Home / hashicorp / terraform
Repository Analysis

hashicorp/terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.

2.4 Likely human-written View on GitHub
2.4
Adjusted Score
2.4
Raw Score
100%
Time Factor
2026-05-29
Last Push
48,475
Stars
Go
Language
723,795
Lines of Code
4690
Files
1392
Pattern Hits
2026-05-31
Scan Date

Score History

Severity Breakdown

CRITICAL 11HIGH 5MEDIUM 99LOW 1277

Pattern Findings

1392 matches across 11 categories. Click a row to expand file-level details.

Over-Commented Block1249 hits · 1249 pts
SeverityFileLineSnippet
LOWtelemetry.go21// then we'll enable an experimental OTLP trace exporter.
LOWtelemetry.go41// a CLI tool and so we don't assume we're running in an environment with
LOWprovider_source.go81 return getproviders.MultiSource(searchRules), diags
LOWprovider_source.go101 // following e.g. the XDG base directory specification on Unix systems,
LOWexperiments.go1// Copyright IBM Corp. 2014, 2026
LOWmain.go161 }
LOWmain.go301 Autocomplete: true,
LOWtools/loggraphdiff/loggraphdiff.go1// Copyright IBM Corp. 2014, 2026
LOWtools/protobuf-compile/protobuf-compile.go1// Copyright IBM Corp. 2014, 2026
LOWinternal/terraform/context_apply_test.go2281 if actual != expected {
LOWinternal/terraform/context_apply_test.go5641 // Attributes: map[string]*ResourceAttrDiff{},
LOWinternal/terraform/context_apply_test.go7261 //
LOWinternal/terraform/context_apply_test.go12901////////////////////////////////////////////////////////////////////////////////
LOWinternal/terraform/node_resource_apply_instance.go421// maybeTainted takes the resource addr, new value, planned change, and possible
LOWinternal/terraform/context_import.go41 // LegacyID stores the ID from the command line arguments when using the
LOWinternal/terraform/transform_reference.go21//
LOWinternal/terraform/transform_reference.go61 GraphNodeReferencer
LOWinternal/terraform/transform_reference.go81 AttachDataResourceDependsOn(deps []addrs.ConfigResource)
LOWinternal/terraform/transform_reference.go361 // the ReferenceMap generates all possible keys, so any warning
LOWinternal/terraform/transform_reference.go521
LOWinternal/terraform/config_graph_build_test.go261func TestBuildConfigWithGraph_childProviderGrandchildCount(t *testing.T) {
LOWinternal/terraform/context_apply.go21
LOWinternal/terraform/context_apply.go41 SetVariables InputValues
LOWinternal/terraform/context_apply.go61 return &ApplyOpts{
LOWinternal/terraform/context_apply.go241 // also depends on some cleanup which happens during the apply walk. It
LOWinternal/terraform/node_resource_plan_instance.go221 // Otherwise, just mark the resource as deferred without trying to
LOWinternal/terraform/node_resource_plan_instance.go441 } else if !deferrals.ShouldDeferResourceInstanceChanges(n.Addr, n.Dependencies) {
LOWinternal/terraform/node_resource_plan_instance.go501 )
LOWinternal/terraform/evaluate_placeholder.go21// only what we know to be true for all possible final module instances
LOWinternal/terraform/evaluate_placeholder.go41 Operation walkOperation
LOWinternal/terraform/evaluate_placeholder.go181
LOWinternal/terraform/node_module_variable.go121
LOWinternal/terraform/node_module_variable.go381 // absolutely nothing in common cty.DynamicVal is the ultimate fallback,
LOWinternal/terraform/context_plan2_test.go861`})
LOWinternal/terraform/transform_variable_validation.go21 // variableValidationRules returns the information required to validate
LOWinternal/terraform/transform_variable_validation.go41// Correct behavior requires both of the input variable node types to
LOWinternal/terraform/context_eval.go21 // the same purpose as [PlanOpts.ExternalProviders].
LOWinternal/terraform/context_eval.go101 // use a placeholder graph walker here, which'll refer to the
LOWinternal/terraform/node_resource_abstract_instance.go881 // If the prior state is tainted then we'll proceed below like
LOWinternal/terraform/node_resource_abstract_instance.go1081 }
LOWinternal/terraform/node_resource_abstract_instance.go1141 }
LOWinternal/terraform/node_resource_abstract_instance.go1281
LOWinternal/terraform/node_resource_abstract_instance.go1801// change. If the states don't match then we record a Read change so that the
LOWinternal/terraform/node_resource_abstract_instance.go1881 // But, if we are in a check block then we don't want this data block to
LOWinternal/terraform/node_resource_abstract_instance.go1981 // proposedNewState.
