{"id":21261397,"url":"https://github.com/dflook/terraform-check","last_synced_at":"2026-01-16T20:01:04.975Z","repository":{"id":61301419,"uuid":"277396147","full_name":"dflook/terraform-check","owner":"dflook","description":"GitHub action to check if there are terraform changes to apply","archived":false,"fork":false,"pushed_at":"2026-01-13T13:53:49.000Z","size":76,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-01-13T16:35:37.719Z","etag":null,"topics":["actions","devops","github-action","github-actions","terraform"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dflook.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["dflook"]}},"created_at":"2020-07-05T22:50:33.000Z","updated_at":"2026-01-13T13:53:50.000Z","dependencies_parsed_at":"2023-02-18T01:31:21.781Z","dependency_job_id":"ca8a1dec-9d05-49ef-b70a-f82540edf9fe","html_url":"https://github.com/dflook/terraform-check","commit_stats":{"total_commits":57,"total_committers":1,"mean_commits":57.0,"dds":0.0,"last_synced_commit":"b3954b2ee8ffc248053022538adda3750a220073"},"previous_names":[],"tags_count":331,"template":false,"template_full_name":null,"purl":"pkg:github/dflook/terraform-check","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dflook%2Fterraform-check","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dflook%2Fterraform-check/tags","releases_url":"https://re
pos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dflook%2Fterraform-check/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dflook%2Fterraform-check/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dflook","download_url":"https://codeload.github.com/dflook/terraform-check/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dflook%2Fterraform-check/sbom","scorecard":{"id":276856,"data":{"date":"2025-08-11","repo":{"name":"github.com/dflook/terraform-check","commit":"93c8d2728960fef31972893225f01674e831e8e0"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.3,"checks":[{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous 
patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Maintained","score":5,"reason":"7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file 
to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"License","score":0,"reason":"license file not detected","details":["Warn: project does not have a license file"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection 
settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}}]},"last_synced_at":"2025-08-17T14:41:18.182Z","repository_id":61301419,"created_at":"2025-08-17T14:41:18.182Z","updated_at":"2025-08-17T14:41:18.182Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28482214,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-16T11:59:17.896Z","status":"ssl_error","status_checked_at":"2026-01-16T11:55:55.838Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","devops","github-action","github-actions","terraform"],"created_at":"2024-11-21T04:29:25.275Z","updated_at":"2026-01-16T20:01:04.944Z","avatar_url":"https://github.com/dflook.png","language":null,"funding_links":["https://github.com/sponsors/dflook"],"categories":[],"sub_categories":[],"readme":"# terraform-check action\n\nThis is one of a suite of Terraform related actions - find them at [dflook/terraform-github-actions](https://github.com/dflook/terraform-github-actions).\n\nCheck for drift in Terraform managed resources.\nThis action runs the terraform plan command, and fails the build if any changes are required.\nThis is intended to run on a schedule to notify if manual changes to your infrastructure have been made.\n\n## Inputs\n\n* `path`\n\n  Path to the Terraform root module to check\n\n  - Type: string\n  
- Optional\n  - Default: The action workspace\n\n* `workspace`\n\n  Terraform workspace to run the plan in\n\n  - Type: string\n  - Optional\n  - Default: `default`\n\n* `variables`\n\n  Variables to set for the terraform plan. This should be valid Terraform syntax - like a [variable definition file](https://developer.hashicorp.com/terraform/language/values/variables#variable-definitions-tfvars-files).\n\n  Variables set here override any given in `var_file`s.\n\n  ```yaml\n  with:\n    variables: |\n      image_id = \"${{ secrets.AMI_ID }}\"\n      availability_zone_names = [\n        \"us-east-1a\",\n        \"us-west-1c\",\n      ]\n  ```\n\n  - Type: string\n  - Optional\n\n* `var_file`\n\n  List of tfvars files to use, one per line.\n  Paths should be relative to the GitHub Actions workspace\n\n  ```yaml\n  with:\n    var_file: |\n      common.tfvars\n      prod.tfvars\n  ```\n\n  - Type: string\n  - Optional\n\n* `backend_config`\n\n  List of Terraform backend config values, one per line.\n\n  ```yaml\n  with:\n    backend_config: token=${{ secrets.BACKEND_TOKEN }}\n  ```\n\n  - Type: string\n  - Optional\n\n* `backend_config_file`\n\n  List of Terraform backend config files to use, one per line.\n  Paths should be relative to the GitHub Actions workspace\n\n  ```yaml\n  with:\n    backend_config_file: prod.backend.tfvars\n  ```\n\n  - Type: string\n  - Optional\n\n* `parallelism`\n\n  Limit the number of concurrent operations\n\n  - Type: number\n  - Optional\n  - Default: The Terraform default (10).\n\n## Outputs\n\n* `failure-reason`\n\n  When the job outcome is `failure` because there are outstanding changes to apply, this will be set to 'changes-to-apply'.\n  If the job fails for any other reason this will not be set.\n  This can be used with the Actions expression syntax to conditionally run a step when there are changes to apply.\n\n  - Type: string\n\n## Environment Variables\n\n* `GITHUB_DOT_COM_TOKEN`\n\n  This is used to specify a token for 
