Live mode shows real scan results generated by the TerraGuard CI pipeline. To populate it:

Fork or clone this repo and add your ANTHROPIC_API_KEY secret in Settings → Secrets
Create a branch and edit a .tf file in examples/terraform/ — e.g. open SSH to 0.0.0.0/0
Open a pull request — the security-regression workflow scans, triages, and gates
Merge to main — the baseline-capture workflow updates docs/data/dashboard.json
Dashboard auto-deploys — switch to LIVE to see real posture data here

TerraGuard · Terraform security regression pipeline

Catch Terraform security
regressions before they ship.

Misconfigured S3 buckets, open security groups, unencrypted RDS — infrastructure drift slips past code review and reaches production, where it becomes a compliance incident. TerraGuard scans every pull request with Checkov, tfsec, and Trivy, scores your posture against CIS & NIST benchmarks, and opens auto-fix PRs via Claude when regressions are found.

15 CIS controls: continuously validated against AWS Foundations v1.5
Pre-merge: regressions caught in CI — not in production audits
Auto-fix PRs: AI-triaged remediations opened automatically

—

Posture

— Last scanned —

Last 30 days

Regressions

—

caught & gated

Auto-Fixed

—

via Claude PRs

Controls Tested

—

CIS + NIST

Mean Fix Time

—

hrs to remediate

Posture score timeline

Posture score Regression event

Regression frequency — last 12 months

Benchmark coverage

CIS Control	Description	Status

Top violated (30d)	Count

Recent pipeline runs

When	Branch	Score	Delta	Regressions	Auto-Fixed

How it works

Code Push

→

GitHub Actions

→

Scan (Checkov · tfsec · Trivy)

→

AI Triage

→

Auto-Fix PR

→

Dashboard