Repository Analysis

opentofu/opentofu

OpenTofu lets you declaratively manage your cloud infrastructure.

2.7 Likely human-written

Adjusted Score: 2.7
Raw Score: 2.7
Time Factor: 100%
Last Push: 2026-05-29
Stars: 28,815
Language: Go
Lines of Code: 641,236
Files: 4068
Pattern Hits: 1531
Scan Date: 2026-05-31

Severity Breakdown

CRITICAL 1 · HIGH 7 · MEDIUM 67 · LOW 1456

Pattern Findings

1531 matches across 10 categories.

Over-Commented Block: 1420 hits · 1420 pts
Severity | File | Line | Snippet
LOW | cmd/tofu/version.go | 21 | // logGodebugUsage produces extra DEBUG log lines if the Go runtime's metrics
LOW | cmd/tofu/provider_source_test.go | 161 | }
LOW | cmd/tofu/oci_distribution_test.go | 21 | // This ociCredentialsLookupEnv is the concrete implementation of
LOW | cmd/tofu/provider_source.go | 101 | // no explicit provider installation configuration in the CLI config.
LOW | cmd/tofu/provider_source.go | 121 | // - The "plugins" subdirectory of the CLI config search directory.
LOW | cmd/tofu/oci_distribution.go | 41 | var ociReposMu sync.Mutex
LOW | cmd/tofu/oci_distribution.go | 121 |
LOW | cmd/tofu/experiments.go | 1 | // Copyright (c) The OpenTofu Authors
LOW | cmd/tofu/commands.go | 41 | // ordered so that we can show them in the typical workflow order, rather
LOW | cmd/tofu/registries_disco.go | 21 | // newServiceDiscovery returns a newly-created [disco.Disco] object that is
LOW | cmd/tofu/main.go | 301 | AutocompleteInstall: "install-autocomplete",
LOW | tools/loggraphdiff/loggraphdiff.go | 1 | // Copyright (c) The OpenTofu Authors
LOW | tools/loggraphdiff/loggraphdiff.go | 21 | // module.child.output.a_output - *terraform.NodeApplyableOutput
LOW | tools/find-dep-upgrades/main.go | 1 | // Copyright (c) The OpenTofu Authors
LOW | tools/find-dep-upgrades/main.go | 61 | // so we'll use that here even though the complexity of that package's
LOW | tools/find-dep-upgrades/main.go | 241 | }
LOW | tools/selected-go-version/selected-go-version.go | 1 | // Copyright (c) The OpenTofu Authors
LOW | tools/selected-go-version/selected-go-version.go | 41 | }
LOW | tools/protobuf-compile/protobuf-compile.go | 1 | // Copyright (c) The OpenTofu Authors
LOW | tools/find-pkg-importer/main.go | 1 | // Copyright (c) The OpenTofu Authors
LOW | internal/encryption/plan.go | 21 | //
LOW | internal/encryption/state.go | 21 | //
LOW | internal/encryption/state.go | 41 | //
LOW | internal/encryption/base.go | 41 | }
LOW | internal/encryption/base.go | 61 | //
LOW | internal/encryption/keyprovider/config.go | 21 |
LOW | internal/encryption/keyprovider/descriptor.go | 1 | // Copyright (c) The OpenTofu Authors
LOW | internal/encryption/keyprovider/meta.go | 1 | // Copyright (c) The OpenTofu Authors
LOW | internal/encryption/keyprovider/keyprovider.go | 1 | // Copyright (c) The OpenTofu Authors
LOW | …rnal/encryption/keyprovider/openbao/compliance_test.go | 21 | // By default the tests in here behave like unit tests, running against a
LOW | internal/encryption/method/config.go | 1 | // Copyright (c) The OpenTofu Authors
LOW | internal/encryption/method/method.go | 1 | // Copyright (c) The OpenTofu Authors
LOW | internal/tracing/context_probe.go | 21 | // primary motivation, but could potentially be used for other
LOW | internal/tracing/context_probe.go | 81 | // FunctionsReported returns an interable sequence of all of the functions
LOW | internal/tracing/utils.go | 121 | }
LOW | internal/tracing/data.go | 21 | // differs when the span is not recording.
LOW | internal/tracing/init.go | 41 | better based on experience with this experiment.
LOW | internal/tracing/init.go | 61 | const traceStateEnvVar = "TRACESTATE"
LOW | internal/tracing/init.go | 81 | // standard OTLP exporter environment variables:
LOW | internal/tracing/traceattrs/opentofu.go | 1 | // Copyright (c) The OpenTofu Authors
LOW | internal/tracing/traceattrs/opentofu.go | 21 | // creating import cycles.