GitHub.com when the action is running on a GitHub Enterprise instance.\n  This is only used for downloading OpenTofu binaries from GitHub.com.\n  If this is not set, an unauthenticated request will be made to GitHub.com to download the binary, which may be rate limited.\n\n  - Type: string\n  - Optional\n\n* `TERRAFORM_CLOUD_TOKENS`\n\n  API tokens for cloud hosts, of the form `\u003chost\u003e=\u003ctoken\u003e`. Multiple tokens may be specified, one per line.\n  These tokens may be used with the `remote` backend and for fetching required modules from the registry.\n\n  e.g:\n\n  ```yaml\n  env:\n    TERRAFORM_CLOUD_TOKENS: app.terraform.io=${{ secrets.TF_CLOUD_TOKEN }}\n  ```\n\n  With other registries:\n\n  ```yaml\n  env:\n    TERRAFORM_CLOUD_TOKENS: |\n      app.terraform.io=${{ secrets.TF_CLOUD_TOKEN }}\n      terraform.example.com=${{ secrets.TF_REGISTRY_TOKEN }}\n  ```\n\n  - Type: string\n  - Optional\n\n* `TERRAFORM_SSH_KEY`\n\n  An SSH private key that Terraform will use to fetch git/mercurial module sources.\n\n  This should be in PEM format.\n\n  For example:\n\n  ```yaml\n  env:\n    TERRAFORM_SSH_KEY: ${{ secrets.TERRAFORM_SSH_KEY }}\n  ```\n\n  - Type: string\n  - Optional\n\n* `TERRAFORM_HTTP_CREDENTIALS`\n\n  Credentials that will be used for fetching module sources with `git::http://`, `git::https://`, `http://` \u0026 `https://` schemes.\n\n  Credentials have the format `\u003chost\u003e=\u003cusername\u003e:\u003cpassword\u003e`. 
Multiple credentials may be specified, one per line.\n\n  Each credential is evaluated in order, and the first matching credentials are used.\n\n  Credentials that are used by git (`git::http://`, `git::https://`) allow a path after the hostname.\n  Paths are ignored by `http://` \u0026 `https://` schemes.\n  For git module sources, a credential matches if each mentioned path segment is an exact match.\n\n  For example:\n\n  ```yaml\n  env:\n    TERRAFORM_HTTP_CREDENTIALS: |\n      example.com=dflook:${{ secrets.HTTPS_PASSWORD }}\n      github.com/dflook/terraform-github-actions.git=dflook-actions:${{ secrets.ACTIONS_PAT }}\n      github.com/dflook=dflook:${{ secrets.DFLOOK_PAT }}\n      github.com=graham:${{ secrets.GITHUB_PAT }}  \n  ```\n\n  - Type: string\n  - Optional\n\n* `TERRAFORM_PRE_RUN`\n\n  A set of commands that will be run prior to `terraform init`. This can be used to customise the environment before running Terraform.\n\n  The runtime environment for these actions is subject to change in minor version releases. 
If using this environment variable, specify the minor version of the action to use.\n\n  The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`.\n\n  For example:\n\n  ```yaml\n  env:\n    TERRAFORM_PRE_RUN: |\n      # Install latest Azure CLI\n      curl -sL https://aka.ms/InstallAzureCLIDeb | bash\n\n      # Install postgres client\n      apt-get install -y --no-install-recommends postgresql-client\n  ```\n\n  - Type: string\n  - Optional\n\n## Example usage\n\nThis example workflow runs every morning and will fail if there have been\nunexpected changes to your infrastructure.\n\n```yaml\nname: Check for infrastructure drift\n\non:\n  schedule:\n    - cron:  \"0 8 * * *\"\n\njobs:\n  check_drift:\n    runs-on: ubuntu-latest\n    name: Check for drift of Terraform configuration\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Check\n        uses: dflook/terraform-check@v2\n        with:\n          path: my-terraform-configuration\n```\n\nThis example executes a run step only if there are changes to apply.\n\n```yaml\nname: Check for infrastructure drift\n\non:\n  schedule:\n    - cron:  \"0 8 * * *\"\n\njobs:\n  check_drift:\n    runs-on: ubuntu-latest\n    name: Check for drift of Terraform configuration\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Check\n        uses: dflook/terraform-check@v2\n        id: check\n        with:\n          path: my-terraform-configuration\n\n      - name: Changes detected\n        if: ${{ failure() \u0026\u0026 steps.check.outputs.failure-reason == 'changes-to-apply' }}\n        run: echo \"There are outstanding changes to 
apply\"\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdflook%2Fterraform-check","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdflook%2Fterraform-check","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdflook%2Fterraform-check/lists"}