Terraform security · GitHub native · Zero config

The PR that ships a vulnerability never merges.

TerraWatch catches Terraform misconfigurations before they hit AWS, blocks the merge, and posts the exact fix — all inside GitHub.

29 security rules · <30s scan time · zero config · 100% GitHub native
Process

PR open to merge blocked in under 30 seconds

No YAML. No agents. No config files. Install the GitHub App and push.

01 [PR] Developer opens a PR

Any pull request touching .tf files triggers TerraWatch automatically via GitHub webhooks. No opt-in, no labels.

02 [SCAN] TerraWatch scans the diff

The engine parses every changed Terraform resource and runs all 29 security rules against it. Scan completes in under 30 seconds.

03 [BLOCK] Merge is hard-blocked

A required GitHub status check fails. The merge button is locked — no override, no bypass — until every critical finding is resolved.

04 [FIX] Bot posts the exact fix

TerraWatch comments the precise change needed — rule ID, severity, file, line, and a copy-paste diff — so fixes take minutes, not days.

Features

Everything your security team actually needs

Built for teams who ship fast and can't afford a separate security review cycle.

Zero configuration

Install the GitHub App. That's it. No config files, no YAML, no agents to deploy or maintain. Works on the first PR you open.

💬 Fix in the comment

Every finding includes the precise code change needed — with the file name, line number, and a ready-to-apply before/after diff block.

🔒 Hard merge blocks

Critical findings lock the merge button via required GitHub status checks. There is no override button. Vulnerabilities cannot slip through.

📊 Security dashboard

Track every open finding across all repos — severity breakdown, fix velocity, team trends — in a single engineering-grade dashboard.

📋 29 battle-tested rules

Covering S3, IAM, RDS, EC2, VPC, EKS, Lambda, CloudFront, and more. Every rule was written for real-world AWS + Terraform stacks.

🔐 Privacy by design

TerraWatch never stores your Terraform code. We read the PR diff, scan in memory, and discard it immediately. Your infra stays yours.

Coverage

29 rules. Built for AWS.

Every rule ships on day one. No config, no plugin installs, no rule packs to manage.

TW-S3-001 · S3 bucket public ACL
TW-S3-002 · S3 versioning disabled
TW-IAM-001 · IAM wildcard permissions
TW-IAM-002 · Root account API keys
TW-RDS-001 · RDS publicly accessible
TW-EC2-001 · Security group 0.0.0.0/0 ingress
TW-KMS-001 · KMS key rotation disabled
TW-S3-003 · S3 server-side encryption off
TW-IAM-003 · IAM password policy weak
TW-RDS-002 · RDS storage unencrypted
TW-RDS-003 · RDS automated backup disabled
TW-EC2-002 · EC2 IMDSv1 enabled
TW-VPC-001 · VPC flow logs disabled
TW-CF-001 · CloudFront HTTPS not enforced
TW-ECS-001 · ECS task definition privileged
TW-S3-004 · S3 access logging disabled
TW-EC2-003 · EC2 detailed monitoring off
TW-EKS-001 · EKS control plane logging off
TW-EKS-002 · EKS public endpoint enabled
TW-LAMBDA-001 · Lambda plaintext env secrets
TW-SNS-001 · SNS topic unencrypted
TW-SQS-001 · SQS queue unencrypted
TW-ELB-001 · ELB access logs disabled
TW-CW-001 · CloudWatch log retention unset
TW-SECRETS-001 · Hardcoded credentials detected
TW-TAG-001 · Missing required resource tags
TW-EC2-004 · EC2 termination protection off
TW-RDS-004 · RDS minor version upgrade off
TW-BACKUP-001 · No AWS Backup plan defined

Workflow

The fix lives in the PR.

No Jira ticket. No Slack thread. No "check the security doc." TerraWatch posts a bot comment with the precise change needed — rule ID, severity, resource name, file location, and a diff that can be applied in 30 seconds.

Developer pushes the fix, TerraWatch re-scans automatically, merge button goes green. Done.

Context switching kills velocity. Keeping the finding and the fix inside the PR — where the work already is — means your team spends time shipping, not triaging.

terrawatch-bot (bot)
🔴 [TW-S3-001] CRITICAL · S3 bucket allows public ACL
Resource aws_s3_bucket.user_uploads (main.tf:14)
acl = "public-read" makes every object in this bucket publicly accessible via S3 URL — including objects uploaded in the future. This is a leading cause of data exposure incidents.
Suggested fix (main.tf):

  12  resource "aws_s3_bucket" "user_uploads" {
  13    bucket = "acme-user-uploads-prod"
- 14    acl    = "public-read"
+ 14    acl    = "private"
  15  }
  16
  17  resource "aws_s3_bucket_public_access_block" "user_uploads" {
  18    bucket                  = aws_s3_bucket.user_uploads.id
  19    block_public_acls       = true
  20    block_public_policy     = true
  21    restrict_public_buckets = true
  22  }

🟠 [TW-RDS-001] HIGH · RDS instance publicly accessible
Resource aws_db_instance.main (database.tf:8)
publicly_accessible = true exposes the database port to the public internet.
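To make the scan step concrete, here is an added example (not TerraWatch's own code) of the kind of rule engine that turns the two findings in the bot comment above into rule ID, severity, resource and file:line, and then decides whether the merge is blocked. The sample .tf content, the rule table and the brace-depth parser are constructed for this illustration; only the rule IDs and severities are taken from the page.

```python
import re

# Constructed sample of the .tf content in a PR diff (not from the page or TerraWatch).
SAMPLE_TF = '''\
resource "aws_s3_bucket" "user_uploads" {
  bucket = "acme-user-uploads-prod"
  acl    = "public-read"
}

resource "aws_db_instance" "main" {
  identifier          = "prod-db"
  publicly_accessible = true
}

resource "aws_s3_bucket" "logs" {
  bucket = "acme-logs"
  acl    = "private"
}
'''

# Hypothetical rule table modelled on the bot comment: (rule id, severity, resource type, attribute, insecure-value regex, fix).
RULES = [
    ("TW-S3-001", "CRITICAL", "aws_s3_bucket", "acl", re.compile(r'"public-read(-write)?"'), 'acl = "private"'),
    ("TW-RDS-001", "HIGH", "aws_db_instance", "publicly_accessible", re.compile("true"), "publicly_accessible = false"),
]
RESOURCE_RE = re.compile(r'\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'\s*(\w+)\s*=\s*(.+?)\s*$')


def scan(tf_text, filename="main.tf"):
    """Track the enclosing top-level resource block by brace depth; report attributes matching a rule."""
    findings, current, depth = [], None, 0
    for lineno, line in enumerate(tf_text.splitlines(), 1):
        m = RESOURCE_RE.match(line)
        if m and depth == 0:
            current = m.groups()                     # (type, name) of this resource
        elif current is not None and (kv := ATTR_RE.match(line)):
            key, value = kv.groups()
            for rule_id, sev, rtype, attr, bad, fix in RULES:
                if current[0] == rtype and key == attr and bad.fullmatch(value):
                    findings.append({"rule": rule_id, "severity": sev, "fix": fix,
                                     "resource": f"{current[0]}.{current[1]}",
                                     "location": f"{filename}:{lineno}"})
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None                           # left the resource block
    return findings


def merge_blocked(findings):
    """Mirror the required status check: any CRITICAL finding locks the merge button."""
    return any(f["severity"] == "CRITICAL" for f in findings)
```

Running `scan(SAMPLE_TF)` yields the S3 finding at main.tf:3 and the RDS finding at main.tf:8; the private "logs" bucket produces nothing, and `merge_blocked` returns True because of the CRITICAL S3 finding.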
Pricing

Start free. Grow without friction.

No contracts. No seat minimums. Cancel any time.

Free
$0
forever · no credit card
  • 2 repositories
  • All 29 security rules
  • PR comments with fix diffs
  • Hard merge blocks
  • Community support
Get started free
Growth
$29 / dev / mo
billed monthly
  • Everything in Starter
  • Custom rule configuration
  • Severity threshold control
  • Slack & PagerDuty alerts
  • SAML SSO
  • Priority support + SLA
Start 14-day free trial