Your first PR review
What DriftGuard analyses on every Terraform PR and how to read the results.
What triggers a review
DriftGuard listens for pull_request events with actions opened, synchronize, and reopened. Any PR that modifies a .tf or .tofu file triggers the pipeline. Non-Terraform PRs are skipped silently.
The PR comment anatomy
Risk score: 0–100, weighted by severity. ≥70 posts a failing check run that can block merge.
Cost delta: +€124/mo, the monthly delta from Infracost. Threshold configured in driftguard.yml.
Security findings: Checkov results mapped to DORA / NIS2 / ISO 27001 controls. Severity: critical → low.
Drift alert: Resources present in plan but missing from live state (or vice-versa) flagged as drift.
Memory recall: Top-3 similar past incidents with similarity score. Links to the original PR.
AI review: Claude summarises the full diff intent, blast radius, and suggested fixes.
GitHub Check Run
After posting the comment, DriftGuard creates a Check Run on the head commit — used as a required status check for branch protection rules.
✓ success: Risk < 40, safe to merge
◦ neutral: Risk 40–70, warnings, team decision
✗ failure: Risk ≥ 70, blocked. Configure branch protection to enforce.
Enable branch protection: Settings → Branches → Require status checks → DriftGuard.
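An added example (not DriftGuard's own code) that audits a GitHub branch-protection API response to confirm a failure conclusion actually blocks merges. It assumes the required check's context name is DriftGuard, as in the settings path above; the sample JSON and app ID are constructed.

```python
import json

REQUIRED_CHECK = "DriftGuard"  # assumption: context name as shown in the settings path

# Constructed sample in the shape of GET /repos/{owner}/{repo}/branches/{branch}/protection
SAMPLE_PROTECTION = json.loads("""
{
  "required_status_checks": {
    "strict": false,
    "contexts": ["DriftGuard", "unit-tests"],
    "checks": [
      {"context": "DriftGuard", "app_id": null},
      {"context": "unit-tests", "app_id": 12345}
    ]
  },
  "enforce_admins": {"enabled": false}
}
""")


def audit_protection(protection, check_name=REQUIRED_CHECK):
    """Return a list of findings; an empty list means the gate is enforced."""
    findings = []
    rsc = protection.get("required_status_checks")
    if not rsc:
        return ["no required status checks: a failure conclusion does not block merge"]
    # Older responses may carry only "contexts"; normalise to the "checks" shape.
    checks = rsc.get("checks") or [
        {"context": c, "app_id": None} for c in rsc.get("contexts", [])
    ]
    match = next((c for c in checks if c.get("context") == check_name), None)
    if match is None:
        findings.append(f"{check_name} is not a required check")
    elif match.get("app_id") in (None, -1):
        findings.append(f"{check_name} is not pinned to a GitHub App")
    if not rsc.get("strict"):
        findings.append("strict is off: a PR can merge without being up to date with its base")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append("enforce_admins is off: administrators can merge past a failing check")
    return findings


if __name__ == "__main__":
    for finding in audit_protection(SAMPLE_PROTECTION):
        print("FINDING:", finding)
```

GitHub treats a neutral conclusion as passing for required checks, so only the failure band is enforced by this gate.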
Turnaround time
P50 latency is ~18s. P99 is ~90s for large monorepos with multiple Terraform directories. The bottleneck is terraform init + plan — we run up to 3 directories in parallel.