LOW | internal/tracing/traceattrs/opentofu.go | 41 | // [OpenTofuProviderAddress] to indicate which provider the version number is
LOW | internal/tracing/traceattrs/opentofu.go | 61 | func OpenTofuModuleCallName(name string) attribute.KeyValue {
LOW | internal/tracing/traceattrs/generic.go | 21 | // it's easier to keep our version selections consistent.
LOW | internal/tracing/traceattrs/semconv.go | 21 | // semconv version imported by the "go.opentelemetry.io/otel/sdk/resource",
LOW | internal/addrs/provider.go | 21 | // not have an explicit hostname.
LOW | internal/addrs/provider.go | 41 | // The this namespace is literally named "builtin", in the hope that users
LOW | internal/addrs/provider.go | 61 | //
LOW | internal/addrs/provider.go | 121 | // because existing code expects legacy provider names to pass through
LOW | internal/addrs/provider.go | 161 | func MustParseProviderSourceString(str string) Provider {
LOW | internal/addrs/provider.go | 181 | // rather than some similar rules defined locally, because the hostname part
LOW | internal/addrs/check_rule_diagnostic.go | 1 | // Copyright (c) The OpenTofu Authors
LOW | internal/addrs/check_rule_diagnostic.go | 21 | // contain a CheckRule.
LOW | internal/addrs/parse_target.go | 241 | }
LOW | internal/addrs/parse_target.go | 321 | })
LOW | internal/addrs/move_endpoint.go | 21 | // addresses in a "moved" statement in the configuration, but it's also
LOW | internal/addrs/move_endpoint.go | 81 | // For our purposes here we'll just do a unify without a base module
LOW | internal/addrs/move_endpoint.go | 161 | //
LOW | internal/addrs/unique_key.go | 1 | // Copyright (c) The OpenTofu Authors
LOW | internal/addrs/module_source_test.go | 321 |
1360 more matches not shown…
Self-Referential Comments: 34 hits · 98 pts
Severity | File | Line | Snippet
MEDIUM | website/docker-compose.build-non-main.yml | 6 | # This file is meant to be used only in running the `website` GH workflow on non-main branches and PRs that are targetin
MEDIUM | internal/depsfile/locks_file.go | 148 | Bytes: []byte("# This file is maintained automatically by \"tofu init\".\n"),
MEDIUM | internal/depsfile/locks_file_test.go | 250 | wantContent := `# This file is maintained automatically by "tofu init".
MEDIUM | internal/backend/remote-state/azure/meta-test/main.tf | 3 | # Create an application and service account
MEDIUM | internal/command/providers_lock_test.go | 48 | expected := `# This file is maintained automatically by "tofu init".
MEDIUM | internal/command/providers_lock_test.go | 64 | expected := `# This file is maintained automatically by "tofu init".
MEDIUM | internal/command/init_test.go | 2316 | # This file is maintained automatically by "tofu init".
MEDIUM | internal/command/init_test.go | 2350 | # This file is maintained automatically by "tofu init".
MEDIUM | internal/command/init_test.go | 2363 | # This file is maintained automatically by "tofu init".
MEDIUM | internal/command/init_test.go | 2376 | # This file is maintained automatically by "tofu init".
MEDIUM | internal/command/init_test.go | 2390 | # This file is maintained automatically by "tofu init".
MEDIUM | …and/testdata/providers-lock/append/.terraform.lock.hcl | 1 | # This file is maintained automatically by "terraform init".
MEDIUM | …roviders-mirror-with-bad-lock-file/.terraform.lock.hcl | 1 | # This file is maintained automatically by "tofu init".
MEDIUM | …fu-providers-mirror-with-lock-file/.terraform.lock.hcl | 1 | # This file is maintained automatically by "terraform init".
MEDIUM | …ests/tests/moved_with_refresh_only/.terraform.lock.hcl | 1 | # This file is maintained automatically by "opentf init".
MEDIUM | …sts/tests/basic_json_string_update/.terraform.lock.hcl | 1 | # This file is maintained automatically by "opentf init".
MEDIUM | …ence-tests/tests/moved_with_update/.terraform.lock.hcl | 1 | # This file is maintained automatically by "opentf init".
MEDIUM | …nce-tests/tests/replace_within_set/.terraform.lock.hcl | 1 | # This file is maintained automatically by "opentf init".
