Digger is an open-source Terraform and OpenTofu CI/CD orchestrator that adds plan, apply, and drift detection workflows to your existing GitHub Actions or GitLab CI pipeline without routing state files through a third-party service.
The Problem
Running Terraform in CI/CD requires coordination: only one plan or apply should run against a state file at a time, cost estimates should appear on pull requests, and sensitive variable values should not be logged in CI output. Terraform Cloud solves this, but it adds cost and routes your state files through HashiCorp's servers. Self-managed solutions involve fragile custom CI scripts.
How Digger Solves It
Digger adds a comment-driven IaC workflow to your existing CI system. When a pull request modifies Terraform files, Digger runs a plan and posts the output as a PR comment. When the PR is merged, Digger triggers apply. State locking prevents concurrent modifications. Everything runs inside your own GitHub Actions or GitLab CI runners without sending state to a third-party service. Digger is licensed under Apache-2.0.
Key Features
- Comment-driven Terraform workflow: run plans and applies via PR comments (digger plan, digger apply)
- State locking via DynamoDB or GCS to prevent concurrent apply conflicts
- Cost estimation using Infracost integration for pull request cost previews
- Drift detection: periodic checks that infrastructure matches the declared Terraform configuration
- Works with GitHub Actions, GitLab CI, Azure DevOps, and any CI system that supports custom runners
- Apache-2.0 licensed; self-host with no state file routing through third-party servers
Who It's For
Digger is best for DevOps and platform engineering teams that want GitOps-style Terraform workflows in their existing CI/CD system without the cost or vendor dependency of Terraform Cloud or Spacelift.
Compared to Terraform Cloud
Unlike Terraform Cloud, Digger runs entirely within your existing CI/CD infrastructure and does not route Terraform state through HashiCorp's servers. Terraform Cloud offers a more polished workspace UI and native Sentinel policy checks; Digger gives complete data ownership and runs alongside your existing GitHub Actions or GitLab CI configuration.

