Building a DevSecOps Terraform Review Loop with Checkov, Infracost, and AI

Jacky Ho — Tue, 16 Dec 2025 07:22:30 +0000

Introduction

When I design Terraform pipelines, I am rarely satisfied with a simple “terraform plan succeeded.” A green plan tells me that syntax is valid and providers are reachable—but it says nothing about whether I am about to merge a security misconfiguration, introduce unnecessary cost, or miss an architectural concern that will only surface after deployment.

What I want instead is immediate, structured feedback at pull-request time:

Security misconfigurations identified before human review,
Cost impact quantified before merge, and
Actionable guidance delivered directly where engineers already collaborate—the PR itself.

This project is my attempt to codify that expectation into a repeatable DevSecOps pattern for Terraform. The reference implementation uses Amazon EKS purely to keep the example concrete, but the workflow itself is infrastructure-agnostic. Whether the stack provisions VPCs, databases, or serverless components, the same review loop applies.

Why Checkov and Infracost?

Terraform is intentionally declarative and provider-focused. That is its strength—but it also means Terraform has no native awareness of security policy or financial impact.

Security Context with Checkov

Without an external scanner, Terraform will happily apply configurations such as:

security groups open to 0.0.0.0/0,
EKS clusters without secrets encryption etc.

Checkov addresses this gap by scanning Terraform code against predefined and custom policies. Every pull request triggers a scan and produces structured JSON output (checkov.json) containing rule IDs, affected resources, and file locations.

Cost Awareness with Infracost

Cost is the other blind spot in most Terraform workflows. Small configuration changes can translate into significant monthly spend, yet the impact often remains invisible until after deployment.

Infracost analyzes the Terraform plan and produces a machine-readable cost diff (infracost.json). Before merging, reviewers can clearly see estimated monthly deltas and which resources drive them.

Together, Checkov and Infracost ensure that both security and financial considerations enter the review process at the same time as functional correctness.

Where AI Fits

The AI component of this project is intentionally narrow in scope. I did not want a conversational summary or a vague “best practices” bot. Instead, the goal was deterministic, structured assistance.

The AI reviewer ingests three inputs simultaneously:

Checkov findings (checkov.json),
Terraform plan JSON (plan.json),
Infracost cost data (infracost.json).

Using a tightly scoped prompt (llm/review_prompt.md) and a strict response schema (llm/review_schema.json), the model is required to return JSON only. Wherever possible, it includes concrete Terraform HCL snippets that resolve the identified issue.

For example, when Checkov flags a missing EKS encryption configuration (e.g., CKV_AWS_58), the AI response includes the exact encryption_config block that can be pasted directly into the module. Cost deltas above a defined threshold (for example, $20 or 10%) are explicitly highlighted, along with any assumptions made during estimation.

Because the output is structured, it becomes composable. Today it renders as a rich pull-request comment; tomorrow it could just as easily drive Jira tickets, Slack notifications, or even automated patch proposals.

Technical Stack

Terraform modules under /modules
EKS cluster and node groups
S3 backend bucket
GitHub OIDC IAM role
Bootstrap layer (infra/bootstrap): Provisions the S3 backend and IAM role. State keys follow state//terraform.tfstate.
GitHub Actions workflow: .github/workflows/terraform-eks-devsecops.yml, running on a self-hosted Ubuntu runner with Node.js, Python, Terraform, Checkov, and supporting CLI tools.
Authentication: AWS access via GitHub OIDC (aws-actions/configure-aws-credentials@v4).
Artifacts: checkov.json, plan.json, infracost.json, and ai_output.json uploaded for traceability.

Workflow Walkthrough

Format and validate Terraform code with terraform fmt and terraform validate.
Run Checkov and capture policy violations without blocking iteration.
Initialize backend and generate plan, exporting plan.json.
Run Infracost to calculate cost deltas.
Build AI input payload using jq.
Invoke AI reviewer via scripts/call_llm.py.
Post structured PR comment with findings, cost overview, and HCL fixes.
Upload artifacts for auditability.

Repository

Source code available on GitHub Repository:
https://github.com/JackyHOz/Building-a-DevSecOps-Terraform-Review-Loop/

Closing Thoughts

This project demonstrates that Terraform reviews can go far beyond syntax validation. By integrating policy-as-code, cost estimation, and narrowly scoped AI assistance, infrastructure reviews become faster, more informative, and easier to audit.

EKS is simply the demo surface. The real value is the repeatable review loop: security insight, cost visibility, and concrete remediation guidance—delivered before infrastructure ever reaches production.

DEV Community: Jacky Ho