The problem
IAM wildcards and public S3 buckets keep slipping through
Terraform code review. Tools like Checkov and tfsec exist,
but they live in CI, require config files, and developers
ignore the output because it isn't where they're working.
What I built
TerraWatch is a GitHub App that automatically scans every pull
request that touches .tf files. If it finds a security issue it
blocks the merge and posts the exact code fix as a PR comment.
The developer sees something like this in their PR:
⚠️ PUBLIC_S3_BUCKET - main.tf (Line 6)
Severity: HIGH
Risk: S3 bucket allows public read access.
Fix:
- acl = "public-read"
+ acl = "private"
+ block_public_acls = true
+ restrict_public_buckets = true
They copy the fix, push, and the merge unblocks automatically.
One caveat when applying that diff: in the AWS provider,
block_public_acls and restrict_public_buckets are arguments of
aws_s3_bucket_public_access_block, not of aws_s3_bucket, so the
last two lines belong in a separate resource that references the
bucket, and since provider v4 the acl argument on aws_s3_bucket is
deprecated in favour of aws_s3_bucket_acl.
How it's different
- No YAML, no CI config - installs in 2 minutes via GitHub App
- Fixes are hardcoded diffs, not AI generated
- Nothing auto-applied - you review every fix
- No Checkov dependency - own lightweight rules engine
- Only reads changed .tf files in the PR, never your full codebase
29 rules covering
S3 public access, IAM wildcards, open ports (SSH/RDP/MySQL/Postgres),
unencrypted EBS/RDS, public databases, hardcoded secrets,
EKS public endpoints, CloudTrail disabled, IMDSv1, and more.
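To make the mechanism above concrete (scan the changed .tf file, match resource blocks against a small rule set, emit a hardcoded diff per finding), here is an added example written for this page. It is not TerraWatch's code, whose implementation the post does not show: a regex-based scanner with four rules from the categories listed above (public S3 ACL, IAM Action "*", SSH open to the world, IMDSv1). The rule ids, severities, fix text and the sample main.tf are all constructed here and are assumptions, not TerraWatch output.

```python
"""Minimal Terraform rule engine: an added illustration, not TerraWatch's own code."""
import re
from collections import namedtuple
# rule id, severity, resource address, 1-based line of the block, risk text, hardcoded fix
Finding = namedtuple("Finding", "rule severity resource line risk fix")
RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')

def _block_end(src, open_idx):
    """Index just past the brace closing src[open_idx]; naive, assumes balanced braces."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return i + 1
    raise ValueError("unbalanced braces")

def resources(src):
    """Yield (type, name, body, line) for every top-level resource block."""
    for m in RESOURCE_RE.finditer(src):
        end = _block_end(src, m.end() - 1)
        yield m.group(1), m.group(2), src[m.end():end - 1], src.count("\n", 0, m.start()) + 1

def nested(body, label):
    """Yield the bodies of nested blocks such as `ingress { ... }`."""
    for m in re.finditer(r"\b%s\s*\{" % re.escape(label), body):
        yield body[m.end():_block_end(body, m.end() - 1) - 1]

def ssh_open_to_world(body):
    """True if an ingress rule admits 0.0.0.0/0 or ::/0 on a port range covering 22."""
    for rule in nested(body, "ingress"):
        if not re.search(r'"(0\.0\.0\.0/0|::/0)"', rule):
            continue
        ports = dict(re.findall(r"(from_port|to_port)\s*=\s*(\d+)", rule))
        if int(ports.get("from_port", 65536)) <= 22 <= int(ports.get("to_port", -1)):
            return True
    return False

# (id, severity, resource types, predicate over the block body, risk, hardcoded fix)
RULES = [
    ("PUBLIC_S3_BUCKET", "HIGH", {"aws_s3_bucket", "aws_s3_bucket_acl"},
     lambda b: re.search(r'acl\s*=\s*"public-read(-write)?"', b),
     "S3 bucket allows public read access.",
     '-  acl = "public-read"\n+  acl = "private"\n+  # plus an aws_s3_bucket_public_access_block:\n'
     "+  block_public_acls       = true\n+  restrict_public_buckets = true"),
    ("IAM_WILDCARD_ACTION", "HIGH", {"aws_iam_policy", "aws_iam_role_policy"},
     lambda b: re.search(r'"?Action"?\s*[:=]\s*\[?\s*"\*"', b),
     'Policy grants Action "*" (full administrative access).',
     '-  Action = "*"\n+  Action = ["s3:GetObject"]  # list only the calls the role needs'),
    ("OPEN_SSH_PORT", "HIGH", {"aws_security_group"}, ssh_open_to_world,
     "Port 22 reachable from the whole internet.",
     '-  cidr_blocks = ["0.0.0.0/0"]\n+  cidr_blocks = ["10.0.0.0/8"]  # bastion/VPN range'),
    ("IMDSV1_ENABLED", "MEDIUM", {"aws_instance", "aws_launch_template"},
     lambda b: not re.search(r'http_tokens\s*=\s*"required"', b),
     "Instance metadata reachable without a session token (IMDSv1).",
     '+  metadata_options {\n+    http_tokens = "required"\n+  }'),
]

def scan(src):
    out = []  # findings come back in file order
    for rtype, name, body, line in resources(src):
        for rule_id, sev, types, check, risk, fix in RULES:
            if rtype in types and check(body):
                out.append(Finding(rule_id, sev, f"{rtype}.{name}", line, risk, fix))
    return out

def render(f, filename="main.tf"):
    return f"{f.rule} - {filename} (Line {f.line})\nSeverity: {f.severity}\nRisk: {f.risk}\nFix:\n{f.fix}"

# Constructed sample: a .tf file as a developer might push it in a PR.
BAD_TF = '''\
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
}
resource "aws_iam_policy" "admin" {
  policy = jsonencode({ Statement = [{ Effect = "Allow", Action = "*", Resource = "*" }] })
}
resource "aws_security_group" "web" {
  ingress {
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_instance" "app" {
  instance_type = "t3.micro"
}
'''
# The same file with the four suggested fixes applied; it should scan clean.
GOOD_TF = (BAD_TF.replace('"public-read"', '"private"')
           .replace('Action = "*"', 'Action = ["s3:GetObject"]')
           .replace('"0.0.0.0/0"', '"10.0.0.0/8"')
           .replace('"t3.micro"', '"t3.micro"\n  metadata_options { http_tokens = "required" }'))

if __name__ == "__main__":
    for finding in scan(BAD_TF):
        print(render(finding), end="\n\n")
    print("findings after fixes:", scan(GOOD_TF))
```

Two design points worth noting. Each rule carries its fix as a fixed string next to its check, which is what makes "hardcoded diffs, not AI generated" cheap to guarantee. And the block matcher is deliberately crude (regex plus brace counting, no HCL parser), which is fine for hand-written files but will misfire on unbalanced braces inside strings or on attributes set through variables and modules; a tool meant for production use should parse HCL properly and should flag service wildcards such as "s3:*" as well as the bare "*" shown here.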
Try it
Free during beta - terrawatch.dev
Also launching on Product Hunt today if you want to show some support!