AI-narrated plan summaries with risk scoring — posted directly to your PR. Know what's changing. Know what it means. Apply with confidence.
Terraform will perform the following actions: # aws_security_group.api will be updated in-place ~ resource "aws_security_group" "api" { id = "sg-0a1b2c3d4e5f" name = "api-sg" ~ ingress { ~ cidr_blocks = [ - "10.0.0.0/8", + "0.0.0.0/0", ] from_port = 5432 protocol = "tcp" to_port = 5432 } } # aws_db_instance.primary must be replaced -/+ resource "aws_db_instance" "primary" { ~ engine_version = "14.6" -> "15.4" ~ identifier = "prod-db" -> "prod-db-v2" + deletion_protection = true ... allocated_storage = 100 instance_class = "db.t3.large" } # aws_ecs_service.api will be updated in-place ~ resource "aws_ecs_service" "api" { ~ desired_count = 2 -> 4 id = "arn:aws:ecs:..." } Plan: 1 to add, 2 to change, 0 to destroy.
curl (or Python/Node) step into your existing workflow — Atlantis, GitHub Actions, GitLab CI, Jenkins, CircleCI, anywhere. No new tools, no new UI, no migration.DriftWise continuously scans your live cloud infrastructure, compares it to your Terraform state, and turns findings into actionable IaC — not just narratives.
One scan enumerates every resource across AWS, GCP, and Azure using each provider's native inventory API. No per-type allowlist, no missed regions.
Drift doesn't just get described — DriftWise generates the HCL patch to bring state and reality back in sync. Every suggestion is validated against Terraform's parser before it's offered, and never auto-applied.
Default classifiers catch the obvious problems. When your org knows better, custom policy rules pattern-match on attributes and rewrite the risk score — no fork, no pull request to us.
Known-benign Terraform plan churn — tags-only edits, default ordering swaps, provider version bumps — is structurally filtered before it ever reaches your PR review queue.
Run drift checks on a cron and post results straight to Slack. Catch manual console changes the morning after they happen — not in next quarter's audit.
An optional in-cluster agent reports live Kubernetes resources to DriftWise, closing the loop between your Helm charts, your Terraform, and what's actually running.
One HTTPS endpoint, one API key — works from Atlantis, GitHub Actions, GitLab CI, Jenkins, CircleCI, Buildkite, Azure Pipelines, or a shell script on a laptop. The GitHub App posts narratives back to the PR where reviewers already live; everywhere else, the response is yours to print, comment, or gate on.
Security-relevant mutations — API key creation and revocation, membership changes, billing events, SSO configuration — are written to an append-only audit log, scoped by org with RLS.
Authenticate via any OIDC provider. SAML 2.0 and SCIM user provisioning are available on Team and Enterprise through our Casdoor-backed identity layer. Email-domain allowlists fail closed — if the list is empty in production, the server refuses to boot.
Your API key is stored per-organization, encrypted with AES-256-GCM before it ever hits the database. The master key lives in a KMS-protected Kubernetes secret, never in the repo. Keys are never logged, redacted from telemetry, and hard-deleted on removal.
Route LLM calls through your own cloud accounts. Plan data goes directly from DriftWise to your provider — no third-party relay.
Use your existing API credits and volume pricing. No markup on LLM usage — you pay your provider directly.
Set your provider and key via PUT /api/v2/orgs/:id/llm-config. DriftWise handles prompt construction and response parsing. Provider errors surface directly — we never silently retry against our own account.
Plan data only. Sensitive values are redacted at the parser, before anything reaches the LLM. Your state files never leave your CI runner.
aws_security_group.web)(sensitive) before the prompt is built*.tfstate)sensitive = true markers nativelyFree: 24 hours · Team: 30 days · Enterprise: unlimited or custom.
Debug records of the exact bytes sent to the model. Auto-deleted after 30 days for every plan.
If you bring your own key, prompts go straight from DriftWise to your provider — never relayed through a third-party model.
Every sensitive path assumes hostile input, fails closed on unexpected state, and is pinned by a regression test. These are in production today — not a roadmap item.
Every tenant query runs inside a Postgres transaction with a scoped session variable. Row-level security rejects cross-org reads at the database, not the application — even if the app layer forgets a WHERE org_id.
User-supplied URLs are validated against a strict HTTPS + public-IP allowlist before any outbound request. Untrusted content sent to LLMs is wrapped in a typed envelope with fenced delimiters, and every call site has a regression test that plants injection sentinels. LLM output is never auto-applied to any system.
Cloud credentials and BYOK keys are AES-256-GCM encrypted at rest; the master key lives in a KMS-protected Kubernetes secret. Emails, UUIDs, JWTs, API keys, and AWS key IDs are stripped from every telemetry event before it leaves the browser.
Annual pricing: Team $1,490/yr (save 17%), +$120/yr per extra seat.
Add DriftWise to any CI pipeline in 5 minutes. Free forever, no card required.