGuard. We read terraform plan, infracost output, and security scans.
The change embedding is matched against past failures across your team. If a similar incident exists, the PR comment cites it — with similarity score and link to the original incident.
OPA‑compatible policies enforce allowed actions per environment, resource class, and risk score. Block merges, warn reviewers, or auto‑approve safe changes.
Single high‑signal PR comment: cost delta, drift, security findings, compliance evidence (DORA / NIS2 / ISO 27001) — and citations to past failures.
Merge result and post‑deploy state become new memory. Your agents and engineers get sharper every day.
Every incident — blocked deploy, drift event, policy violation — becomes a 384-d vector. When an AI agent submits a similar pattern weeks later, DriftGuard surfaces the original incident with a similarity score before the merge button is available.
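The recall step described above, as an added illustration that is not DriftGuard's code: each incident is embedded once, a new change is compared against every stored vector by cosine similarity, and the best match above a threshold is cited with its score. The 384-dimension size and the pgvector lookup come from the page; the embedding below is a toy vocabulary-indexed bag of words standing in for a real sentence-embedding model, and the incident records, the `threshold` value and the `cite` wording are constructed for the example.

```python
"""Incident recall by cosine similarity: added example, not DriftGuard's code.
The embedding is a toy stand-in for a sentence-embedding model; incident rows
are constructed sample data."""
import math
import re

DIM = 384
_vocab = {}  # token -> dimension index, assigned on first sight (toy)


def embed(text):
    """Unit-length bag-of-words vector in DIM dimensions.
    Tokens beyond DIM wrap around, which a real model would not need."""
    vec = [0.0] * DIM
    for tok in re.findall(r"[a-z0-9_./*-]+", text.lower()):
        idx = _vocab.setdefault(tok, len(_vocab)) % DIM
        vec[idx] += 1.0
    norm = math.sqrt(sum(v * v for v in vec)) or 1.0
    return [v / norm for v in vec]


def cosine(a, b):
    """Cosine similarity; embed() already returns unit-length vectors."""
    return sum(x * y for x, y in zip(a, b))


# Constructed incident memory: one row per blocked deploy / drift event.
# With pgvector the same lookup is a single query, e.g.
#   SELECT id, 1 - (embedding <=> $1) AS similarity FROM incidents
#   ORDER BY embedding <=> $1 LIMIT 1;      -- <=> is pgvector's cosine distance
INCIDENTS = [
    {"id": "rds.delete.prod", "date": "2026-04-22",
     "summary": "aws_rds_cluster prod delete skip_final_snapshot false"},
    {"id": "s3.public.tf-state", "date": "2026-03-02",
     "summary": "aws_s3_bucket tf-state public access block removed"},
]
for inc in INCIDENTS:
    inc["embedding"] = embed(inc["summary"])


def recall(change_summary, incidents=INCIDENTS, threshold=0.75):
    """Return (incident, similarity) for the closest past incident at or above
    threshold, or None when nothing similar has been recorded."""
    if not incidents:
        return None
    query = embed(change_summary)
    best = max(incidents, key=lambda inc: cosine(query, inc["embedding"]))
    score = cosine(query, best["embedding"])
    return (best, score) if score >= threshold else None


def cite(change_summary):
    """PR-comment line citing the recalled incident, or a no-match note."""
    hit = recall(change_summary)
    if hit is None:
        return "No similar past incident in memory."
    inc, score = hit
    return f"Similar to {inc['id']} ({inc['date']}), cos {score:.2f}"


if __name__ == "__main__":
    print(cite("aws_rds_cluster prod delete skip_final_snapshot true"))
    print(cite("aws_lambda_function api memory 128 256"))
```

The threshold is the design knob: too low and every RDS change cites the old deletion incident, too high and a near-repeat with one changed attribute is missed. With the toy embedding a four-of-five token overlap scores 0.80, which is why the sample threshold sits at 0.75.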
Cost intelligence, live drift detection, security scanning, compliance evidence, semantic memory, and AI-native analysis — all triggered by a PR, all without changing your Terraform workflow.
Infracost-powered monthly cost diff per resource. Threshold-based blocks. No surprises in the AWS bill at the end of the month.
aws_rds_cluster.prod db.r5.large → db.r5.4xlarge +€480/mo · threshold exceeded → BLOCKED
Compares the PR's terraform plan against the real cloud state. Catches manual changes, orphan resources, and out-of-band edits before merge.
aws_security_group.web-sg Ingress 0.0.0.0/0 added via Console → DRIFT DETECTED · 3h ago
Checkov + AI triage. 255 rules mapped to compliance controls. Public S3 buckets, wildcard IAM, missing encryption — flagged with fix suggestions.
aws_s3_bucket.tf-state Public access block removed CKV_AWS_19 · NIS2 Art.21 → BLOCKED
Every blocked deploy and compliance violation embedded and indexed. Open a similar PR — the original incident appears in the comment.
rds.delete.prod recalled cos 0.94 · 2026-04-22 → Same misconfig blocked twice
Each finding mapped to compliance controls. Audit evidence collected on every PR — no extra workflow, no questionnaires.
DORA Art.11 · NIS2 Art.21 ISO 27001 A.8.8 · CIS v8 → Evidence exported automatically
AI agents (Cursor, Devin, Claude Code) write half your IaC. DriftGuard treats them like junior engineers: reviewed, mentored, fast-tracked when safe.
agent.cursor opened PR #847 23 resources · risk 84/100 → 2 critical findings · BLOCKED
Measurable guarantees on every Terraform PR — coverage, accuracy, and latency.
GitHub App + repo config. No SDK, no rewrites, no infrastructure changes. Optional CLI for local pre-flight.
```yaml
# .github/driftguard.yml
# DriftGuard config — committed to your repo
policy:
  blast_radius: prod
  block:
    - aws_rds_cluster.*.delete
    - aws_iam_policy.*.resources=*
  warn:
    - aws_security_group.ingress.0.0.0.0/0
memory:
  retention: 365d
  cite_in_pr: true  # cite past incidents in PR comments
compliance:
  frameworks: [DORA, NIS2, ISO27001]
  evidence: ./compliance/evidence
cost:
  threshold_monthly_usd: 500
  block_above: 5000
```

Start free. Add repos as you grow. Cancel anytime.
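How a gate of this kind turns the policy above into the blocked / warned / allowed verdicts shown in the PR table, as an added example that is not DriftGuard's own implementation: the block and warn patterns and the cost thresholds are taken from the config, the pattern syntax (shell-style globs matched against `<address>.<action>` and `<address>.<attribute>=<value>`), the `risk_threshold` key, the `Change` record and the sample changes are assumptions made for the example, and the policy is held as a dict rather than loaded from YAML so it runs on the standard library alone.

```python
"""Policy gate evaluator: added example, not DriftGuard's code. Pattern
syntax, the risk_threshold key and the Change record are assumptions."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Policy in the shape of the YAML above (a real loader would read the file).
POLICY = {
    "policy": {
        "block": ["aws_rds_cluster.*.delete", "aws_iam_policy.*.resources=*"],
        "warn": ["aws_security_group.ingress.0.0.0.0/0"],
    },
    "cost": {"threshold_monthly_usd": 500, "block_above": 5000},
    "risk_threshold": 70,  # assumed key; the page says human review above 70
}

_RANK = {"allowed": 0, "warned": 1, "blocked": 2}


@dataclass
class Change:
    """One resource change from a terraform plan plus upstream findings."""
    address: str                    # e.g. aws_rds_cluster.prod
    action: str                     # create / update / delete
    cost_delta_usd: float = 0.0     # monthly delta from the cost engine
    attributes: dict = field(default_factory=dict)  # flattened plan attributes
    risk: int = 0                   # 0-100 score from the risk analysis


def _facts(change):
    """Strings a policy pattern is matched against for this change."""
    rtype = change.address.split(".")[0]
    yield f"{change.address}.{change.action}"      # aws_rds_cluster.prod.delete
    for key, value in change.attributes.items():
        yield f"{change.address}.{key}={value}"    # aws_iam_policy.admin.resources=*
        yield f"{rtype}.{key}.{value}"              # aws_security_group.ingress.0.0.0.0/0


def _worse(a, b):
    return a if _RANK[a] >= _RANK[b] else b


def gate(change, policy=POLICY):
    """Return (verdict, reasons) for one change: 'blocked', 'warned' or 'allowed'."""
    verdict, reasons = "allowed", []
    facts = list(_facts(change))
    for level in ("block", "warn"):
        for pattern in policy["policy"][level]:
            if any(fnmatchcase(f, pattern) for f in facts):
                verdict = _worse(verdict, "blocked" if level == "block" else "warned")
                reasons.append(f"{level} rule {pattern}")
    cost = policy["cost"]
    if change.cost_delta_usd > cost["block_above"]:
        verdict = "blocked"
        reasons.append(f"cost +${change.cost_delta_usd:.0f}/mo above block_above")
    elif change.cost_delta_usd > cost["threshold_monthly_usd"]:
        verdict = _worse(verdict, "warned")
        reasons.append(f"cost +${change.cost_delta_usd:.0f}/mo above threshold")
    if change.risk > policy["risk_threshold"]:
        verdict = "blocked"
        reasons.append(f"risk {change.risk} above threshold: human review required")
    return verdict, reasons


def check_run_conclusion(changes, policy=POLICY):
    """Fold per-change verdicts into one GitHub Check Run conclusion.
    'failure' keeps the merge button blocked under branch protection."""
    worst = "allowed"
    for change in changes:
        worst = _worse(worst, gate(change, policy)[0])
    return "failure" if worst == "blocked" else "success"


if __name__ == "__main__":
    # Constructed sample changes, not taken from a real plan.
    sample = [
        Change("aws_rds_cluster.prod", "delete"),
        Change("aws_security_group.web", "update", attributes={"ingress": "0.0.0.0/0"}),
        Change("aws_lambda_function.api", "update", cost_delta_usd=2),
        Change("aws_eks_cluster.main", "update", risk=84),
    ]
    for c in sample:
        print(c.address, *gate(c))
    print("check run:", check_run_conclusion(sample))
```

The verdict only ever gets worse across rules, so a warn pattern cannot downgrade a block, and any single blocked change fails the whole Check Run; that is the property that stops an agent from self-approving its own PR.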
Self-host the analyzer. Community policies.
Production PR reviews for human and agent contributors.
Self-hosted, air-gapped, regulated environments.
All plans include SOC 2 Type II (Q4 2026) · GDPR-native · EU data residency