LOWinternal/terraform/node_resource_abstract_instance.go2761 schema.Body,
LOWinternal/terraform/node_resource_abstract_instance.go2801 // elements in a set that differ only by unknown values: after
LOWinternal/terraform/node_resource_abstract_instance.go2821 // check above so that we also catch anything that became unknown after
LOWinternal/terraform/node_resource_abstract_instance.go3041// that we must replace rather than update an existing remote object.
LOWinternal/terraform/eval_variable.go141 Summary: "Invalid value for input variable",
LOWinternal/terraform/eval_variable.go281 //
LOWinternal/terraform/eval_variable.go341 // Terraform would treat error messages specified using JSON
LOWinternal/terraform/node_variable_validation.go21// A node of this type should always depend on another node that's responsible
LOWinternal/terraform/node_variable_validation.go61// this node contributes to the value for the input variable that it's
LOWinternal/terraform/context_input.go21// configurations.
LOWinternal/terraform/transform_destroy_edge_test.go221 }
LOWinternal/terraform/transform_destroy_edge_test.go301}
LOWinternal/terraform/transform_config.go21
LOWinternal/terraform/context_apply_deferred_test.go141 wantActions: map[string]plans.Action{},
LOWinternal/terraform/node_resource_plan_orphan.go221 // If this is a resource instance inside a module instance that's no
1189 more matches not shown…
Self-Referential Comments57 hits · 157 pts
SeverityFileLineSnippet
MEDIUM…urcebundle/foo/non-empty-stack/empty-module/nothing.tf1# This module is intentionally empty, since it's called from stack
MEDIUMinternal/depsfile/locks_file.go135 Bytes: []byte("# This file is maintained automatically by \"terraform init\".\n"),
MEDIUMinternal/depsfile/locks_file_test.go248 wantContent := `# This file is maintained automatically by "terraform init".
MEDIUMinternal/command/providers_lock_test.go47 expected := `# This file is maintained automatically by "terraform init".
MEDIUMinternal/command/providers_lock_test.go63 expected := `# This file is maintained automatically by "terraform init".
MEDIUMinternal/command/providers_lock_test.go80 expected := `# This file is maintained automatically by "terraform init".
MEDIUMinternal/command/init_test.go3189# This file is maintained automatically by "terraform init".
MEDIUMinternal/command/init_test.go3216# This file is maintained automatically by "terraform init".
MEDIUMinternal/command/init_test.go3229# This file is maintained automatically by "terraform init".
MEDIUMinternal/command/init_test.go3242# This file is maintained automatically by "terraform init".
MEDIUMinternal/command/init_test.go3256# This file is maintained automatically by "terraform init".
MEDIUM…and/testdata/state-store-unchanged/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…nd/testdata/state-store-to-backend/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…mand/testdata/plan-out-state-store/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…tdata/provider-schemas-state-store/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…ase/config-state-file-and-lockfile/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…oad-prerelease/state-and-lock-file/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…oad/config-state-file-and-lockfile/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…te-store-changed/provider-upgraded/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…/state-store-changed/provider-used/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…tate-store-changed/provider-config/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…stdata/state-push-state-store-good/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…and/testdata/providers-lock/append/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUMinternal/command/e2etest/init_test.go487 expectedLockFileContent := fmt.Sprintf(`# This file is maintained automatically by "terraform init".
MEDIUMinternal/command/e2etest/provider_plugin_test.go242 expectedLockFileContent := fmt.Sprintf(`# This file is maintained automatically by "terraform init".
MEDIUMinternal/command/e2etest/provider_plugin_test.go263 priorLockFile := fmt.Sprintf(`# This file is maintained automatically by "terraform init".
MEDIUMinternal/command/e2etest/provider_plugin_test.go319 priorLockFile := fmt.Sprintf(`# This file is maintained automatically by "terraform init".
MEDIUMinternal/command/e2etest/provider_plugin_test.go369 expectedLockFileContent := fmt.Sprintf(`# This file is maintained automatically by "terraform init".
