Verdex reads your Terraform plan and judges the exact diff against guardrails written in real, testable policy code — failing the open security group, the untagged spend, and the public bucket as a check on the pull request.
$ verdex check tfplan.json
✓ require-resource-tags 142 passed
✓ encrypt-ebs-at-rest 38 passed
✕ no-public-s3-buckets 1 failed
aws_s3_bucket.exports is world-readable
→ policy: cis-aws/2.1.5 severity: high
→ fix: set acl = "private" (line 64)
blocked: 1 violation · merge gate closed
Gating the pipelines at
Verdex evaluates the plan, not the running cloud. Every check happens before apply — where the fix is a one-line edit in review instead of a 2 a.m. incident bridge.
Verdex parses the Terraform or OpenTofu plan and judges the exact diff — what will change, not what already exists. Violations land as a failed check on the pull request, naming the resource, the rule, and the line to fix.
Write guardrails in a typed language with editor autocomplete and unit tests. Commit them to git, review them in a PR, and roll a fix to every pipeline from one merge.
Verdex re-scans live state on a schedule and flags resources that wandered out of policy after apply — the hand-edited console change, the emergency hotfix nobody reverted.
Stop a $4,000-a-month instance class or an untagged 2 TB volume at plan time — long before it shows up on a bill nobody approved.
One policy engine across AWS, Azure, GCP, and 140+ Terraform providers — Kubernetes manifests and Helm releases included.
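As an added illustration of what "judging the exact diff" means in practice (example code, not Verdex's policy language or any part of the product), the following Python evaluates three rules from the catalog further down against a Terraform plan JSON of the shape produced by `terraform show -json tfplan`. The plan document is constructed inline; the rule names, severities and the set of "billable" resource types are assumptions. It skips `no-op` entries so an already-public bucket that the plan does not touch is not re-reported, and it handles the caveat a plan-time engine has to face: an attribute that is still unknown until apply (listed under `after_unknown`) cannot be judged, so it is surfaced as a warning rather than silently passed.

```python
"""Plan-time policy evaluation over Terraform plan JSON (output of `terraform show -json tfplan`).

Added example, not Verdex code. Rule names, severities and the set of
"billable" resource types are assumptions for illustration.
"""
import json
import sys

REQUIRED_TAGS = {"owner", "environment", "cost-center"}
PUBLIC_ACLS = {"public-read", "public-write", "public-read-write", "authenticated-read"}
BILLABLE_TYPES = {"aws_s3_bucket", "aws_instance", "aws_ebs_volume"}  # assumption
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


def changed_resources(plan):
    """Yield (address, type, after, after_unknown) for resources the plan creates or updates.

    'no-op' and 'delete' entries are skipped: the engine judges the diff, not what
    already exists. A replace shows up as ["delete", "create"] and is included.
    """
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if {"create", "update"} & set(change["actions"]):
            yield rc["address"], rc["type"], change.get("after") or {}, change.get("after_unknown") or {}


def rule_no_public_s3(address, rtype, after, unknown):
    if rtype != "aws_s3_bucket":
        return []
    if unknown.get("acl"):  # computed at apply time; cannot be judged from the plan
        return [(address, "no-public-s3-buckets", "warn", "acl unknown until apply")]
    acl = after.get("acl")
    if acl in PUBLIC_ACLS:
        return [(address, "no-public-s3-buckets", "high", f"acl={acl} is world-readable")]
    return []


def rule_required_tags(address, rtype, after, unknown):
    if rtype not in BILLABLE_TYPES:
        return []
    if unknown.get("tags"):  # whole map (true) or some keys (object) unknown until apply
        return [(address, "require-resource-tags", "warn", "tags unknown until apply")]
    missing = sorted(REQUIRED_TAGS - set(after.get("tags") or {}))
    if missing:
        return [(address, "require-resource-tags", "medium", f"missing tags: {missing}")]
    return []


def rule_no_open_ingress(address, rtype, after, unknown):
    if rtype != "aws_security_group":
        return []
    findings = []
    for rule in after.get("ingress") or []:
        cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
        if ANY_IPV4 in cidrs or ANY_IPV6 in cidrs:
            ports = f"{rule.get('from_port')}-{rule.get('to_port')}"
            findings.append((address, "no-open-ingress", "high", f"ingress {ports} open to the internet"))
    return findings


RULES = (rule_no_public_s3, rule_required_tags, rule_no_open_ingress)


def evaluate(plan):
    """Return (address, rule, severity, message) tuples for every violation in the plan."""
    return [f for res in changed_resources(plan) for rule in RULES for f in rule(*res)]


def gate(findings):
    """'blocked' if any finding is high or medium; warnings never close the merge gate."""
    return "blocked" if any(f[2] in {"high", "medium"} for f in findings) else "open"


# Constructed plan document for illustration (shape follows Terraform's plan JSON).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.exports", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "before": None,
                    "after": {"bucket": "acme-exports", "acl": "public-read",
                              "tags": {"owner": "data", "environment": "prod", "cost-center": "1234"}},
                    "after_unknown": {"id": True, "arn": True}}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",  # unchanged by this plan: ignored
         "change": {"actions": ["no-op"], "before": {"acl": "public-read"},
                    "after": {"acl": "public-read"}, "after_unknown": {}}},
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["update"], "before": {"instance_type": "t3.small"},
                    "after": {"instance_type": "t3.large", "tags": {"owner": "web", "environment": "prod"}},
                    "after_unknown": {}}},
        {"address": "aws_security_group.db", "type": "aws_security_group",
         "change": {"actions": ["create"], "before": None,
                    "after": {"ingress": [{"from_port": 5432, "to_port": 5432, "protocol": "tcp",
                                           "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]},
                    "after_unknown": {"id": True}}},
        {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
         "change": {"actions": ["create"], "before": None,
                    "after": {"size": 2048, "tags": None},
                    "after_unknown": {"id": True, "tags": True}}},  # tags come from a value computed at apply
    ],
}

if __name__ == "__main__":
    # Pass a real plan file (terraform show -json tfplan > tfplan.json) or fall back to the sample.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    findings = evaluate(plan)
    for address, rule, severity, message in findings:
        print(f"{severity:6} {rule:24} {address}: {message}")
    print(gate(findings))
```

Two design points worth carrying into a real policy set: the bucket rule above only inspects the `acl` attribute, whereas the catalog's rule also covers an open bucket policy, which lives in a separate `aws_s3_bucket_policy` resource and has to be correlated by bucket; and the "unknown until apply" branch is deliberately a warning, not a pass, because a silent pass is exactly how a public bucket slips through a plan-only gate.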
What changes the day governance moves into CI
Verdex policies are decoupled from any single repo. Publish a rule in one place and it gates every pipeline, every team, and every cloud account on the next plan.
Start from CIS, SOC 2, HIPAA, and PCI baselines, then fork and tune to your controls. Updates to a pack reach every consumer on their next run — no copy-paste drift.
Grant a scoped, time-boxed waiver right in the PR. It records who approved it and why, then auto-expires — so the backlog never fills with permanent exceptions.
Run any new policy in warn-only mode against real plans, measure the blast radius across every repo, then promote it to blocking once you know what breaks.
Every decision — pass, fail, or waiver — is recorded with the plan, the actor, and the commit. Export the lot straight to your evidence store at audit time.
The catalog is open. Enable a pack in one line, or fork any rule and bend it to your own controls.
Fails any S3 bucket exposed by a public-read or public-write ACL, or an open bucket policy.
Demands owner, environment, and cost-center tags on every billable resource before apply.
Requires KMS or CMEK encryption on volumes, databases, and object storage.
Blocks security groups and firewall rules that open a port to the entire internet.
Allow-lists machine families and sizes so a fat-fingered instance never reaches the budget.
Rejects IAM policies that grant Action: * or Resource: * on sensitive services.
“We retired a 30-item manual infra checklist and wrote it as Verdex policies. Reviews that took two days now pass or fail in CI before anyone's awake.”
“A public-read export bucket was one Friday deploy from leaking. Verdex caught it in the plan and the PR never merged. That single block paid for the year.”
“Our guardrails get code-reviewed like features now, with tests, instead of rotting in a wiki page nobody opens. That's the part I didn't know we needed.”
Every plan includes the full policy library, unlimited cloud accounts, and CI evaluation. No per-resource metering, no surprise overage.
For individuals and open-source infrastructure.
For platform teams enforcing at scale.
For regulated, multi-account estates.
No. The default mode evaluates the Terraform or OpenTofu plan file inside your pipeline, so it never touches your live cloud. Drift detection is opt-in and uses a scoped, read-only role you create and control.
Drop the Verdex step into GitHub Actions, GitLab CI, Atlantis, or any runner. It reads the plan JSON, evaluates every policy, and sets the merge gate — typically in under four seconds.
Yes. Policies are a typed language with editor autocomplete and unit tests. Version them in git and roll an update to every repo from a single merge, just like any other code change.
Request a scoped, time-boxed exemption right in the pull request. It records who approved it and why, then auto-expires — so you never quietly accumulate permanent exceptions.
Prebuilt packs map to CIS Benchmarks, SOC 2, HIPAA, and PCI DSS. Fork any pack to match your internal controls, and export the full audit trail to your evidence store.
Connect a repo and watch Verdex catch its first violation before lunch. No credit card, no agents in your cloud, no sales call to start.