cli
terraform-compliance is an open-source BDD test framework that validates Terraform infrastructure-as-code against security and compliance policies before deployment. It uses human-readable Gherkin syntax to define negative tests, catching policy violations early in the CI/CD pipeline.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | terraform-compliance/cli |
| Owner | terraform-compliance |
| Primary language | Python |
| License | MIT — OSI-approved |
| Stars | 1.5k |
| Forks | 159 |
| Open issues | 97 |
| Latest release | 1.15.1 (2026-05-08) |
| Last updated | 2026-05-08 |
| Source | https://github.com/terraform-compliance/cli |
What cli is
A Python-based framework that parses Terraform plans and validates them against feature files written in Gherkin. It integrates into CI/CD pipelines and Git hooks, supports Docker deployment, and focuses on policy enforcement rather than functional testing of infrastructure changes.
Get the cli source
Clone the repository and explore it locally.
git clone https://github.com/terraform-compliance/cli.gitcd cli# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Terraform plan output in JSON or HCL format; integration point is typically post-plan stage in CI/CD pipelines.
- Feature files (Gherkin syntax) must be written and maintained by teams familiar with BDD principles; learning curve exists for non-BDD organizations.
- Performance can be optimized via optional faster_parsing pip flag; verify performance meets pipeline SLAs before deployment in CI/CD.
- Policies are version-controlled alongside test files; document policy ownership and review process to prevent drift between security intent and implementation.
- Docker image available (eerkunt/terraform-compliance) for containerized environments; validate image provenance and update frequency for your security posture.
When to avoid it — and what to weigh
- Functional testing of infrastructure behavior — This tool is designed for policy compliance, not for testing whether provisioned infrastructure actually works. Use Terraform testing frameworks or infrastructure testing tools (Inspec, Terratest) for functional validation.
- Dynamic infrastructure changes requiring real-time validation — terraform-compliance validates against Terraform plans; it cannot monitor live infrastructure drift or perform continuous compliance scanning of already-deployed resources.
- Complex multi-cloud policy engines — While it supports multiple cloud providers through Terraform, it is not a replacement for enterprise policy engines like HashiCorp Sentinel or cloud-native compliance platforms that offer fine-grained, real-time enforcement.
- Organizations requiring commercial support and SLAs — This is community-maintained open-source software with no formal commercial support, vendor guarantees, or SLAs. Organizations needing enterprise-grade support should evaluate Sentinel or commercial alternatives.
License & commercial use
MIT License. Permissive open-source license permitting use, modification, and distribution in commercial and proprietary contexts, with attribution required and no liability guarantees.
MIT license permits commercial use without restriction. However, this is community-maintained open-source software with no commercial support, SLA, or indemnification. Organizations using it in production should review their risk tolerance for unsupported software and consider commercial alternatives (Sentinel, OPA/Conftest, or vendor platforms) if formal support is required.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Tool is designed to enforce security policies in code; it does not itself guarantee code security. Ensure feature file repositories and Terraform plans are access-controlled. terraform-compliance processes sensitive Terraform state and plan files; validate that it does not log or expose sensitive values. No indication of security audits or vulnerability disclosure process in README; review GitHub for security issues before production use.
Alternatives to consider
HashiCorp Sentinel
Enterprise policy-as-code engine with fine-grained control, commercial support, and integration into Terraform Cloud/Enterprise. Higher cost; requires Terraform Premium tier or above.
OPA/Conftest
General-purpose policy engine supporting multiple IaC tools (Terraform, CloudFormation, Kubernetes) with Rego language. Steeper learning curve than Gherkin; broader use case coverage.
Checkov (Bridgewater/CloudSploit derivative)
Cloud security scanning tool supporting Terraform, CloudFormation, Kubernetes, and container images. Broader vulnerability scanning vs. policy-focused approach of terraform-compliance; integrates with multiple tools.
Build on cli with DEV.co software developers
terraform-compliance enables security teams to define and enforce compliance policies on Terraform code before deployment. Evaluate if this open-source tool fits your policy needs, or discuss enterprise alternatives with our DevOps and Cloud specialists.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
cli FAQ
Can terraform-compliance monitor live infrastructure or only Terraform code?
Is terraform-compliance suitable for enterprise deployments?
What is the learning curve for teams unfamiliar with Gherkin/BDD?
How does terraform-compliance handle sensitive data in Terraform plans?
Custom software development services
From first prototype to production, DEV.co delivers software development services around tools like cli. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source testing and beyond.
Strengthen Your Infrastructure Policy Enforcement
terraform-compliance enables security teams to define and enforce compliance policies on Terraform code before deployment. Evaluate if this open-source tool fits your policy needs, or discuss enterprise alternatives with our DevOps and Cloud specialists.