MEDIUMinternal/command/e2etest/provider_plugin_test.go513 expectedLockFileContent := fmt.Sprintf(`# This file is maintained automatically by "terraform init".
MEDIUMinternal/command/e2etest/provider_plugin_test.go533 priorLockFile := fmt.Sprintf(`# This file is maintained automatically by "terraform init".
MEDIUMinternal/command/e2etest/provider_plugin_test.go588 priorLockFile := fmt.Sprintf(`# This file is maintained automatically by "terraform init".
MEDIUMinternal/command/e2etest/provider_plugin_test.go637 expectedLockFileContent := fmt.Sprintf(`# This file is maintained automatically by "terraform init".
MEDIUM…rectory-with-state-store-unmanaged/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…iders-mirror-with-broken-lock-file/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…rm-providers-mirror-with-lock-file/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…ized-directory-with-state-store-fs/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…ests/tests/moved_with_refresh_only/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…sts/tests/basic_json_string_update/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…ence-tests/tests/moved_with_update/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…nce-tests/tests/replace_within_set/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…uivalence-tests/tests/drift_simple/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…ts/tests/drift_relevant_attributes/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…uivalence-tests/tests/moved_simple/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…ests/basic_multiline_string_update/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…nce-tests/tests/replace_within_map/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…-tests/tests/replace_within_object/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…lence-tests/tests/moved_with_drift/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…ts/fully_populated_complex_destroy/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…ce-tests/tests/replace_within_list/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…e-tests/tests/null_provider_delete/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…e-tests/tests/null_provider_update/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…-tests/tests/local_provider_update/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…-tests/tests/local_provider_delete/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…nce-tests/tests/drift_refresh_only/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUM…sts/fully_populated_complex_update/.terraform.lock.hcl1# This file is maintained automatically by "terraform init".
MEDIUMscripts/changelog.sh166 # Create a new empty version file for the next minor version
MEDIUMscripts/changelog.sh172 # Create a new changes directory for the next minor version
AI Slop Vocabulary39 hits · 114 pts
SeverityFileLineSnippet
MEDIUMinternal/terraform/node_resource_partial_plan.go26// Once deferred actions are more stable and robust in the stacks runtime, it
MEDIUMinternal/terraform/eval_variable.go38 // but we'll check it here too to be robust.
MEDIUMinternal/terraform/eval_variable_test.go104 // metadata is stripped from empty default collections. Essentially, you
MEDIUMinternal/terraform/context.go466 return // should not happen, but we'll be robust
MEDIUMinternal/terraform/context.go470 continue // should not happen, but we'll be robust
MEDIUMinternal/terraform/context_apply_checks_test.go752 // Essentially we make a check block in a child module that depends on a
MEDIUMinternal/terraform/evaluate.go664 // TODO: When deferred actions are more stable and robust in stacks, it
MEDIUMinternal/stacks/stackconfig/parser/walker.go52 // we'll be robust about it nonetheless.
MEDIUM…acks/stackruntime/internal/stackeval/terraform_hook.go132 // Weird, but we'll just tolerate it to be robust.
MEDIUM…s/stackruntime/internal/stackeval/removed_component.go78// Essentially, a removed block can target components across multiple stack
MEDIUM…l/stacks/stackruntime/internal/stackeval/main_apply.go47 // it anyway just to be robust in case there's a bug further up
MEDIUMinternal/repl/session.go176 // but we'll be robust here and just pass through the GoString
MEDIUMinternal/lang/functions.go339 // robust.
MEDIUMinternal/lang/blocktoattr/fixup.go34 // in the presence of poorly-configured test mocks, so we'll be robust
MEDIUMinternal/lang/globalref/analyzer_meta_references.go364 // for all of the relative traversal types, but we'll be robust in
MEDIUMinternal/lang/funcs/datetime.go193 // be robust here.
MEDIUMinternal/configs/experiments.go167 // to return any other error type, but we'll handle it to be robust.
MEDIUMinternal/configs/configschema/validate_traversal.go69 // but we'll handle this with a generic error anyway to be robust.
MEDIUMinternal/configs/configschema/empty_value.go59 // but we'll be robust and return a result nonetheless.