MEDIUM | …uivalence-tests/tests/drift_simple/.terraform.lock.hcl | 1 | # This file is maintained automatically by "opentf init".
MEDIUM | …ts/tests/drift_relevant_attributes/.terraform.lock.hcl | 1 | # This file is maintained automatically by "opentf init".
MEDIUM | …uivalence-tests/tests/moved_simple/.terraform.lock.hcl | 1 | # This file is maintained automatically by "opentf init".
MEDIUM | …ests/basic_multiline_string_update/.terraform.lock.hcl | 1 | # This file is maintained automatically by "opentf init".
MEDIUM | …nce-tests/tests/replace_within_map/.terraform.lock.hcl | 1 | # This file is maintained automatically by "opentf init".
MEDIUM | …-tests/tests/replace_within_object/.terraform.lock.hcl | 1 | # This file is maintained automatically by "opentf init".
MEDIUM | …lence-tests/tests/moved_with_drift/.terraform.lock.hcl | 1 | # This file is maintained automatically by "opentf init".
MEDIUM | …ts/fully_populated_complex_destroy/.terraform.lock.hcl | 1 | # This file is maintained automatically by "opentf init".
MEDIUM | …ce-tests/tests/replace_within_list/.terraform.lock.hcl | 1 | # This file is maintained automatically by "opentf init".
MEDIUM | …e-tests/tests/null_provider_delete/.terraform.lock.hcl | 1 | # This file is maintained automatically by "opentf init".
MEDIUM | …-tests/tests/local_provider_update/.terraform.lock.hcl | 1 | # This file is maintained automatically by "opentf init".
MEDIUM | …-tests/tests/local_provider_delete/.terraform.lock.hcl | 1 | # This file is maintained automatically by "opentf init".
MEDIUM | …nce-tests/tests/drift_refresh_only/.terraform.lock.hcl | 1 | # This file is maintained automatically by "opentf init".
MEDIUM | …sts/fully_populated_complex_update/.terraform.lock.hcl | 1 | # This file is maintained automatically by "opentf init".
MEDIUM | .github/workflows/nightly.yml | 68 | # Create a staging directory for upload
MEDIUM | .github/scripts/compare-release-version.sh | 19 | # Create a clean semver tag without the v prefix
AI Slop Vocabulary: 30 hits · 86 pts
Severity | File | Line | Snippet
MEDIUM | …rnal/getproviders/package_location_oci_blob_archive.go | 242 | // anyway to be robust since go-getter returns this information regardless.
MEDIUM | internal/getmodules/oci_getter.go | 444 | // but we'll return an error here anyway just to be robust.
MEDIUM | internal/repl/session.go | 197 | // but we'll be robust here and just pass through the GoString
MEDIUM | internal/legacy/tofu/state_filter.go | 103 | // is a bit more robust.
MEDIUM | internal/tofu/eval_variable.go | 41 | // but we'll check it here too to be robust.
MEDIUM | internal/tofu/eval_variable_test.go | 110 | // metadata is stripped from empty default collections. Essentially, you
MEDIUM | internal/tofu/context.go | 365 | return // should not happen, but we'll be robust
MEDIUM | internal/tofu/context.go | 369 | continue // should not happen, but we'll be robust
MEDIUM | internal/lang/functions.go | 95 | // robust.
MEDIUM | internal/lang/blocktoattr/fixup.go | 36 | // in the presence of poorly-configured test mocks, so we'll be robust
MEDIUM | internal/lang/globalref/analyzer_meta_references.go | 366 | // for all of the relative traversal types, but we'll be robust in
MEDIUM | internal/lang/exprs/example_test.go | 172 | // NOTE: This is not a robust implementation of "upper", just
MEDIUM | internal/lang/funcs/datetime.go | 195 | // be robust here.
MEDIUM | internal/configs/static_scope.go | 312 | // handle this here just to be robust.
MEDIUM | internal/configs/configschema/validate_traversal.go | 71 | // but we'll handle this with a generic error anyway to be robust.
MEDIUM | internal/configs/configschema/empty_value.go | 61 | // but we'll be robust and return a result nonetheless.
MEDIUM | internal/configs/configload/loader_snapshot.go | 265 | // This function doesn't try to be incredibly robust in supporting
