{"id":50532014,"url":"https://github.com/pyjeebz/statewatch","last_synced_at":"2026-06-03T14:31:00.379Z","repository":{"id":357249284,"uuid":"1228498004","full_name":"pyjeebz/statewatch","owner":"pyjeebz","description":null,"archived":false,"fork":false,"pushed_at":"2026-05-12T00:28:03.000Z","size":5,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"dev","last_synced_at":"2026-05-12T02:31:45.996Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pyjeebz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-04T04:39:50.000Z","updated_at":"2026-05-12T00:28:07.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/pyjeebz/statewatch","commit_stats":null,"previous_names":["pyjeebz/statewatch"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/pyjeebz/statewatch","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pyjeebz%2Fstatewatch","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pyjeebz%2Fstatewatch/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pyjeebz%2Fstatewatch/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pyjeebz%2Fstatewatch/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pyjeebz","download_url":"https://codeload.github.com/pyjeebz/statewatch/tar.gz/refs/heads/dev","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pyjeebz%2Fstatewatch/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33870025,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-03T02:00:06.370Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-03T14:30:59.491Z","updated_at":"2026-06-03T14:31:00.369Z","avatar_url":"https://github.com/pyjeebz.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# statewatch\n\n**Your infrastructure drifted. statewatch tells you what breaks.**\n\nA dependency-aware drift detector for GCP. It compares live Cloud Asset Inventory state\nagainst your Terraform state, builds a resource dependency graph (including dependencies\nTerraform itself doesn't track), and reports, per drift, **how bad it is** and **what\nelse is affected**.\n\nDetection is commodity — every tool tells you a field changed. The hard question on call\nat 2 AM is *\"what does this break?\"* That's what statewatch answers.\n\n![statewatch scan showing a CRITICAL firewall drift and a MEDIUM subnet drift, each with its DIRECT blast radius](docs/img/scan-showcase.svg)\n\n## Install\n\n```bash\npip install statewatch\n```\n\nPython 3.11+. Apache-2.0.\n\n## Quickstart\n\n```bash\n# 1. Point it at your Terraform state and GCP project (needs roles/cloudasset.viewer)\nstatewatch scan --tfstate ./terraform.tfstate --project my-gcp-project\n\n# 2. See the dependency graph it builds (text | json | dot)\nstatewatch graph --tfstate ./terraform.tfstate --project my-gcp-project --format dot | dot -Tpng \u003e graph.png\n\n# 3. Generate a starter config\nstatewatch init --tfstate ./terraform.tfstate --project my-gcp-project\n```\n\nNo GCP project handy? Add `--stub` to any `scan` for an offline demo against bundled\nsample state. State can also live in GCS: `--tfstate gs://my-bucket/env/prod.tfstate`.\n\n## What statewatch does\n\n- **Severity × impact, not just \"drift detected.\"** Every finding carries a severity\n  (CRITICAL / MEDIUM / LOW) *and* a blast radius — the resources that depend on the\n  drifted one, labelled **DIRECT** (one hop), **INDIRECT** (two hops), or **WATCH**\n  (further, or low-propagation drift). `CRITICAL firewall drift — 2 DIRECT` is a\n  different alert than `drift detected`.\n- **A real dependency graph.** Built automatically from Terraform `depends_on`, from\n  manual edges in `statewatch.yaml`, and — the defensible part — **inferred from resource\n  attributes**: a subnet referenced in an instance's `subnetwork` field, or a firewall\n  that applies to an instance by tag, is a real dependency even when `depends_on` never\n  mentions it. Terraform doesn't track those. statewatch does.\n- **Exit codes for CI.** `0` clean · `1` low/medium drift · `2` critical, or any drift\n  with a significant blast radius. Wire it into a pipeline and the build fails when it\n  should.