I built a Terraform security scanner that lives inside GitHub PRs

alejny — Tue, 16 Jun 2026 06:30:15 +0000

The problem

IAM wildcards and public S3 buckets keep slipping through
Terraform code review. Tools like Checkov and tfsec exist
but they live in CI, require config files, and developers
ignore the output because it's not where they're working.

What I built

TerraWatch is a GitHub App that scans every pull request
that touches .tf files automatically. If it finds a security
issue it blocks the merge and posts the exact code fix as a
PR comment.

The developer sees something like this in their PR:

⚠️ PUBLIC_S3_BUCKET - main.tf (Line 6)
Severity: HIGH
Risk: S3 bucket allows public read access.
Fix:

acl = "public-read"
acl = "private"
block_public_acls = true
restrict_public_buckets = true

They copy the fix, push, and the merge unblocks automatically.

How it's different

No YAML, no CI config - installs in 2 minutes via GitHub App
Fixes are hardcoded diffs, not AI generated
Nothing auto-applied - you review every fix
No Checkov dependency - own lightweight rules engine
Only reads changed .tf files in the PR, never your full codebase

29 rules covering

S3 public access, IAM wildcards, open ports (SSH/RDP/MySQL/Postgres),
unencrypted EBS/RDS, public databases, hardcoded secrets,
EKS public endpoints, CloudTrail disabled, IMDSv1, and more.

Try it

Free during beta - terrawatch.dev

Also launching on Product Hunt today if you want to show some support!

DEV Community: alejny

I built a Terraform security scanner that lives inside GitHub PRs