Security at Terrateam

Terrateam is built for teams that care about infrastructure security, auditability, and control. From GitHub-based access to policy enforcement and state isolation, security is built into every workflow.

GitHub-Native Identity & Access

Use GitHub org and team membership to control who can plan, apply, and approve. No separate accounts or permission model to manage.

Policy Enforcement

Run OPA or Conftest policies before apply. Block unsafe changes before they happen.

Scoped Secrets and OIDC

Each directory can define its own environment, credentials, and secrets using OIDC or your own vaults.

Security Features

GitHub Identity Integration

Use existing GitHub teams and permissions. No separate user management or SSO to configure.

Policy Enforcement

Run OPA, Conftest, or custom policy checks before any apply. Block non-compliant changes automatically.

Per-directory OIDC

Configure different auth methods per directory. Support for OIDC, static credentials, or custom providers.

Gatekeeper for Policy Exceptions

Require human approval when policy checks fail. Add safety without breaking GitOps flow.

Plan & Apply Tracing

Every plan and apply is logged with user identity, timestamp, and full context. Exportable audit trails.

Security-First Workflow

1. GitHub PR Triggers Plan

Access controlled by GitHub teams

2. Policy Check

OPA/Conftest policies run

3. Approval

Required reviewers based on scope

4. Audit Trail

Full logging of all actions

Built for trust and transparency

Learn how Terrateam helps you meet internal, customer, and regulatory compliance requirements, with full auditability and zero guesswork.