MEDIUM | internal/states/state_test.go | 410 | // happen" case but we'll test to make sure we're robust to
MEDIUM | internal/states/statemgr/filesystem.go | 194 | // TODO: this should use a more robust method of writing state, by first
MEDIUM | internal/states/statemgr/persistent.go | 84 | // Some implementations may optionally utilize config schema to persist
MEDIUM | internal/registry/package_extract.go | 34 | // decompressors should all be robust to malicious input anyway.
MEDIUM | internal/command/meta_providers.go | 139 | // unit tests might not always populate Meta fully and so we'll be robust
MEDIUM | internal/command/cliconfig/cliconfig.go | 441 | // improve on this later using the more-robust merging behavior
MEDIUM | internal/command/views/hook_ui.go | 114 | // bug in the caller but we'll ignore it in order to be robust.
MEDIUM | internal/command/clistate/local_state.go | 68 | // TODO: this should use a more robust method of writing state, by first
MEDIUM | internal/command/arguments/types.go | 47 | // more nuanced set of data to be presented to the view constructors.
MEDIUM | …tdata/move-statement-implied/move-statement-implied.tf | 1 | # This fixture is useful only in conjunction with a previous run state that
MEDIUM | …move-statement-implied/child/move-statement-implied.tf | 1 | # This fixture is useful only in conjunction with a previous run state that
MEDIUM | internal/moduletest/status.go | 35 | // Essentially, if a test suite has a bunch of failures and passes the overall
LOW | scripts/changelog-links.sh | 12 | # released items are presented as clickable links, but we can just use the
Verbosity Indicators: 31 hits · 65 pts
Severity | File | Line | Snippet
LOW | …e/state/examples/encryption/fallback_to_unencrypted.tf | 3 | ## Step 1: Leave the original encryption method unchanged:
LOW | …e/state/examples/encryption/fallback_to_unencrypted.tf | 8 | # Step 2: Add the unencrypted method here:
LOW | …e/state/examples/encryption/fallback_to_unencrypted.tf | 12 | ## Step 3: Disable or remove the "enforced" option:
LOW | …e/state/examples/encryption/fallback_to_unencrypted.tf | 15 | ## Step 4: Move the original encryption method into the "fallback" block:
LOW | …e/state/examples/encryption/fallback_to_unencrypted.tf | 20 | ## Step 5: Reference the unencrypted method as your primary "encryption" method.
LOW | …e/state/examples/encryption/fallback_to_unencrypted.tf | 24 | ## Step 6: Run "tofu apply".
LOW | …e/state/examples/encryption/fallback_to_unencrypted.tf | 26 | ## Step 7: Remove the "state" block once the migration is complete.
LOW | …e/state/examples/encryption/fallback_to_unencrypted.tf | 28 | ## Step 8: Repeat steps 3-7 for plan{} if needed.
LOW | …state/examples/encryption/fallback_from_unencrypted.tf | 9 | ## Step 1: Add the unencrypted method:
LOW | …state/examples/encryption/fallback_from_unencrypted.tf | 12 | ## Step 2: Add the desired key provider:
LOW | …state/examples/encryption/fallback_from_unencrypted.tf | 17 | ## Step 3: Add the desired encryption method:
LOW | …state/examples/encryption/fallback_from_unencrypted.tf | 23 | ## Step 4: Link the desired encryption method:
LOW | …state/examples/encryption/fallback_from_unencrypted.tf | 26 | ## Step 5: Add the "fallback" block referencing the
LOW | …state/examples/encryption/fallback_from_unencrypted.tf | 32 | ## Step 6: Run "tofu apply".
LOW | …state/examples/encryption/fallback_from_unencrypted.tf | 34 | ## Step 7: Remove the "fallback" block above and
LOW | …state/examples/encryption/fallback_from_unencrypted.tf | 39 | ## Step 8: Repeat steps 4-8 for plan{} if needed.
LOW | …site/docs/language/state/examples/encryption/sample.tf | 9 | ## Step 1: Add the desired key provider:
LOW | …site/docs/language/state/examples/encryption/sample.tf | 13 | ## Step 2: Set up your encryption method:
LOW | …site/docs/language/state/examples/encryption/sample.tf | 19 | ## Step 3: Link the desired encryption method:
