explaingit

infiniumtek/terraform-review-agent

Analysis updated 2026-05-18

44PythonAudience · ops devopsComplexity · 3/5LicenseSetup · moderate

TLDR

A GitHub Action that reviews Terraform pull requests for security issues, cost changes, and style problems, then posts one summary comment.

Mindmap

mindmap
  root((terraform review agent))
    What it does
      Reviews Terraform PRs
      Posts one summary comment
      Runs in GitHub Actions
    Tech stack
      Python
      LangGraph
      Docker container
    Reviewers
      Security scanner
      Cost estimator
      Style checker
    Use cases
      Catch insecure configs
      Track cost changes
      Enforce formatting
    Audience
      DevOps teams
      Platform engineers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Automatically catch insecure Terraform configs like unencrypted storage buckets before they merge.

USE CASE 2

See the monthly cost impact of infrastructure changes directly on the pull request.

USE CASE 3

Enforce consistent Terraform formatting and linting across a team without manual review.

USE CASE 4

Block merges when a change introduces a high or critical severity infrastructure risk.

What is it built with?

PythonLangGraphTerraformDockerPydantictfsecinfracost

How does it compare?

infiniumtek/terraform-review-agentajay150313/agentsre-langchainlorenliu13/claude-code-for-hydrology
Stars444444
LanguagePythonPythonPython
Setup difficultymoderateeasyeasy
Complexity3/52/52/5
Audienceops devopsdeveloperresearcher

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires an API key for whichever LLM provider you choose (OpenAI, Anthropic, or Google).

Use freely for any purpose, including commercial use, as long as you keep the copyright notice.

In plain English

Terraform is a tool that developers use to define and provision infrastructure, such as servers, databases, and networks, using code files rather than clicking through web interfaces. When a team uses Terraform, they submit changes via pull requests for review before applying them. This project automates part of that review: it is a reusable GitHub Actions workflow that reads the changed Terraform files in a pull request and posts a single comment summarizing what it found. Three specialized reviewers run in parallel each time the workflow triggers. One checks for security misconfigurations using two scanners called tfsec and checkov, which look for things like storage buckets without encryption or resources exposed to the internet. A second reviewer estimates how much the proposed changes would cost per month, using a tool called infracost. The third checks formatting and style consistency using tflint and terraform fmt. Each reviewer hands its raw scanner findings to an AI language model, which rephrases each finding into a plain, actionable sentence. The AI cannot change severity ratings, file references, or rule identifiers, so the set of findings is consistent across runs. All findings from all three reviewers are merged, deduplicated, ranked by severity, and posted as one comment on the pull request. On the next push, that same comment is edited in place rather than creating a new one. Setup requires adding a small workflow YAML file to the repository. The caller specifies which AI provider to use (OpenAI, Anthropic, or Google), which model, and at what severity level a finding should fail the CI check. Cost review is optional and requires a free Infracost API key. All scanner binaries ship inside a prebuilt container image, so there is nothing to install on each run.

Copy-paste prompts

Prompt 1
Write the minimal GitHub Actions workflow YAML to call infiniumtek/terraform-review-agent on pull requests that change .tf files.
Prompt 2
Explain what tfsec and checkov each check for in a Terraform security scan.
Prompt 3
Show me how to set fail-on-severity so my CI check fails only on critical findings.
Prompt 4
Help me add an Infracost API key as a GitHub secret for the cost review agent.
Prompt 5
Explain what the sticky comment behavior means and how it gets edited on new pushes.

Frequently asked questions

What is terraform-review-agent?

A GitHub Action that reviews Terraform pull requests for security issues, cost changes, and style problems, then posts one summary comment.

What language is terraform-review-agent written in?

Mainly Python. The stack also includes Python, LangGraph, Terraform.

What license does terraform-review-agent use?

Use freely for any purpose, including commercial use, as long as you keep the copyright notice.

How hard is terraform-review-agent to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is terraform-review-agent for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.