\n\nResource types in v0.1: `google_compute_instance`, `google_compute_firewall`,\n`google_compute_subnetwork`, `google_container_cluster`.\n\n## Who this is for\n\nstatewatch is for **SRE on-call, incident response, and large-scale Terraform setups** —\nthe engineer staring at drift in infrastructure they didn't write, who needs to triage\nfast, and any setup where implicit dependencies live in attribute fields that Terraform's\nown dependency tree doesn't capture.\n\n**It is not for everyone, and that's deliberate.** If you wrote the Terraform and you're\nthe one running `plan`, you know what depends on what — `terraform plan` is enough and you\ndon't need this. statewatch earns its keep when the person seeing the drift *isn't* the\nperson who wrote the code, or when there are too many simultaneous drift events to triage\nby hand. Underclaiming who it's for is the point.\n\nOne honesty note: statewatch uses **severity as a heuristic proxy for whether drift\npropagates** to dependents. It is not dataflow analysis and doesn't claim to be — the\nterminal output and JSON say so too.\n\n## Why statewatch and not …\n\n| | what it tells you | what it doesn't |\n|---|---|---|\n| `terraform plan` | exactly what *your* config would change | nothing about live drift you didn't cause; only what's in the dependency tree |\n| Terraform Cloud drift detection | a resource drifted | what *else* is affected; implicit attribute-level dependencies |\n| driftctl | unmanaged / drifted resources, broadly | severity, and the downstream blast radius |\n| **statewatch** | what drifted, how bad, **and what depends on it** | it's GCP-only, detection-only (no auto-fix), and intentionally narrow in audience |\n\nstatewatch is a *complement* to `terraform plan`, not a replacement.\n\n## How it works\n\n```\nGCP live state            Terraform state\n(Cloud Asset Inventory)   (local file or gs://)\n        └──────────┬──────────┘\n                   ▼\n        normalize → structural diff\n                   ▼\n      severity classifier   dependency graph\n                   └─────────┬────────┘\n                             ▼\n            impact analyzer (walk predecessors)\n                             ▼\n        severity × impact report  (terminal · JSON · Slack · GitHub PR)\n```\n\nImpact flows *against* dependency edges: when B drifts, the affected resources are B's\ntransitive predecessors (everything that depends on B).\n\n## Running in CI\n\nA GitHub Action ships in this repo (`action.yml`): it runs a scan, upserts a single\nfindings comment on the PR, and fails the check when statewatch exits `2`.\n\n```yaml\n- uses: google-github-actions/auth@v2\n  with: { workload_identity_provider: ..., service_account: ... }\n- uses: pyjeebz/statewatch@v0.1.0\n  with:\n    tfstate: gs://my-bucket/env/prod.tfstate\n    project: my-gcp-project\n```\n\nSlack notifications and `--watch` (continuous, notify-only-on-new-drift) are configured\nvia `statewatch.yaml` — run `statewatch init` to scaffold one.\n\n## Future\n\nstatewatch is the intelligence layer — *what changed and what it breaks*. **v0.2** adds\ndrift attribution: *who* changed it and *when*, by correlating GCP Audit Logs. AWS and\nAzure adapters are open for community contribution behind a stable adapter interface; the\nruntime layer is a separate, later effort.\n\n## Roadmap\n\n- **v0.2** — drift attribution (Audit Logs: actor, method, timestamp). Opt-in.\n- AWS adapter (Config + CloudTrail) and Azure adapter (Resource Graph + Activity Log) —\n  community contributions welcome; see [CONTRIBUTING.md](CONTRIBUTING.md).\n- Tracked, deliberately-deferred items live in [KNOWN_ISSUES.md](KNOWN_ISSUES.md).\n\n## Contributing\n\nThe adapter and per-resource-type seams are designed for external contribution —\n[CONTRIBUTING.md](CONTRIBUTING.md) explains the `CloudAdapter` interface and how to add a\nresource type without touching the engine.\n\n## License\n\nApache-2.0. See [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpyjeebz%2Fstatewatch","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpyjeebz%2Fstatewatch","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpyjeebz%2Fstatewatch/lists"}