u/Status-Direction99

▲ 8 r/aws (crossposted to r/Terraform)

How do you actually catch security issues in Terraform PRs when you're doing solo reviews?

The pattern I keep seeing: security groups too open, S3 buckets publicly accessible, encryption disabled on databases, IAM policies wider than they need to be. I catch some of it in manual review, but I know I'm missing things.

Question for the room: what's actually working for you?

  • Are you using any automated tooling? (Checkov, tfsec, something else?)
  • Has anyone tried running infrastructure changes through ChatGPT or Claude to catch gaps before merge?
  • If you haven't automated this, what's the blocker: company policy, trust in the output, or just haven't found the right tool?

Curious what's actually practical at the startup/small-team scale where you can't afford enterprise solutions.

reddit.com
u/Status-Direction99 — 7 days ago
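One way to get a first automated pass at the four issue classes the post lists (world-open security groups, public S3 buckets, unencrypted RDS, wildcard IAM), as an added example that is not part of the original post and not Checkov's or tfsec's code: a short Python scan over the JSON that `terraform show -json tfplan` emits after `terraform plan -out=tfplan`. The rule ids, the exemption for world-open 80/443, and the embedded sample plan are this example's own choices. It also handles a detail that is easy to miss in manual review: attributes only computed at apply time appear under `after_unknown`, not `after`, so a missing `storage_encrypted` or `policy` is treated as "needs a human", not as clean.

```python
"""Scan `terraform show -json tfplan` output for the post's four issue classes.
Rule ids, the web-port exemption and SAMPLE_PLAN are this example's own, not Checkov/tfsec rules."""
import json
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    address: str  # resource address in the plan, e.g. aws_db_instance.main
    rule: str
    detail: str


WORLD = {"0.0.0.0/0", "::/0"}
WEB_PORTS = {80, 443}  # world-open HTTP/HTTPS tolerated; any other world-open port is flagged
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
PAB_FLAGS = ("block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets")
IAM_POLICY_TYPES = {"aws_iam_policy", "aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy"}


def _listify(v):  # Terraform and IAM attributes may be a scalar, a list, or absent
    return [] if v is None else (v if isinstance(v, list) else [v])


def _check_ingress(addr, rules):
    out = []
    for r in rules:
        world = (set(_listify(r.get("cidr_blocks"))) | set(_listify(r.get("ipv6_cidr_blocks")))) & WORLD
        lo, hi = r.get("from_port"), r.get("to_port")
        if world and not (lo == hi and lo in WEB_PORTS and r.get("protocol") in ("tcp", "6")):
            out.append(Finding(addr, "SG_WORLD_OPEN", f"{r.get('protocol')} {lo}-{hi} from {sorted(world)}"))
    return out


def _check_s3(addr, rtype, after):
    if after.get("acl") in PUBLIC_ACLS:  # aws_s3_bucket (legacy acl argument) or aws_s3_bucket_acl
        return [Finding(addr, "S3_PUBLIC_ACL", f"acl={after['acl']}")]
    if rtype == "aws_s3_bucket_public_access_block":
        off = [k for k in PAB_FLAGS if not after.get(k)]
        return [Finding(addr, "S3_PUBLIC_ACCESS_BLOCK_OFF", "disabled: " + ", ".join(off))] if off else []
    return []


def _check_rds(addr, after, unknown):
    # A value computed at apply time is listed in after_unknown, not after: that is
    # "can't tell", not "safe", so only flag when the plan really says false/unset.
    if unknown.get("storage_encrypted") is True or after.get("storage_encrypted"):
        return []
    return [Finding(addr, "RDS_UNENCRYPTED", "storage_encrypted is false or unset")]


def _check_iam(addr, after, unknown):
    if unknown.get("policy") is True or not after.get("policy"):
        return []  # policy resolved at apply (data source / templatefile): needs a human look
    doc = after["policy"]
    doc = json.loads(doc) if isinstance(doc, str) else doc
    out = []
    for st in _listify(doc.get("Statement")):
        actions, resources = _listify(st.get("Action")), _listify(st.get("Resource"))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if st.get("Effect") == "Allow" and wild and ("*" in actions or "*" in resources):
            out.append(Finding(addr, "IAM_WILDCARD", f"Allow {wild} on {resources}"))
    return out


def scan_plan(plan):
    """Findings for resources the plan creates or updates (deletes and no-ops are skipped)."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        if not {"create", "update"} & set(change.get("actions", [])):
            continue
        after, unknown = change.get("after") or {}, change.get("after_unknown") or {}
        addr, rtype = rc["address"], rc["type"]
        if rtype == "aws_security_group":
            findings += _check_ingress(addr, after.get("ingress") or [])
        elif rtype == "aws_security_group_rule" and after.get("type") == "ingress":
            findings += _check_ingress(addr, [after])
        elif rtype.startswith("aws_s3_bucket"):
            findings += _check_s3(addr, rtype, after)
        elif rtype in ("aws_db_instance", "aws_rds_cluster"):
            findings += _check_rds(addr, after, unknown)
        elif rtype in IAM_POLICY_TYPES:
            findings += _check_iam(addr, after, unknown)
    return findings


def _rc(addr, rtype, actions, after, unknown=None):  # helper for building SAMPLE_PLAN entries
    return {"address": addr, "type": rtype,
            "change": {"actions": actions, "after": after, "after_unknown": unknown or {}}}


SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [  # constructed; mirrors plan JSON layout
    _rc("aws_security_group.web", "aws_security_group", ["create"], {"ingress": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}),
    _rc("aws_s3_bucket_acl.logs", "aws_s3_bucket_acl", ["create"], {"acl": "public-read"}),
    _rc("aws_db_instance.main", "aws_db_instance", ["update"], {"storage_encrypted": False}),
    _rc("aws_iam_policy.deploy", "aws_iam_policy", ["create"], {"policy": json.dumps(
        {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})}),
    _rc("aws_db_instance.old", "aws_db_instance", ["delete"], None),  # skipped: being destroyed
    _rc("aws_iam_role_policy.ci", "aws_iam_role_policy", ["create"], {}, {"policy": True}),  # skipped: unknown
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    found = scan_plan(plan)
    for f in found:
        print(f"{f.rule:<28}{f.address}: {f.detail}")
    sys.exit(1 if found else 0)  # non-zero exit fails the PR check
```

In CI the sequence is `terraform plan -out=tfplan`, `terraform show -json tfplan > plan.json`, then this script on `plan.json`; a non-zero exit blocks the merge. Scanning the plan rather than the PR diff matters because the plan carries resolved values, including module defaults the diff never shows. Checkov and tfsec ship hundreds of rules of this shape and are the sensible next step once the mechanism is in place.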