TerraWatch: GitHub App that scans Terraform PRs and posts the exact fix in a comment

alejny · 1 pts · 0 comments

TerraWatch — Terraform Security for GitHub PRs

Terraform security · GitHub native · Zero config

The PR that ships a vulnerability never merges.

TerraWatch catches Terraform misconfigurations before they hit AWS, blocks the merge, and posts the exact fix — all inside GitHub.


No AI-generated fixes · Nothing auto-applied · No Checkov dependency · Only scans PR diffs — never your full codebase

github.com/acme-corp/infra/pull/247

feat: add S3 bucket for user upload storage

Open

alex-chen wants to merge 3 commits into main from feat/s3-uploads

All checks passed
TerraWatch · Scanning Terraform changes…
TerraWatch · 2 critical findings — merge blocked

Merge pull request

terrawatch-bot · bot · just now

🔴 [TW-S3-001] CRITICAL — S3 bucket allows public ACL
Resource aws_s3_bucket.user_uploads in main.tf:14 — acl = "public-read" exposes every object publicly. Apply the fix below and push.

main.tf · suggested fix

    14   - acl = "public-read"
    14   + acl = "private"
    15   +
    16   + block_public_acls = true
    17   + block_public_policy = true
    18   + restrict_public_buckets = true

Note: in the Terraform AWS provider, block_public_acls, block_public_policy and restrict_public_buckets are arguments of a separate aws_s3_bucket_public_access_block resource that references the bucket, not of aws_s3_bucket itself; the mock-up above compresses the two resources into one diff.

29 security rules · Scan time · Zero config · 100% GitHub native

Process

PR open to merge blocked in under 30 seconds

No YAML. No agents. No config files. Install the GitHub App and push.

01 [PR] Developer opens a PR

Any pull request touching .tf files triggers TerraWatch automatically via GitHub webhooks. No opt-in, no labels.

02 [SCAN] TerraWatch scans the diff

The engine parses every changed Terraform resource and runs all 29 security rules against it. Scan completes in under 30 seconds.

03 [BLOCK] Merge is hard-blocked

A required GitHub status check fails. The merge button is locked — no override, no bypass — until every critical finding is resolved.

04 [FIX] Bot posts the exact fix

TerraWatch comments the precise change needed — rule ID, severity, file, line, and a copy-paste diff — so fixes take minutes, not days.
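As an added illustration of the four steps above (not TerraWatch's own code; the two rules, their regexes, the Finding layout and the sample diff are all constructed here), a minimal scanner that walks a PR's unified diff, tracks the new-side line number and the enclosing resource, checks only added lines against rules named like the page's TW-S3-001 and TW-EC2-001, and renders each finding as a comment carrying rule ID, severity, resource, file:line and the suggested fix:

```python
import re
from collections import namedtuple
# Rules styled after the page's catalogue (hypothetical regex checks, not TerraWatch's engine):
# rule id, severity, enclosing block required (or None), pattern, title, suggested fix.
RULES = [
    ("TW-S3-001", "CRITICAL", None, re.compile(r'^\s*acl\s*=\s*"public-read(-write)?"'),
     "S3 bucket allows public ACL", 'acl = "private"'),
    ("TW-EC2-001", "CRITICAL", "ingress", re.compile(r'cidr_blocks\s*=\s*\[[^\]]*"0\.0\.0\.0/0"'),
     "Security group 0.0.0.0/0 ingress", "limit cidr_blocks to the ranges that need access"),
]
RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"')
BLOCK_RE = re.compile(r"^\s*(ingress|egress)\s*\{")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
Finding = namedtuple("Finding", "rule severity file line resource title fix")

def scan_diff(diff: str) -> list[Finding]:
    """Walk a unified diff, track the new-side line number, and check only added lines."""
    findings, path, line, resource, block = [], "", 0, "", None
    for raw in diff.splitlines():
        if raw.startswith("+++ b/"):
            path, resource, block = raw[6:], "", None
        elif m := HUNK_RE.match(raw):
            line = int(m.group(1)) - 1          # hunk header gives the first new-side line
        elif raw.startswith(("+", " ")):        # '-' lines never ship, so they fall through
            line += 1
            body = raw[1:]
            if m := RESOURCE_RE.match(body):    # remember the resource we are inside
                resource, block = f"{m.group(1)}.{m.group(2)}", None
            elif m := BLOCK_RE.match(body):
                block = m.group(1)
            if raw.startswith("+"):
                for rule, sev, need_block, pat, title, fix in RULES:
                    if need_block in (None, block) and pat.search(body):
                        findings.append(Finding(rule, sev, path, line, resource, title, fix))
    return findings

def format_comment(f: Finding) -> str:
    """Render a finding like the page's bot comment: rule, severity, resource, file:line, fix."""
    return f"[{f.rule}] {f.severity} - {f.title}\nResource {f.resource} in {f.file}:{f.line}. Fix: {f.fix}"
# Constructed PR diff for main.tf; the S3 line lands on main.tf:14 as in the page's mock-up.
SAMPLE_DIFF = """--- a/main.tf
+++ b/main.tf
@@ -12,4 +12,7 @@
 resource "aws_s3_bucket" "user_uploads" {
   bucket = "acme-user-uploads"
-  acl    = "private"
+  acl    = "public-read"
 }
+resource "aws_security_group" "web" {
+  ingress { cidr_blocks = ["0.0.0.0/0"] }
+}"""
```

Because only added lines are examined, a PR that removes a public ACL produces no finding, and an egress block opened to 0.0.0.0/0 does not trip the ingress rule.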

Features

Everything your security team actually needs

Built for teams who ship fast and can't afford a separate security review cycle.

Zero configuration

Install the GitHub App. That's it. No config files, no YAML, no agents to deploy or maintain. Works on the first PR you open.

💬 Fix in the comment

Every finding includes the precise code change needed — with the file name, line number, and a ready-to-apply before/after diff block.

🔒 Hard merge blocks

Critical findings lock the merge button via required GitHub status checks. There is no override button. Vulnerabilities cannot slip through.

📊 Security dashboard

Track every open finding across all repos — severity breakdown, fix velocity, team trends — in a single engineering-grade dashboard.

📋 29 battle-tested rules

Covering S3, IAM, RDS, EC2, VPC, EKS, Lambda, CloudFront, and more. Every rule was written for real-world AWS + Terraform stacks.

🔐 Privacy by design

TerraWatch never stores your Terraform code. We read the PR diff, scan in memory, and discard it immediately. Your infra stays yours.

Coverage

29 rules. Built for AWS.

Every rule ships on day one. No config, no plugin installs, no rule packs to manage.

Severity levels: Critical · High · Medium · Low

TW-S3-001 · S3 bucket public ACL
TW-S3-002 · S3 versioning disabled
TW-IAM-001 · IAM wildcard permissions
TW-IAM-002 · Root account API keys
TW-RDS-001 · RDS publicly accessible
TW-EC2-001 · Security group 0.0.0.0/0 ingress
TW-KMS-001 · KMS key rotation disabled
TW-S3-003 · S3 server-side encryption off
TW-IAM-003 · IAM password policy weak
TW-RDS-002 · RDS storage unencrypted
TW-RDS-003 · RDS automated backup disabled
TW-EC2-002 · EC2 IMDSv1 enabled
TW-VPC-001 · VPC flow logs disabled
TW-CF-001 · CloudFront HTTPS not enforced
TW-ECS-001 · ECS task definition privileged
TW-S3-004 · S3 access logging disabled
TW-EC2-003 · EC2 detailed monitoring off
TW-EKS-001 · EKS control plane logging off
TW-EKS-002 · EKS public endpoint enabled
TW-LAMBDA-001 · Lambda plaintext env secrets
TW-SNS-001 · SNS topic unencrypted
TW-SQS-001 · SQS queue unencrypted
TW-ELB-001 · ELB access logs disabled
TW-CW-001 · CloudWatch log retention unset
TW-SECRETS-001 · Hardcoded credentials detected
TW-TAG-001 · Missing required resource tags
TW-EC2-004 · EC2 termination protection off
TW-RDS-004 · RDS minor version upgrade off
TW-BACKUP-001 · No AWS Backup plan defined

Workflow

The fix lives in the PR.

No Jira ticket. No Slack thread. No "check the security doc." TerraWatch posts a bot comment with the precise change needed — rule ID, severity, resource name, file location, and a diff that can be applied in 30 seconds.

Developer pushes the fix, TerraWatch re-scans automatically, merge button goes green. Done.

🎯 Context switching kills velocity. Keeping the finding and the fix inside the PR — where the work already is — means your team spends time shipping, not triaging.

terrawatch-bot · bot

🔴 [TW-S3-001] CRITICAL · S3 bucket allows public ACL

Resource aws_s3_bucket.user_uploads (main.tf:14)

acl = "public-read" makes every object...
