SUPPLY-CHAIN REPORT

hashicorp/terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.

VERDICTCLEAN·93/100

View on GitHub →

STARS

48,152

FORKS

10,287

OPEN ISSUES

1,890

LANGUAGE

LICENSE

NOASSERTION

LAST PUSH

2026-04-17

SIGNALS

Historical supply-chain incidents

No known compromise, backdoor, or wallet-drainer incident in our curated DB.

INFO

Historical security advisories

1 disclosed advisory (0 critical, 1 high) — typically patched in newer releases. Pin to the latest version.

Maintenance activity

Actively maintained. Last push 0 days ago.

Ecosystem trust

48,152 stars. Widely used — supply-chain attacks on popular repos are high-impact but also more likely to be caught fast.

WARN

License

No clear license. Using an unlicensed repo in production carries legal risk.

METHODOLOGY

This report is generated on demand by querying the GitHub API for repository metadata and published security advisories, then cross-referencing our curated database of known supply-chain incidents (xz-utils, event-stream, ua-parser-js, colors.js, tj-actions, Codecov, and more). Results are cached for 24 hours. We do not scan repository code or dependencies — for that, see Snyk or Socket. Verdict: CLEAN ≥80, CAUTION 50–79, COMPROMISED<50.

SCAN A DEPLOYED SITE

Repo looks clean but the live deployment might still be exposing headers, CORS, or SSL misconfigurations.

SCAN A URL →

SCANNING hashicorp/terraform...