Pricing

from $0.25 / terraform plan safety check

Terraform Guard

Pre-apply Terraform and OpenTofu safety gate for AI agents and CI pipelines. Checks the exact plan JSON before apply and blocks risky database deletes, stateful replacements, public ingress, force-destroy buckets, and other production-impacting changes.

Pricing

from $0.25 / terraform plan safety check

Rating

0.0

(0)

Developer

Doron Aloni

Actor stats

Bookmarked

Total users

Monthly active users

7 days ago

Last modified

terraform-guard

AI-agent-native Terraform plan safety gate.

terraform-guard checks the JSON output of a Terraform/OpenTofu plan before apply and returns a deterministic verdict:

allow: no dangerous change detected
warn: risky change needs human review
block: likely data loss, exposure, outage, or privilege blast radius

It is designed for the new failure mode: coding agents can now edit infrastructure and may try to run terraform apply. This tool gives agents, CI systems, and humans a machine-readable pre-apply stop sign.

Quick Start

pip install -e ".[dev]"
terraform plan -out=tf.plan
terraform show -json tf.plan > plan.json
terraform-guard check plan.json --pro --format text

Write PR/CI artifacts:

terraform-guard check plan.json --pro \
  --markdown-file terraform-guard.md \
  --sarif-file terraform-guard.sarif \
  --json-file terraform-guard.json

CI-friendly exit codes:

0: allow
1: parse/input error
2: warn when --fail-on warn
3: block

MCP

Run the local MCP server:

$terraform-guard-mcp

MCP tool:

terraform_guard_check_plan(plan_json, ruleset)
terraform_guard_list_rules(ruleset)

Local Pro mode is gated by TFGUARD_LICENSE_KEY. The current offline demo accepts keys beginning with TFG-PRO-; production licensing must replace this with signed offline licenses or marketplace verification.

GitHub Action

This repository includes a root action.yml for GitHub Action distribution:

- run: terraform plan -input=false -out=tf.plan
- run: terraform show -json tf.plan > tfplan.json
- uses: your-org/terraform-guard@v0
  with:
    plan-path: tfplan.json
    pro: "true"
    fail-on: block
    upload-sarif: "true"

Examples:

docs/examples/github-action-plan-gate.yml
docs/examples/github-action-apply-gate.yml
docs/examples/gitlab-ci.yml
docs/examples/atlantis.yaml

The action writes JSON, Markdown, and SARIF reports under terraform-guard-output/.

Apify

This repo includes an Apify Actor scaffold:

.actor/actor.json
.actor/input_schema.json
.actor/output_schema.json
.actor/openapi.json
.actor/pay_per_event.json
Dockerfile

The Actor supports two modes:

normal Actor run: paste planJson, get a dataset/KV result
Standby mode: exposes a Streamable HTTP MCP endpoint at /mcp

Pay-per-event hooks are wired for:

terraform-plan-check
terraform-pro-ruleset

Configure the same events in Apify Console when publishing.

Rules

Free rules:

ID	Severity	Check
TFG001	block	Database delete
TFG002	block	Stateful resource replacement
TFG003	warn	Newly introduced public ingress
TFG004	block	Network delete or replacement

Pro rules:

ID	Severity	Check
TFG005	block	Deletion protection disabled
TFG006	block	Database replacement by broad type match
TFG007	warn	Backup retention reduced
TFG008	warn	Wildcard or broad administrative IAM
TFG009	block	Load balancer removed or replaced
TFG010	block	Force-destroy storage bucket
TFG011	warn	Object storage made public
TFG012	block	Encryption at rest disabled
TFG013	block	Cryptographic key deleted or replaced
TFG014	warn	Database made publicly reachable

Development

pip install -e ".[dev]"
pytest
ruff check .

Privacy

The core scanner runs locally and does not call cloud APIs. Terraform plans can contain sensitive infrastructure metadata, so local CLI/MCP and self-hosted CI should be the primary enterprise deployment path. Hosted Apify runs are best for demo, marketplace discovery, and teams comfortable uploading plan JSON.

Terraform Registry Scraper

crawlerbros/terraform-registry-scraper

Scrape the Terraform Registry - search modules and providers, or fetch details for specific modules/providers. Returns downloads, versions, descriptions, source URLs, and verification status.

Crawler Bros

5.0

Safety Gate Scraper — EU Product Recalls & Safety Alerts

studio-amba/safetygate-scraper

Extract product recalls and safety alerts from the EU Safety Gate (RAPEX) system. Dangerous product notifications covering all non-food consumer products.

Studio Amba

Cicd Cost Optimizer

fiery_dream/cicd-cost-optimizer

Analyze GitHub Actions, GitLab CI, Jenkins, and other CI/CD platforms for cost optimization opportunities. Identify expensive workflows, bottlenecks, and get actionable recommendations. First free CI/CD cost optimization tool.

Cody Churchwell

LinkedIn Easy Apply Bot — Auto-Apply with AI Filters

sunny_spade/linkedin-easy-apply-bot

Automatically applies to LinkedIn Easy Apply jobs matching your profile. Filters by language, role relevance, and Language fluency requirements. Fills all form fields using your profile data. Requires a valid LinkedIn session cookie.

NoCanDo

Automatically Apply to Upwork Jobs

big-brain.io/upwork-application

Pass a job application URL, Upwork login information, and messaging and automatically apply to a job. Pair with an Upwork's scraper to apply within minutes of a job being posted.

Big Brain

189

1.4

Linkedin Jobs Scraper 🚀 (Targeted, Bulk & Easy Apply)

bluephantom/linkedin-jobs-scraper

The ultimate LinkedIn Scraper. Bulk search 100s of cities & companies at once. Filter by 'Easy Apply', 'Remote/Hybrid', and 'Date'. Safe, fast, and 100% public data. Ideal for Lead Gen & Market Analysis.

BluePhantom

Linkedin Easy Apply

giovannibiancia/linkedin-easy-apply

Automatically fills out and submits LinkedIn Easy Apply job applications by reading the resume and intelligently selecting the correct answers.

Giovanni Bianciardi

Google Jobs Scraper — Salary, Apply Links & MCP-Ready

khadinakbar/google-jobs-scraper

Extract job listings from Google Jobs. Returns title, company, location, salary (parsed min/max), full description, apply link, employment type & more.

Khadin Akbar

105

Dataset Result Gate

vittuhy/dataset-result-gate

Conditional pipeline gate. Fails if the previous actor's dataset is empty, succeeds if it has results — stopping unnecessary downstream runs before they start.

Vít Tuhý

LinkedIn Job Listings Scraper

openclawai/linkedin-jobs-scraper-jobspy

Scrape LinkedIn jobs - Search by keyword, location, company, salary, posted-date, remote, easy-apply. Full descriptions, salary range, direct apply URLs. Multi-keyword search, auto-deduplication, pay only for results. No API key