HighPR-scope Plug & play

Require a plan artifact and policy checks in CI

CI must run fmt/validate, produce and upload a plan artifact (e.g., terraform plan -out plan.bin), run policy-as-code (e.g., tfsec/checkov/conftest), and gate apply on manual approval for prod.

Add to Mesrai Open workspace

Why this matters

Automated, reproducible plans and policy checks reduce risk before apply.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

steps:
- run: terraform apply -auto-approve

Prefer

steps:
- run: terraform fmt -check && terraform validate
- run: terraform plan -out plan.bin
- run: tfsec . && checkov -d .
- upload-artifact: plan.bin
- environment: prod
 run: terraform apply plan.bin # requires manual approval

More snippets

Good

terraform plan -out plan.bin
# upload artifact

Bad

terraform apply -auto-approve

Related rules

From the same buckets as this rule.

Critical
Disallow public ingress without explicit allowlist
For Ingress/Service of type LoadBalancer, require host/path allowlist and TLS; forbid 0.0.0.0/0 exposure without WAF or Auth.
infra-as-codesecurity-hardening+1
Critical
Pods must run as non-root with read-only root filesystem
Set securityContext.runAsNonRoot=true, runAsUser!=0, and readOnlyRootFilesystem=true on pods/containers.
infra-as-codesecurity-hardening+1
Critical
Pulumi TS: secrets must use Config.requireSecret
In Pulumi TypeScript programs, load sensitive values with new Config().requireSecret and pass as Secret<T>, never plain strings.
infra-as-codesecrets-credentials+1

Why this matters

Bad vs. good

More snippets

Related rules

Disallow public ingress without explicit allowlist

Pods must run as non-root with read-only root filesystem

Pulumi TS: secrets must use Config.requireSecret

Why this matters

Bad vs. good

More snippets

Related rules

Disallow public ingress without explicit allowlist

Pods must run as non-root with read-only root filesystem

Pulumi TS: secrets must use Config.requireSecret