Local-first Terraform & OpenTofu review

See what your plan does before it runs.

Classifies every change as safe, review, dangerous, or irreversible. Produces compliance evidence for SOC 2, ISO 27001, and HIPAA. Runs locally with no accounts, no backend, and no plan upload.

pip install readtheplan && readtheplan analyze plan.json
CLI + GitHub Action · Terraform + OpenTofu · No plan upload · MIT licensed
$ readtheplan analyze --framework soc2 plan.json
safe          aws_s3_bucket.logs        tag update               · CC6.1
review        aws_security_group.web    ingress rule change      · CC6.6
dangerous     aws_iam_role_policy.app   policy replaced          · CC6.3
irreversible  aws_kms_key.primary       key deletion scheduled   · CC6.7
4 changes · add --evidence to emit rtp-evidence-soc2.json
Pipeline contract

Deterministic proceed / warn / block output for humans, CI, and coding agents.

Why it matters

Terraform's plan/apply split only works if the risky changes are easy to see before approval.

Four tiers. Zero noise.

readtheplan classifies the blast radius of every Terraform and OpenTofu change so reviewers can focus on what can actually break production.

Safe: no-op, tag update, read-only change
Review: security group rule, minor config drift
Dangerous: instance replacement, IAM policy change, DB modification
Irreversible: data deletion, KMS key destruction, RDS termination

Generate the exact review gate you need.

Pick your CI system, framework, threshold, and evidence format. The generated workflow stays local-first and is ready to copy into your repo.

Local-first promise: no uploads; runs entirely in your CI.
Artifact names: plan.json, readtheplan-evidence.json, and the optional readtheplan[sign] install.
readtheplan analyze --framework soc2 --format json --evidence readtheplan-evidence.json plan.json
Generated GitHub Actions workflow
Use the same decision contract in CI, agents, and editors.

Every integration returns stable risk output that can block unsafe applies, produce audit evidence, or guide an MCP-compatible coding agent.

Block unsafe AI auto-approvals

Coding agents and agentic CI pipelines do not weigh a plan's nuance. The agent-gate subcommand returns a stable proceed / warn / block result your pipeline can act on without interpretation.

$ readtheplan agent-gate plan.json
{
  "decision": "block",
  "risk": "irreversible",
  "reason": "KMS key deletion scheduled"
}
Generate a CI gate →
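To make the four tiers and the gate concrete, here is an added example (mine, not readtheplan's code) that walks a Terraform/OpenTofu plan JSON as produced by `terraform show -json plan.out`, grades each `resource_changes[]` entry by its `actions` list and the attributes that moved, and collapses the findings into one proceed / warn / block decision with a configurable threshold. The plan embedded below is constructed, the rule tables (which types are irreversible on delete, which are access or network boundaries) are my assumptions standing in for the project's larger rule set, and the exit code at the end is how a CI step would turn the decision into a hard stop.

```python
import json
import sys

# Constructed sample in the shape `terraform show -json plan.out` produces,
# trimmed to the fields the classifier reads.  Not a real plan.
PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["update"],
                    "before": {"bucket": "logs", "tags": {"env": "prod"}},
                    "after": {"bucket": "logs", "tags": {"env": "prod", "owner": "sec"}}}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"],
                    "before": {"ingress": [{"from_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]},
                    "after": {"ingress": [{"from_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
                                          {"from_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_iam_role_policy.app", "type": "aws_iam_role_policy",
         "change": {"actions": ["delete", "create"],   # Terraform encodes replace this way
                    "before": {"policy": '{"Action":"s3:GetObject"}'},
                    "after": {"policy": '{"Action":"s3:*"}'}}},
        {"address": "aws_kms_key.primary", "type": "aws_kms_key",
         "change": {"actions": ["delete"],
                    "before": {"deletion_window_in_days": 7}, "after": None}},
        {"address": "aws_instance.api", "type": "aws_instance",
         "change": {"actions": ["no-op"], "before": {"ami": "ami-0"}, "after": {"ami": "ami-0"}}},
    ],
}

TIERS = ["safe", "review", "dangerous", "irreversible"]   # ascending severity

# Assumed rule tables for the example; the project's own rule set is larger.
IRREVERSIBLE_ON_DELETE = {          # destroying these loses data or key material
    "aws_kms_key": "key deletion scheduled",
    "aws_db_instance": "database instance terminated",
    "aws_rds_cluster": "database cluster terminated",
    "aws_s3_bucket": "bucket contents deleted",
    "aws_dynamodb_table": "table data deleted",
}
ACCESS_TYPES = {"aws_iam_role_policy", "aws_iam_policy", "aws_iam_role",
                "aws_iam_user_policy", "aws_s3_bucket_policy"}
NETWORK_TYPES = {"aws_security_group", "aws_security_group_rule", "aws_network_acl"}
STATEFUL_TYPES = {"aws_db_instance", "aws_rds_cluster", "aws_dynamodb_table"}


def changed_keys(before, after):
    """Top-level attributes whose value differs between before and after."""
    before, after = before or {}, after or {}
    return {k for k in set(before) | set(after) if before.get(k) != after.get(k)}


def classify(rc):
    """Map one resource_changes[] entry to (tier, reason)."""
    actions, rtype = rc["change"]["actions"], rc["type"]
    if actions in (["no-op"], ["read"]):
        return "safe", "no change"
    if "delete" in actions and rtype in IRREVERSIBLE_ON_DELETE:
        return "irreversible", IRREVERSIBLE_ON_DELETE[rtype]
    if sorted(actions) == ["create", "delete"]:          # replacement
        return "dangerous", ("access policy" if rtype in ACCESS_TYPES else "resource") + " replaced"
    if actions == ["delete"]:
        return "dangerous", "resource destroyed"
    if actions == ["create"]:
        return ("review" if rtype in ACCESS_TYPES | NETWORK_TYPES else "safe"), "new resource"
    # ["update"]: in-place change, graded by type and by which attributes moved
    keys = changed_keys(rc["change"].get("before"), rc["change"].get("after"))
    if not keys:
        return "safe", "no attribute change"
    if keys <= {"tags", "tags_all"}:
        return "safe", "tag update"
    if rtype in ACCESS_TYPES:
        return "dangerous", "access policy changed"
    if rtype in STATEFUL_TYPES:
        return "dangerous", "database modified: " + ", ".join(sorted(keys))
    if rtype in NETWORK_TYPES:
        return "review", "ingress/egress rule change"
    return "review", "in-place update: " + ", ".join(sorted(keys))


def analyze(plan):
    """One finding per change, in plan order, so the same plan.json always yields the same output."""
    return [dict(address=rc["address"], risk=t, reason=r)
            for rc in plan["resource_changes"] for t, r in [classify(rc)]]


def agent_gate(plan, block_at="dangerous"):
    """Collapse findings to one decision: tiers at or above `block_at` block,
    anything else that is not safe warns, and the first worst finding is the reason."""
    findings = analyze(plan)
    worst = max(findings, key=lambda f: TIERS.index(f["risk"]),
                default={"address": "-", "risk": "safe", "reason": "empty plan"})
    if TIERS.index(worst["risk"]) >= TIERS.index(block_at):
        decision = "block"
    elif worst["risk"] == "safe":
        decision = "proceed"
    else:
        decision = "warn"
    return {"decision": decision, "risk": worst["risk"],
            "reason": f'{worst["address"]}: {worst["reason"]}'}


if __name__ == "__main__":
    # Usage: python gate.py plan.json   (falls back to the constructed PLAN above)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else PLAN
    for f in analyze(plan):
        print(f'{f["risk"]:<13}{f["address"]:<28}{f["reason"]}')
    result = agent_gate(plan)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["decision"] == "block" else 0)   # non-zero fails the CI step
```

Two details matter for a gate that agents and CI consume: the tier order is a fixed list, so "worse than" is a plain index comparison and the threshold is one parameter rather than a cascade of ifs, and the reason names the first worst resource, so a reviewer can jump straight to the address the plan transcript shows.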

MCP integration

Run readtheplan as a local MCP server and review plans inline from Claude, Cursor, or another MCP-compatible editor without leaving the repo.

$ readtheplan mcp
Listening on stdio
Tools: analyze_plan, agent_gate, agent_gate_cloudformation
Open MCP docs →

Compliance evidence

Emit control-mapped evidence envelopes without building a backend: signed, and ready to attach to an audit.

// rtp-evidence-soc2.json (excerpt)
{
  "resource": "aws_iam_role_policy.app",
  "risk": "dangerous",
  "controls": ["CC6.3", "CC6.1"],
  "signed": true
}
Configure evidence →
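What "signed evidence envelope" buys you is that an auditor (or a later pipeline stage) can detect a findings file that was edited after the gate ran. The page does not describe readtheplan's envelope layout or its signing scheme, so the following is an added example of my own, not the project's format: it maps each finding to the SOC 2 controls shown in the transcript above, binds the envelope to the SHA-256 of the plan it describes, and seals the canonical JSON with HMAC-SHA256. HMAC is used only so the example runs on the standard library; for evidence handed to a third party an asymmetric signature is the better fit, since verification then needs no shared secret. The findings and plan bytes are constructed inputs.

```python
import hashlib
import hmac
import json

# Control mapping taken from this page's SOC 2 transcript; a real mapping
# covers many more resource types and frameworks.
SOC2_CONTROLS = {
    "aws_s3_bucket": ["CC6.1"],
    "aws_security_group": ["CC6.6"],
    "aws_iam_role_policy": ["CC6.3", "CC6.1"],
    "aws_kms_key": ["CC6.7"],
}

# Constructed findings in the shape a tier classifier emits.
FINDINGS = [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "risk": "safe", "reason": "tag update"},
    {"address": "aws_security_group.web", "type": "aws_security_group", "risk": "review", "reason": "ingress rule change"},
    {"address": "aws_iam_role_policy.app", "type": "aws_iam_role_policy", "risk": "dangerous", "reason": "policy replaced"},
    {"address": "aws_kms_key.primary", "type": "aws_kms_key", "risk": "irreversible", "reason": "key deletion scheduled"},
]
PLAN_BYTES = b'{"format_version":"1.2","resource_changes":[]}'   # stands in for plan.json


def canonical(obj):
    """Deterministic bytes to sign: sorted keys, no whitespace, UTF-8."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_evidence(findings, framework, controls_map, plan_bytes, key, generated_at):
    """Envelope = control-mapped items plus a digest of the plan they describe,
    sealed with HMAC-SHA256 over the canonical payload."""
    items = [{"resource": f["address"], "risk": f["risk"], "reason": f["reason"],
              "controls": controls_map.get(f["type"], [])} for f in findings]
    payload = {
        "framework": framework,
        "generated_at": generated_at,
        "plan_sha256": hashlib.sha256(plan_bytes).hexdigest(),   # ties evidence to one plan
        "items": items,
    }
    sig = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": {"alg": "HMAC-SHA256", "value": sig}, "signed": True}


def verify_evidence(envelope, key, plan_bytes=None):
    """True only if the signature matches the canonical payload and, when the
    plan is supplied, the payload's plan digest matches that plan too."""
    expected = hmac.new(key, canonical(envelope["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["signature"]["value"]):
        return False
    if plan_bytes is not None:
        return envelope["payload"]["plan_sha256"] == hashlib.sha256(plan_bytes).hexdigest()
    return True


def unmapped(envelope):
    """Resources with no control mapping; an auditor cannot tie these to a
    control, so they need a rule before the evidence is worth attaching."""
    return [i["resource"] for i in envelope["payload"]["items"] if not i["controls"]]


if __name__ == "__main__":
    key = b"ci-secret-placeholder"          # in CI, load this from the secret store
    env = build_evidence(FINDINGS, "soc2", SOC2_CONTROLS, PLAN_BYTES, key, "2024-01-01T00:00:00Z")
    print(json.dumps(env, indent=2))        # what you would write to rtp-evidence-soc2.json
    print("verified:", verify_evidence(env, key, PLAN_BYTES), "unmapped:", unmapped(env))
```

The canonical-JSON step is the part people skip and then regret: if the bytes that were signed depend on key order or indentation, the same envelope re-serialised by another tool fails verification for no security reason. Checking the plan digest at verification time is equally cheap and catches the case where evidence from one plan is attached to the apply of another.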

Different from linters, policy engines, and SaaS runners.

readtheplan reviews the plan diff itself, maps changes to risk tiers, and keeps raw Terraform JSON inside your local workflow.

Tool                Analyzes        Risk tiers     Compliance        Agent gate           Local-only
readtheplan         Plan diff       4 tiers        SOC2/ISO/HIPAA    proceed/warn/block   yes
tflint / tfsec      HCL code        lint only      -                 -                    yes
checkov             Code + plan     pass/fail      policy checks     -                    yes
Spacelift / env0    Plan + state    visual only    -                 policy gates         SaaS
OPA / Sentinel      Policy engine   rule-based     partial           policy gates         yes

Open source, MIT licensed, built in public.

readtheplan is free forever. Contributions, questions, and ideas are welcome — no enterprise sales funnel, no pilot form, no vendor lock-in.

Contribute

Good first issues tagged and ready. Add a resource rule, improve compliance mappings, or fix a classifier bug in ~30 lines of Python.

Browse good first issues →

Discuss

Ask questions, share how you're using readtheplan, or propose features. GitHub Discussions is open and active.

Join the discussion →

Report security issues

Found a vulnerability? Report it privately to the maintainer. 90-day disclosure timeline, credited in the advisory.

Security policy →

Explore calculators, docs, demos, and the in-browser playground.

Drop it into CI in under a minute.

No hosted analyzer, no plan upload, no new approval queue. Just a deterministic gate where Terraform already runs.

Generate your setup