DEV.co
Open-Source Testing · terraform-compliance

cli

terraform-compliance is an open-source BDD test framework that validates Terraform infrastructure-as-code against security and compliance policies before deployment. It uses human-readable Gherkin syntax to define negative tests, catching policy violations early in the CI/CD pipeline.

Source: GitHub — github.com/terraform-compliance/cli
1.5k
GitHub stars
159
Forks
Python
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryterraform-compliance/cli
Ownerterraform-compliance
Primary languagePython
LicenseMIT — OSI-approved
Stars1.5k
Forks159
Open issues97
Latest release1.15.1 (2026-05-08)
Last updated2026-05-08
Sourcehttps://github.com/terraform-compliance/cli

What cli is

A Python-based framework that parses Terraform plans and validates them against feature files written in Gherkin. It integrates into CI/CD pipelines and Git hooks, supports Docker deployment, and focuses on policy enforcement rather than functional testing of infrastructure changes.

Quickstart

Get the cli source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/terraform-compliance/cli.gitcd cli# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Pre-deployment compliance validation

Run terraform-compliance in CI/CD pipelines to ensure all Terraform changes comply with security policies before reaching production, enforcing standards like encryption, IAM configurations, and resource tagging.

Security policy enforcement across teams

Maintain centralized compliance test suites in a separate repository, allowing security teams to define policies that all infrastructure changes must pass, enabling separation of duties between dev and security.

Negative testing for infrastructure-as-code

Define what must NOT exist or what configurations are forbidden in Terraform code (e.g., no unencrypted S3 buckets, no overly permissive security groups), catching anti-patterns before they're deployed.

Implementation considerations

  • Requires Terraform plan output in JSON or HCL format; integration point is typically post-plan stage in CI/CD pipelines.
  • Feature files (Gherkin syntax) must be written and maintained by teams familiar with BDD principles; learning curve exists for non-BDD organizations.
  • Performance can be optimized via optional faster_parsing pip flag; verify performance meets pipeline SLAs before deployment in CI/CD.
  • Policies are version-controlled alongside test files; document policy ownership and review process to prevent drift between security intent and implementation.
  • Docker image available (eerkunt/terraform-compliance) for containerized environments; validate image provenance and update frequency for your security posture.

When to avoid it — and what to weigh

  • Functional testing of infrastructure behavior — This tool is designed for policy compliance, not for testing whether provisioned infrastructure actually works. Use Terraform testing frameworks or infrastructure testing tools (Inspec, Terratest) for functional validation.
  • Dynamic infrastructure changes requiring real-time validation — terraform-compliance validates against Terraform plans; it cannot monitor live infrastructure drift or perform continuous compliance scanning of already-deployed resources.
  • Complex multi-cloud policy engines — While it supports multiple cloud providers through Terraform, it is not a replacement for enterprise policy engines like HashiCorp Sentinel or cloud-native compliance platforms that offer fine-grained, real-time enforcement.
  • Organizations requiring commercial support and SLAs — This is community-maintained open-source software with no formal commercial support, vendor guarantees, or SLAs. Organizations needing enterprise-grade support should evaluate Sentinel or commercial alternatives.

License & commercial use

MIT License. Permissive open-source license permitting use, modification, and distribution in commercial and proprietary contexts, with attribution required and no liability guarantees.

MIT license permits commercial use without restriction. However, this is community-maintained open-source software with no commercial support, SLA, or indemnification. Organizations using it in production should review their risk tolerance for unsupported software and consider commercial alternatives (Sentinel, OPA/Conftest, or vendor platforms) if formal support is required.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Tool is designed to enforce security policies in code; it does not itself guarantee code security. Ensure feature file repositories and Terraform plans are access-controlled. terraform-compliance processes sensitive Terraform state and plan files; validate that it does not log or expose sensitive values. No indication of security audits or vulnerability disclosure process in README; review GitHub for security issues before production use.

Alternatives to consider

HashiCorp Sentinel

Enterprise policy-as-code engine with fine-grained control, commercial support, and integration into Terraform Cloud/Enterprise. Higher cost; requires Terraform Premium tier or above.

OPA/Conftest

General-purpose policy engine supporting multiple IaC tools (Terraform, CloudFormation, Kubernetes) with Rego language. Steeper learning curve than Gherkin; broader use case coverage.

Checkov (Bridgewater/CloudSploit derivative)

Cloud security scanning tool supporting Terraform, CloudFormation, Kubernetes, and container images. Broader vulnerability scanning vs. policy-focused approach of terraform-compliance; integrates with multiple tools.

Software development agency

Build on cli with DEV.co software developers

terraform-compliance enables security teams to define and enforce compliance policies on Terraform code before deployment. Evaluate if this open-source tool fits your policy needs, or discuss enterprise alternatives with our DevOps and Cloud specialists.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

cli FAQ

Can terraform-compliance monitor live infrastructure or only Terraform code?
It validates Terraform plans and code before deployment. It does not monitor live infrastructure or detect drift after resources are provisioned. Use tools like Inspec, AWS Config, or cloud-native compliance services for runtime validation.
Is terraform-compliance suitable for enterprise deployments?
Yes, for policy enforcement in CI/CD pipelines. However, it lacks commercial support, SLA, and security certifications. Organizations requiring compliance certifications (SOC2, ISO27001) should verify terraform-compliance fits their audit requirements or combine it with commercial tools.
What is the learning curve for teams unfamiliar with Gherkin/BDD?
Moderate. Gherkin syntax is human-readable, but effective policy definition requires understanding of both Terraform resource properties and BDD principles. Recommend hands-on workshops and documented examples.
How does terraform-compliance handle sensitive data in Terraform plans?
Unknown. Terraform plans can contain sensitive values (passwords, API keys). Validate through code review and testing that terraform-compliance does not log or expose sensitive data, and ensure plan files are treated as secrets in your CI/CD pipeline.

Custom software development services

From first prototype to production, DEV.co delivers software development services around tools like cli. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source testing and beyond.

Strengthen Your Infrastructure Policy Enforcement

terraform-compliance enables security teams to define and enforce compliance policies on Terraform code before deployment. Evaluate if this open-source tool fits your policy needs, or discuss enterprise alternatives with our DevOps and Cloud specialists.