MEDIUMinternal/configs/configload/loader_snapshot.go234 // This function doesn't try to be incredibly robust in supporting
MEDIUMinternal/states/state_test.go357 // happen" case but we'll test to make sure we're robust to
MEDIUMinternal/states/statemgr/filesystem.go127 // TODO: this should use a more robust method of writing state, by first
MEDIUMinternal/states/statemgr/persistent.go83// Some implementations may optionally utilize config schema to persist
MEDIUMinternal/command/meta_providers.go162 // unit tests might not always populate Meta fully and so we'll be robust
MEDIUMinternal/command/cliconfig/cliconfig.go383 // improve on this later using the more-robust merging behavior
MEDIUMinternal/command/views/hook_ui.go115 // bug in the caller but we'll ignore it in order to be robust.
MEDIUMinternal/command/views/hook_ui.go443 // bug in the caller but we'll ignore it in order to be robust.
MEDIUMinternal/command/clistate/local_state.go64// TODO: this should use a more robust method of writing state, by first
MEDIUM…tdata/move-statement-implied/move-statement-implied.tf1# This fixture is useful only in conjunction with a previous run state that
MEDIUM…move-statement-implied/child/move-statement-implied.tf1# This fixture is useful only in conjunction with a previous run state that
MEDIUMinternal/moduletest/status.go33// Essentially, if a test suite has a bunch of failures and passes the overall
MEDIUMinternal/moduletest/mocking/fill.go75// directly to it or to any nested objects. Essentially, this is a "safe"
MEDIUMinternal/moduletest/mocking/values.go88 // the validation, but we want this function to be robust and not panic
MEDIUMinternal/moduletest/mocking/values.go113 // This transform should be robust (in that it should never fail), the
MEDIUMinternal/moduletest/mocking/values.go114 // inner call to generateValue should be robust as well so it should always
MEDIUMinternal/moduletest/mocking/values.go139 // gave us. getMockedDataForPath is robust, so even in an error it
MEDIUMinternal/moduletest/mocking/values.go142 // Now get the replacement value. This function should be robust in
LOWscripts/changelog-links.sh10# released items are presented as clickable links, but we can just use the
MEDIUM.github/workflows/build.yml208 # environment variables defined above. The e2e test harness
Hallucination Indicators11 hits · 110 pts
SeverityFileLineSnippet
CRITICAL…time/internal/stackeval/removed_stack_call_instance.go69 validateStackCallInstanceInputsFn(r.Stack(ctx, phase), r.call.config.config.Inputs, r.call.config.config.DeclRange.ToH
CRITICAL…/stackruntime/internal/stackeval/component_instance.go711 return c.call.config.config.DeclRange.ToHCL().Ptr()
CRITICAL…ternal/stacks/stackruntime/internal/stackeval/stack.go643 Detail: fmt.Sprintf("The `from` attribute resolved to component instance %s, which is already claimed by another
CRITICAL…ternal/stacks/stackruntime/internal/stackeval/stack.go644 Subject: inst.call.config.config.DeclRange.ToHCL().Ptr(),
CRITICAL…ternal/stacks/stackruntime/internal/stackeval/stack.go666 Detail: fmt.Sprintf("The `from` attribute resolved to stack instance %s, which is already claimed by another rem
CRITICAL…ternal/stacks/stackruntime/internal/stackeval/stack.go667 Subject: inst.call.config.config.DeclRange.ToHCL().Ptr(),
CRITICAL…ntime/internal/stackeval/removed_component_instance.go330 return r.call.config.config.DeclRange.ToHCL().Ptr()
CRITICAL…stackruntime/internal/stackeval/stack_call_instance.go117 validateStackCallInstanceInputsFn(c.Stack(ctx, phase), c.call.config.config.Inputs, c.call.config.config.DeclRange.ToH
CRITICAL…/stackruntime/internal/stackeval/removed_stack_call.go141 Subject: rsc.call.config.config.DeclRange.ToHCL().Ptr(),
CRITICALinternal/command/jsonplan/values.go193 r.Addr.Resource.Resource.Mode.String(),
CRITICALinternal/moduletest/graph/node_test_run_cleanup.go88 Subject: n.run.Config.Backend.DeclRange.Ptr(),
Synthetic Comment Markers5 hits · 30 pts
SeverityFileLineSnippet
HIGHinternal/resources/ephemeral/ephemeral_resource_test.go88 // and at least one additional time as requested by the instance.
