Make changes with confidence

Always know how a Terraform change would impact your infrastructure before deploying

Compare Semdiff with terraform plan

We can analyze:
  • IAM
  • NACL
  • ALB
  • Role assume

Why use semdiff?

  • Spend less time reviewing PRs

    As an SRE, spend more time improving infrastructure and less on PR reviews. Get higher-quality PRs, see hidden problems right away, and even approve low-risk ones automatically.
  • Demystify infrastructure

    For a developer, Terraform changes can be daunting: custom modules, obscure AWS docs, parts of infrastructure you don't even know exist. With Semdiff, you can be sure that what you intended is what you deploy.
  • Prevent outages and data breaches

    Don't get paged at 3 am. Semdiff helps you identify potential risks and vulnerabilities in your infrastructure before they cause problems.


  • Starter

    Ideal for small teams. Includes all analysis features with unlimited analysis runs.
  • Enterprise

    Run Semdiff on-prem or in your own cloud. Create custom rules, model changes across multiple separate systems. Includes premium support.


What environments does Semdiff support?

We can currently scan AWS Terraform plans. If you have some other bit of infrastructure you want to analyze (Azure? Vault? Kubernetes?), let us know.

How does it work?

Semdiff is a static analyzer. It imports Terraform plans into Datalog and uses a combination of a high-performance Datalog engine and symbolic reasoning to discover all possible ways resources can interact. It then checks how these interactions would change after the plan is applied and presents the result in an easy-to-understand, diff-like format.

How does Semdiff differ from other IaC security scanners?

Most IaC scanners focus on shallow properties of the resources, for example whether encryption is enabled on an EFS volume. Semdiff goes a step further and can reason about how resources affect each other, e.g. to determine who can access what resource by analyzing group memberships, IAM policies, SCPs and so on.
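To make the idea in the two answers above concrete, here is an added sketch (not Semdiff's code or rule set) of a Datalog-style fixpoint over IAM facts, diffed before and after a planned change. The fact names (`user`, `member`, `can_assume`, `allow`), the sample identities and the simplified model without Deny statements, conditions or SCPs are all assumptions made for illustration.

```python
# Added illustration (not Semdiff code): Datalog-style rules over constructed IAM facts.
#   acts_as(U, U)      :- user(U).
#   acts_as(U, G)      :- member(U, G).
#   acts_as(U, R)      :- acts_as(U, X), can_assume(X, R).
#   access(U, A, Res)  :- acts_as(U, X), allow(X, A, Res).
# Simplified model: no Deny statements, conditions or SCPs.

def derive_access(facts):
    """Return every (user, action, resource) derivable from the facts."""
    acts_as = {(u, u) for u in facts["user"]} | set(facts["member"])
    while True:  # naive fixpoint: apply the recursive rule until nothing new appears
        new = {(u, r) for (u, x) in acts_as
               for (y, r) in facts["can_assume"] if x == y} - acts_as
        if not new:
            break
        acts_as |= new
    return {(u, a, res) for (u, x) in acts_as
            for (y, a, res) in facts["allow"] if x == y}

def semantic_diff(before, after):
    """Compare derived access, not resource attributes."""
    old, new = derive_access(before), derive_access(after)
    return sorted(new - old), sorted(old - new)

# Constructed facts standing in for what a plan's prior state would yield.
BEFORE = {
    "user": {"alice"},
    "member": {("alice", "devs")},
    "can_assume": {("ci-role", "deploy-role")},
    "allow": {("devs", "s3:GetObject", "logs-bucket"),
              ("deploy-role", "s3:PutObject", "prod-bucket")},
}
# Planned change: one new edge letting members of devs assume ci-role.
AFTER = {**BEFORE, "can_assume": BEFORE["can_assume"] | {("devs", "ci-role")}}

if __name__ == "__main__":
    gained, lost = semantic_diff(BEFORE, AFTER)
    for user, action, resource in gained:
        print(f"+ {user} can {action} on {resource}")
    for user, action, resource in lost:
        print(f"- {user} can {action} on {resource}")
```

The planned change touches a single assume-role edge, yet the derived diff reports write access to `prod-bucket` for `alice` through the chain devs, ci-role, deploy-role, which a per-resource attribute check would not surface.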

Does it work with my IaC platform?

Semdiff integrates with Terraform Cloud, Atlantis and Env0. We also have a CLI and a REST API endpoint.