TerraWatch - Terraform security that lives inside the pull request

by alejny

TerraWatch scans every Terraform PR, blocks the merge if it finds security issues, and posts the exact code fix in the PR comment. No YAML. No CLI. No Checkov. 2 minute setup. 29 AWS rules. Free during beta.

- Hardcoded diffs, not AI generated
- Nothing auto-applied, you review every fix
- Only reads changed .tf files, never your full codebase


alejny
Maker

Hey everyone! I'm Alejandro, and I built TerraWatch from scratch over the past few weeks.

The problem: IAM wildcards and public S3 buckets keep slipping through Terraform code review because existing tools (Checkov, tfsec) require CI config and don't live where developers actually work: in the PR.

TerraWatch installs as a GitHub App, scans every PR that touches .tf files, blocks the merge if it finds issues, and posts the exact code diff to fix each problem as a bot comment. The developer copies the fix, pushes, and the merge unblocks automatically.

Would love feedback from anyone using Terraform in production. What rules would you want to see added?
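For readers who want to see what the two checks named in the maker's comment (IAM wildcards, public S3 buckets) look like in code, here is a small stand-alone example. It is added here and is not TerraWatch's code; it assumes the IAM policy is written as a JSON heredoc (`policy = <<EOF ... EOF`), uses a deliberately naive resource-block splitter instead of a real HCL parser, and runs over a constructed `.tf` snippet embedded in the file. The public-ACL finding comes with a suggested fix rendered as a unified diff, which is the shape a PR bot comment would take; the IAM wildcard is only reported, because the least-privilege replacement depends on what the author actually meant to allow.

```python
"""Two PR-style Terraform checks with a suggested-fix diff.

Added example, not TerraWatch code. Assumptions: aws_iam_policy uses a JSON
heredoc for `policy`; resource blocks are split by naive brace matching
(good enough here because the JSON inside the heredoc is itself balanced).
"""
import difflib
import json
import re

# Constructed sample .tf for the demo; not taken from any real repository.
SAMPLE_TF = '''resource "aws_iam_policy" "deploy" {
  name   = "deploy"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_s3_bucket_acl" "logs" {
  bucket = aws_s3_bucket.logs.id
  acl    = "public-read"
}
'''

BLOCK_RE = re.compile(r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{')
HEREDOC_RE = re.compile(r'policy\s*=\s*<<-?(?P<tag>\w+)\n(?P<body>.*?)\n\s*(?P=tag)', re.S)
ACL_RE = re.compile(r'^(\s*acl\s*=\s*)"(?P<acl>[^"]+)"', re.M)
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def split_resources(tf):
    """Yield (type, name, block_text) for each top-level resource block."""
    for m in BLOCK_RE.finditer(tf):
        depth, i = 0, m.end() - 1          # index of the opening brace
        while i < len(tf):
            if tf[i] == "{":
                depth += 1
            elif tf[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        yield m.group("type"), m.group("name"), tf[m.start():i + 1]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def check_iam_wildcards(block_text):
    """Report Allow statements whose Action or Resource is the bare '*'."""
    findings = []
    m = HEREDOC_RE.search(block_text)
    if not m:
        return findings
    doc = json.loads(m.group("body"))
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for key in ("Action", "Resource"):
            if "*" in _as_list(stmt.get(key, [])):
                findings.append(f'Statement[{i}] allows {key} "*"')
    return findings


def fix_public_acl(block_text):
    """Return (finding, fixed_block) for a public ACL, else (None, block_text)."""
    m = ACL_RE.search(block_text)
    if not m or m.group("acl") not in PUBLIC_ACLS:
        return None, block_text
    fixed = block_text[:m.start()] + m.group(1) + '"private"' + block_text[m.end():]
    return f'acl = "{m.group("acl")}" makes the bucket public', fixed


def suggest_diff(original, fixed, path):
    """Unified diff of the whole file, as a bot would paste into a PR comment."""
    return "".join(difflib.unified_diff(
        original.splitlines(keepends=True), fixed.splitlines(keepends=True),
        fromfile=f"a/{path}", tofile=f"b/{path}"))


def scan(tf, path="main.tf"):
    """Run both checks over one .tf file; each result may carry a fix diff."""
    results = []
    for rtype, rname, text in split_resources(tf):
        addr = f"{rtype}.{rname}"
        if rtype == "aws_iam_policy":
            for f in check_iam_wildcards(text):
                results.append({"resource": addr, "finding": f, "diff": None})
        elif rtype == "aws_s3_bucket_acl":
            f, fixed = fix_public_acl(text)
            if f:
                fixed_tf = tf.replace(text, fixed, 1)
                results.append({"resource": addr, "finding": f,
                                "diff": suggest_diff(tf, fixed_tf, path)})
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_TF):
        print(f"[{r['resource']}] {r['finding']}")
        if r["diff"]:
            print(r["diff"])
```

The brace-matching splitter is the weak point of this sketch: it ignores braces inside quoted strings, so a production scanner would use a proper HCL parser, and it only handles the heredoc form of `policy`, not `jsonencode({...})` or `data "aws_iam_policy_document"`.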