LOW | …site/docs/language/state/examples/encryption/sample.tf | 22 | ## Step 4: Run "tofu apply".
LOW | …site/docs/language/state/examples/encryption/sample.tf | 24 | ## Step 5: Consider adding the "enforced" option:
LOW | …site/docs/language/state/examples/encryption/sample.tf | 28 | ## Step 6: Repeat steps 3-5 for plan{} if needed.
LOW | internal/providercache/installer.go | 216 | // Step 1: Which providers might we need to fetch a new version of?
LOW | internal/providercache/installer.go | 224 | // Step 2: Query the provider source for each of the providers we selected
LOW | internal/providercache/installer.go | 234 | // Step 3: For each provider version we've decided we need to install,
LOW | internal/dag/walk.go | 453 | // Dependencies satisfied! We need to check if any errored
LOW | internal/tofu/context_apply_test.go | 2879 | // Step 1: create the resources and instances
LOW | internal/tofu/context_apply_test.go | 2914 | // Step 2: update with an empty config, to destroy everything
LOW | internal/tofu/transform_targets.go | 115 | // Step 1: Find all excluded targetable nodes, and their descendants
LOW | internal/tofu/transform_targets.go | 149 | // Step 2: Of the targetable nodes that were not excluded, build the graph similarly to -target
LOW | internal/tofu/transform_targets.go | 168 | // Step 3: Add outputs
Synthetic Comment Markers: 7 hits · 42 pts
Severity | File | Line | Snippet
HIGH | internal/configs/parser.go | 86 | // have been loaded through this parser, with source filenames (as requested
HIGH | internal/command/jsonformat/plan.go | 456 | buf.WriteString(fmt.Sprintf("[bold] # %s[reset] will be [bold][red]replaced[reset], as requested", dispAddr))
HIGH | internal/command/jsonformat/plan.go | 547 | buf.WriteString(fmt.Sprintf("[bold] # %s[reset] will be [bold][red]replaced[reset], as requested", dispAddr))
HIGH | internal/command/jsonformat/plan_test.go | 6189 | ExpectedOutput: ` # test_instance.example will be replaced, as requested
HIGH | internal/command/jsonformat/plan_test.go | 6200 | ExpectedOutput: ` # test_instance.example will be replaced, as requested
HIGH | internal/command/views/view.go | 42 | // ModuleDeprecationWarnLvl is used to filter out deprecation warnings for outputs and variables as requested by the us
HIGH | internal/command/arguments/view.go | 29 | // ModuleDeprecationWarnLvl is used to filter out deprecation warnings for outputs and variables as requested by the us
Slop Phrases: 4 hits · 12 pts
Severity | File | Line | Snippet
MEDIUM | internal/tofu/context_plugins_test.go | 26 | // so the caller can feel free to modify the returned value to further
MEDIUM | internal/tofu/context_plugins_test.go | 59 | // callers can feel free to modify it once returned.
MEDIUM | internal/command/testdata/fmt/general_out.tf | 3 | # here, but you can also add other _in.tf/_out.tf pairs in the
MEDIUM | internal/command/testdata/fmt/general_in.tf | 3 | # here, but you can also add other _in.tf/_out.tf pairs in the
Hallucination Indicators: 1 hit · 10 pts
Severity | File | Line | Snippet
CRITICAL | internal/command/jsonplan/values.go | 212 | r.Addr.Resource.Resource.Mode.String(),
Fake / Example Data: 2 hits · 2 pts
Severity | File | Line | Snippet
LOW | internal/backend/remote/testdata/plan-long-line/main.tf | 3 | long_line = "[{'_id':'5c5ab0ed7de45e993ffb9eeb','index':0,'guid':'e734d772-6b5a-4cb0-805c-91cd5e560e20','isActive':f
LOW | internal/cloud/testdata/plan-long-line/main.tf | 3 | long_line = "[{'_id':'5c5ab0ed7de45e993ffb9eeb','index':0,'guid':'e734d772-6b5a-4cb0-805c-91cd5e560e20','isActive':f
Redundant / Tautological Comments: 1 hit · 2 pts
Severity | File | Line | Snippet
LOW | …docs/cli/commands/test/examples/module/main.tftest.hcl | 7 | # Check if the webserver returned an HTTP 200 status code:
Hyper-Verbose Identifiers: 1 hit · 2 pts
Severity | File | Line | Snippet
LOW | internal/command/jsonformat/differ/attribute.go | 77 | // function computeChangeForDynamicValues(), but external callers will