HIGHinternal/configs/parser.go91// have been loaded through this parser, with source filenames (as requested
HIGHinternal/command/jsonformat/plan.go556 buf.WriteString(fmt.Sprintf("[bold] # %s[reset] will be [bold][red]replaced[reset], as requested", dispAddr))
HIGHinternal/command/jsonformat/plan_test.go6757 ExpectedOutput: ` # test_instance.example will be replaced, as requested
HIGHinternal/command/jsonformat/plan_test.go6768 ExpectedOutput: ` # test_instance.example will be replaced, as requested
Slop Phrases6 hits · 15 pts
SeverityFileLineSnippet
MEDIUMinternal/terraform/context_plugins_test.go24// so the caller can feel free to modify the returned value to further
MEDIUMinternal/terraform/context_plugins_test.go60// callers can feel free to modify it once returned.
MEDIUMinternal/command/testdata/fmt/general_out.tf3# here, but you can also add other _in.tf/_out.tf pairs in the
MEDIUMinternal/command/testdata/fmt/general_in.tf3# here, but you can also add other _in.tf/_out.tf pairs in the
LOW.github/workflows/enforce-changelog.yml1# This workflow makes sure contributors don't forget to add a changelog entry or explicitly opt-out of it.
LOW.github/workflows/enforce-changelog.yml1# This workflow makes sure contributors don't forget to add a changelog entry or explicitly opt-out of it.
Verbosity Indicators8 hits · 12 pts
SeverityFileLineSnippet
LOWinternal/terraform/context_apply_test.go2757 // Step 1: create the resources and instances
LOWinternal/terraform/context_apply_test.go2792 // Step 2: update with an empty config, to destroy everything
LOWinternal/providercache/installer.go212 // Step 1: Which providers might we need to fetch a new version of?
LOWinternal/providercache/installer.go292 // Step 2: Query the provider source for each of the providers we selected
LOWinternal/providercache/installer.go353 // Step 3: For each provider version we've decided we need to install,
LOWinternal/dag/walk.go447 // Dependencies satisfied! We need to check if any errored
LOWscripts/changelog.sh94 # We need to check if this is the first RC of the version
LOWscripts/changelog.sh105 # We need to check if this is the first RC of the version
Fake / Example Data12 hits · 12 pts
SeverityFileLineSnippet
LOWinternal/stacks/stackruntime/plan_test.go6704 "email": cty.StringVal("user@example.com"),
LOWinternal/stacks/stackruntime/plan_test.go6726 "email": cty.StringVal("user@example.com"),
LOWinternal/stacks/stackruntime/plan_test.go6737 "email": cty.StringVal("user@example.com"),
LOWinternal/stacks/stackruntime/plan_test.go6748 "email": cty.StringVal("user@example.com"),
LOWinternal/stacks/stackruntime/plan_test.go6759 "email": cty.StringVal("user@example.com"),
LOWinternal/stacks/stackruntime/plan_test.go6770 "email": cty.StringVal("user@example.com"),
LOWinternal/stacks/stackruntime/plan_test.go6781 "email": cty.StringVal("user@example.com"),
LOWinternal/plugin6/grpc_provider_test.go3203 data := []byte("Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod" +
LOWinternal/plugin6/grpc_provider_test.go3203 data := []byte("Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod" +
LOWinternal/backend/remote/testdata/plan-long-line/main.tf3 long_line = "[{'_id':'5c5ab0ed7de45e993ffb9eeb','index':0,'guid':'e734d772-6b5a-4cb0-805c-91cd5e560e20','isActive':f
LOWinternal/cloud/testdata/plan-long-line/main.tf3 long_line = "[{'_id':'5c5ab0ed7de45e993ffb9eeb','index':0,'guid':'e734d772-6b5a-4cb0-805c-91cd5e560e20','isActive':f
LOWinternal/command/apply_test.go1476 planPath := applyFixturePlanFileWithVariableValue(t, "lorem ipsum")
Redundant / Tautological Comments2 hits · 3 pts
SeverityFileLineSnippet
LOWscripts/changelog.sh56 # Check if we already released this version already
LOWscripts/changelog.sh188 # Check if yq is installed
Hyper-Verbose Identifiers2 hits · 2 pts
SeverityFileLineSnippet
LOWinternal/command/jsonformat/differ/attribute.go88 // function computeChangeForDynamicValues(), but external callers will
LOW.github/workflows/enforce-changelog.yml63 async function createOrUpdateChangelogComment(commentDetails, deleteComment) {
Example Usage Blocks1 hit · 2 pts
SeverityFileLineSnippet
LOWinternal/tfdiags/compare.go13// Example usage: