
Know what's pinned across
all your Terraform repos

MonPhare scans your organization's Terraform repositories, finds missing version pins, deprecated modules, risky constraints, and cross-repo conflicts -- before they break production.

terminal
$ monphare scan --github my-org
Scanning 15 repositories...
ERR   module.vpc        No version       main.tf:12
ERR   module.rds        No version       database.tf:3
WARN  module.eks        No upper bound   cluster.tf:5
WARN  provider.google   Too broad        providers.tf:8
WARN  module.cache      Wildcard         cache.tf:1
INFO  module.vault      Exact version    vault.tf:1
6 errors, 8 warnings across 15 repos

This is happening across your repos right now

Three teams, same module, three different constraint strategies. Nobody knows until something breaks.

What your Terraform repos actually look like
# team-a: no version pin at all
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
}

# team-b: accepts literally anything
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = ">= 0.0.0"
}

# team-c: frozen since 2022, no security patches
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "= 2.44.0"
}
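To make the difference between the three strategies concrete, here is an added example (not MonPhare's code, and not how MonPhare necessarily implements its checks) that extracts module blocks from a Terraform file and classifies each version constraint with the severities the scan output uses. The sample file, the module names (vpc_a..vpc_d), the regex-based block matcher and the classification rules are assumptions for illustration; only flat `module` blocks are handled, not `required_providers`.

```python
import re

# Constructed sample input for this example (not output from the page's scanner):
# the three team snippets above, renamed so they can sit in one file, plus a fourth
# module using the pessimistic constraint that keeps upgrades inside one major line.
SAMPLE_TF = """\
# team-a: no version pin at all
module "vpc_a" {
  source = "terraform-aws-modules/vpc/aws"
}

# team-b: accepts literally anything
module "vpc_b" {
  source  = "terraform-aws-modules/vpc/aws"
  version = ">= 0.0.0"
}

# team-c: frozen since 2022, no security patches
module "vpc_c" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "= 2.44.0"
}

# recommended: any 5.x release, never a new major
module "vpc_d" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 5.0"
}
"""

# Assumption: flat registry-style module blocks with one attribute per line and no
# nested blocks. That covers source/version pins; a real HCL parser (e.g. python-hcl2)
# is the robust choice for anything else.
MODULE_RE = re.compile(r'module\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(source|version)\s*=\s*"([^"]*)"', re.M)
CLAUSE_RE = re.compile(r'(~>|>=|<=|!=|>|<|=)?\s*([0-9A-Za-z.\-+]+)')


def classify(constraint):
    """Map one version constraint to (severity, issue) using the categories the scan
    table on this page uses. None means the block has no version attribute at all."""
    if constraint is None:
        return ("ERR", "No version")
    clauses = [c.strip() for c in constraint.split(",") if c.strip()]
    if not clauses or clauses == ["*"]:
        return ("WARN", "Wildcard")
    ops = []
    for clause in clauses:
        m = CLAUSE_RE.fullmatch(clause)
        if not m:
            return ("ERR", "Unparseable constraint")
        ops.append((m.group(1) or "=", m.group(2)))
    if any(re.search(r"-[0-9A-Za-z.]+$", ver) for _, ver in ops):
        return ("INFO", "Pre-release")      # e.g. 2.0-rc1
    if ops == [(">=", "0.0.0")]:
        return ("WARN", "Too broad")        # syntactically a bound, effectively none
    if all(op == "=" for op, _ in ops):
        return ("INFO", "Exact version")    # frozen: no patches arrive without a PR
    if not any(op in ("<", "<=", "~>") for op, _ in ops):
        return ("WARN", "No upper bound")   # a breaking major can land on next init
    return ("OK", "Bounded")


def scan(text, filename="main.tf"):
    """Return findings as (severity, resource, issue, current, location) tuples,
    one per module block, in file order."""
    findings = []
    for m in MODULE_RE.finditer(text):
        name, body = m.group(1), m.group(2)
        version = dict(ATTR_RE.findall(body)).get("version")
        sev, issue = classify(version)
        line = text.count("\n", 0, m.start()) + 1
        findings.append((sev, f"module.{name}", issue, version or "-", f"{filename}:{line}"))
    return findings


def exit_code(findings, strict=False):
    """Same contract as the CI section: 2 on errors, 1 on warnings with --strict, else 0."""
    severities = {f[0] for f in findings}
    if "ERR" in severities:
        return 2
    if strict and "WARN" in severities:
        return 1
    return 0


if __name__ == "__main__":
    results = scan(SAMPLE_TF)
    for sev, res, issue, cur, loc in results:
        print(f"{sev:<5} {res:<14} {issue:<16} {cur:<10} {loc}")
    raise SystemExit(exit_code(results, strict=True))
```

Run on the sample, team-a is an error, team-b a warning, team-c an informational finding, and only the `~> 5.0` module is bounded on both sides; the process exits 2 because of team-a.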

One command to scan your entire org

Point MonPhare at a GitHub org, GitLab group, Azure DevOps project, or Bitbucket workspace. Get a full constraint audit in seconds.

Scan all repos in your organization
$ monphare scan --github my-org --yes --format text

MonPhare v0.1.1 [FAILED] 6 errors, 8 warnings
Scanned: 47 files, 31 modules, 12 providers across 15 repositories

+------+-----------------------------+----------------+----------+-----------------+
| Sev  | Resource                    | Issue          | Current  | File            |
+------+-----------------------------+----------------+----------+-----------------+
| ERR  | module.vpc (team-infra)     | No version     | -        | main.tf:12      |
| ERR  | module.rds (team-backend)   | No version     | -        | database.tf:3   |
| ERR  | module.lambda (team-api)    | No version     | -        | functions.tf:8  |
| ERR  | provider.aws (team-data)    | No version     | -        | providers.tf:1  |
| ERR  | module.s3 (team-platform)   | No version     | -        | storage.tf:15   |
| ERR  | module.iam (team-security)  | No version     | -        | roles.tf:22     |
| WARN | module.eks (team-platform)  | No upper bound | >= 19.0  | cluster.tf:5    |
| WARN | module.cdn (team-frontend)  | No upper bound | >= 3.0   | cdn.tf:1        |
| WARN | provider.google (team-ml)   | Too broad      | >= 0.0.0 | providers.tf:8  |
| WARN | module.vpc (team-staging)   | No upper bound | >= 5.0   | network.tf:3    |
| WARN | provider.azurerm (team-ops) | No upper bound | >= 3.0   | providers.tf:1  |
| WARN | module.cache (team-backend) | Wildcard       | *        | cache.tf:1      |
| WARN | module.queue (team-api)     | No upper bound | >= 12.0  | messaging.tf:10 |
| WARN | module.dns (team-platform)  | No upper bound | >= 2.0   | dns.tf:5        |
| INFO | module.vault (team-sec)     | Exact version  | = 3.8.2  | vault.tf:1      |
| INFO | module.k8s (team-platform)  | Pre-release    | 2.0-rc1  | k8s.tf:12       |
+------+-----------------------------+----------------+----------+-----------------+

Fix errors to pass.

Works with your Git platform

One token, one command. MonPhare clones, scans, and reports across all your repositories.

GitHub

monphare scan --github my-org

GitLab

monphare scan --gitlab my-group

Azure DevOps

monphare scan --ado my-org/my-project

Bitbucket

monphare scan --bitbucket my-workspace

Define your own deprecation rules

Flag modules with known CVEs, providers below a certain version, or Terraform runtimes past end-of-life. Your security team defines the rules, MonPhare enforces them across every repo.

  • Module deprecations with CVE references
  • Provider version range bans
  • Terraform/OpenTofu runtime version requirements
  • Custom severity per rule (error, warning, info)
  • Suggested replacements in scan output
monphare.yaml
# monphare.yaml -- define what your org considers deprecated
deprecations:
  modules:
    "terraform-aws-modules/vpc/aws":
      - version: "< 3.0.0"
        reason: "Critical security vulnerability in VPC module versions before 3.0"
        severity: error
        replacement: "terraform-aws-modules/vpc/aws >= 5.0.0"

  providers:
    "hashicorp/azurerm":
      versions:
        - version: "< 3.50.0"
          reason: "Multiple CVEs in versions before 3.50.0"
          severity: error
          replacement: ">= 3.50.0"

  runtime:
    terraform:
      - version: "< 1.5.0"
        reason: "End of life, no security patches"
        severity: warning
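How a rule such as `< 3.50.0` is applied to a concrete version, as an added example that is not MonPhare's implementation: RULES mirrors the monphare.yaml above as a plain dict (the real file's schema is only known from that snippet, so the dict layout is an assumption), `matches` implements Terraform's constraint operators including the pessimistic `~>`, and `evaluate` returns the rule hits for one resolved version. The caveat a practitioner should keep in mind is built into `evaluate`: Terraform selects the newest release a constraint allows, so a rule can only be judged against a resolved version (an exact pin, or the entry in `.terraform.lock.hcl` for providers), never against an open range like team-b's `>= 0.0.0`.

```python
import re

# Mirrors the monphare.yaml above as a plain dict so the example runs without a YAML
# library. Only the fields shown on this page are used; the real schema may differ.
RULES = {
    "modules": {
        "terraform-aws-modules/vpc/aws": [
            {"version": "< 3.0.0",
             "reason": "Critical security vulnerability in VPC module versions before 3.0",
             "severity": "error",
             "replacement": "terraform-aws-modules/vpc/aws >= 5.0.0"},
        ],
    },
    "providers": {
        "hashicorp/azurerm": [
            {"version": "< 3.50.0",
             "reason": "Multiple CVEs in versions before 3.50.0",
             "severity": "error",
             "replacement": ">= 3.50.0"},
        ],
    },
    "runtime": {
        "terraform": [
            {"version": "< 1.5.0",
             "reason": "End of life, no security patches",
             "severity": "warning"},
        ],
    },
}

CLAUSE_RE = re.compile(r"\s*(~>|>=|<=|!=|>|<|=)?\s*([0-9][0-9A-Za-z.\-+]*)\s*")
OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_version(s):
    """'3.50' -> (3, 50, 0). Pre-release and build tags are dropped for ordering,
    which is enough for range bans (3.0.0-rc1 is treated as 3.0.0)."""
    core = s.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def matches(version, constraint):
    """True if `version` satisfies every comma-separated clause of `constraint`,
    using Terraform's operators: '~> 3.50' means >= 3.50, < 4.0 and
    '~> 3.50.0' means >= 3.50.0, < 3.51.0."""
    v = parse_version(version)
    for clause in constraint.split(","):
        m = CLAUSE_RE.fullmatch(clause)
        if not m:
            raise ValueError(f"bad constraint clause: {clause!r}")
        op, bound = m.group(1) or "=", m.group(2)
        b = parse_version(bound)
        if op == "~>":
            upper = (b[0] + 1, 0, 0) if len(bound.split(".")) <= 2 else (b[0], b[1] + 1, 0)
            if not (b <= v < upper):
                return False
        elif not OPS[op](v, b):
            return False
    return True


def evaluate(kind, name, version, rules=RULES):
    """Rule hits for one resolved version of a module, provider or runtime.
    `version` must be concrete (an exact pin, or the version recorded in
    .terraform.lock.hcl for providers): Terraform picks the newest release a
    constraint allows, so an open range like '>= 0.0.0' cannot be judged here."""
    hits = []
    for rule in rules.get(kind, {}).get(name, []):
        if matches(version, rule["version"]):
            hits.append({"severity": rule["severity"], "reason": rule["reason"],
                         "replacement": rule.get("replacement")})
    return hits


if __name__ == "__main__":
    # team-c's frozen pin from the snippet earlier on this page trips the module rule
    for hit in evaluate("modules", "terraform-aws-modules/vpc/aws", "2.44.0"):
        print(hit["severity"].upper(), hit["reason"], "->", hit["replacement"])
```

Team-c's `= 2.44.0` pin produces an error with the suggested replacement, a 5.x release produces nothing, and `terraform 1.4.6` produces the end-of-life warning; an unlisted module or provider never matches.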

Visualize your dependency map

See which modules depend on which providers. Understand blast radius before upgrading a shared module.

Export dependency graph
$ monphare graph ./infrastructure --format mermaid

graph TD
    vpc["vpc ~> 5.0"]
    eks["eks ~> 20.0"]
    rds["rds ~> 6.0"]
    lambda["lambda ~> 7.0"]
    aws(("hashicorp/aws >= 5.0, < 6.0"))
    random(("hashicorp/random ~> 3.0"))

    vpc -.-> aws
    eks -.-> aws
    rds -.-> aws
    lambda -.-> aws
    eks --> vpc

Output formats:
  • DOT (Graphviz)
  • Mermaid (GitHub / GitLab)
  • JSON (programmatic)

Drop it into your CI pipeline

Use --strict to fail builds on warnings. Schedule weekly org-wide audits. Pipe JSON output to dashboards or Slack.

Exit codes:
  • 0  Clean -- no issues
  • 1  Warnings (with --strict)
  • 2  Errors found
.github/workflows/terraform-audit.yml
# .github/workflows/terraform-audit.yml
name: Weekly Terraform Audit

on:
  schedule:
    - cron: '0 8 * * 1' # every Monday 08:00 (GitHub Actions cron runs in UTC)

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - name: Run org-wide scan
        env:
          # The default GITHUB_TOKEN is scoped to this repository only. Cloning the
          # org's other private repos needs a PAT or GitHub App token with read
          # access to them, stored as a separate secret and referenced here instead.
          MONPHARE_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          monphare scan \
            --github my-org \
            --yes \
            --strict \
            --format json \
            --output audit.json

Find what's wrong before production does

Install in 30 seconds. Scan your first repo in 60.