Overview: Digger is an open-source Infrastructure as Code (IaC) orchestration tool that runs Terraform and OpenTofu inside the CI pipeline you already have, removing the need for a separate Terraform automation service such as Atlantis or Terraform Cloud. It was built to address the complexity and security risk of managing IaC across many environments, where secrets, state, and compute end up fragmented across systems. With its rebrand to OpenTaco, Digger positions itself as a single tool for running Terraform in production, covering multi-cloud, multi-tenant, and complex workflows without external compute or secrets shared with a third party. Digger suits DevOps teams on GitHub Actions, GitLab CI, or similar platforms who want secure, scalable, and cost-efficient IaC automation without vendor lock-in.
What You Get
- Terraform plan and apply in PR comments - Run Terraform plan and apply directly from GitHub pull request comments using commands such as `digger plan` or `digger apply`, so engineers do not need local CLI access to production credentials.
- Private runners using existing CI - Leverage your current CI compute environment (e.g., GitHub Actions runners) to run Terraform, keeping secrets and state within your infrastructure without exposing them to third-party services.
- Open Policy Agent (OPA) support for RBAC - Enforce access control with OPA (Rego) policies that restrict who may run plan or apply on specific environments or projects.
- PR-level locks - Prevent concurrent Terraform operations across multiple PRs by locking each project to the PR that planned it until that PR is merged, closed, or explicitly unlocked; similar to Atlantis, but integrated into your own CI.
- Terragrunt and multi-workspace support - Run Terraform with Terragrunt configurations, multiple workspaces, and different Terraform versions within the same pipeline.
- Drift detection - Detect and alert on infrastructure drift by running scheduled plans against the applied state and reporting any that show changes not present in code.
- Apply-after-merge workflows - Configure Digger to automatically apply changes after a PR is merged, enabling safe, automated deployment pipelines.
- Plan persistence and caching - Store the plan produced for a PR so a later apply reuses the plan that was reviewed instead of re-planning, which both saves time and avoids applying something nobody saw.
- Web UI (cloud-based) - Visualize infrastructure changes, plan history, and apply statuses through a hosted dashboard for teams without CLI access.
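The features above fit together as two files: a `digger.yml` that declares projects and what each PR event should do, and a CI workflow that the Digger action runs inside. The following is an added example written for this page, not configuration taken from the Digger project or its docs; the project names, directories, role ARN and Terraform version are assumptions, and the action inputs and `digger.yml` keys are reproduced from my recollection of Digger's documentation, so check them against the current docs before use.

```yaml
# digger.yml (repository root). Added example; names and paths are assumptions.
projects:
  - name: staging
    dir: envs/staging
    workflow: default
  - name: prod
    dir: envs/prod
    workflow: default        # locks are held per project, per PR

workflows:
  default:
    plan:
      steps:
        - init
        - plan
    apply:
      steps:
        - init
        - apply
    workflow_configuration:
      on_pull_request_pushed: ["digger plan"]    # every push re-plans the touched projects
      on_pull_request_closed: ["digger unlock"]  # release the project lock
      on_commit_to_default: ["digger apply"]     # apply-after-merge

---
# .github/workflows/digger.yml: the CI job Digger executes within.
name: Digger
on:
  pull_request:
    branches: [main]
    types: [opened, synchronize, reopened, closed]   # merge arrives as a closed event
  issue_comment:
    types: [created]            # "digger plan" / "digger apply" comments
  workflow_dispatch:

jobs:
  digger:
    runs-on: ubuntu-latest      # your own runner; no external compute
    permissions:                # least-privilege GITHUB_TOKEN (docs examples use contents: write)
      contents: read
      id-token: write           # OIDC federation: no long-lived cloud keys in secrets
      pull-requests: write      # post plan output as PR comments
      issues: read
      statuses: write
    steps:
      - uses: actions/checkout@v4
      - uses: diggerhq/digger@vLatest
        with:
          setup-aws: true
          aws-role-to-assume: arn:aws:iam::123456789012:role/digger-ci   # assumed ARN
          aws-region: us-east-1
          setup-terraform: true
          terraform-version: 1.6.6
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two points a reviewer should insist on. First, the cloud role is assumed via OIDC with `id-token: write`, so no static access keys live in repository secrets; scope that role's trust policy to this repository and branch. Second, whatever Terraform code is in the PR runs with that role, including provider and provisioner code, so anyone who can trigger `digger apply` can execute arbitrary actions with the role's permissions; gate apply behind the OPA access policy and branch protection rather than leaving it open to every commenter.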
Common Use Cases
- Building a multi-environment SaaS platform - A team uses Digger to manage AWS and GCP resources across dev, staging, and prod environments in a single repository, with PR-level locks preventing conflicts during parallel development.
- Securing IaC in regulated environments - A financial services company avoids Terraform Cloud to comply with data residency rules; Digger runs all plans/apply within their private GitHub Actions runners, keeping secrets in-vault.
- Problem → Solution flow: Manual Terraform runs causing outages - Engineers ran `terraform apply` against prod from their laptops, leaving untracked changes. Digger routes every change through a PR with an automated plan for review and apply-after-merge, removing ad-hoc production applies.
- Team/workflow scenario: DevOps team managing 50+ microservices - Each service has its own Terraform module. Digger runs parallel plans across all PRs using the same CI runners, reducing pipeline bottlenecks and enabling consistent policy enforcement via OPA.
Under The Hood
Digger is a unified infrastructure-as-code platform designed to streamline the management, validation, and execution of IaC workflows within CI/CD pipelines. It emphasizes real-time drift detection, sandboxed execution environments, and seamless GitHub integration to enable safe and policy-driven infrastructure changes.
Architecture
Digger follows a modular monolithic architecture that clearly separates backend services, UI components, and sandboxed execution layers. It leverages well-defined patterns for handling external integrations and task orchestration.
- Modular design with distinct layers for backend, UI, and sandbox execution
- Strong separation of concerns between infrastructure management and policy enforcement
- Use of well-defined service boundaries for CI/CD automation and drift detection
Tech Stack
The system is built using Go for backend services and TypeScript with React for the frontend UI. It integrates modern cloud-native tools and frameworks to support scalable deployment and robust infrastructure workflows.
- Built with Go for backend services and TypeScript/React for frontend UI
- Relies on the TanStack ecosystem, WorkOS for authentication, and Lucide React for icons
- Employs Vite, Docker, and Makefiles for frontend development, containerization, and build automation
- Test suite with mocking and integration-test support, though coverage is uneven (see Code Quality)
Code Quality
Code quality in Digger presents a mixed state with some well-structured modules and consistent patterns, yet lacks full test coverage and stylistic uniformity across the codebase.
- Reasonable error handling practices implemented across multiple modules
- Inconsistent code style and naming conventions observed in some areas
- Limited test coverage despite the presence of integration testing frameworks
- Moderate adherence to coding standards and documentation practices
What Makes It Unique
Digger introduces several innovative capabilities that distinguish it from traditional infrastructure-as-code tools, particularly in sandboxed execution and drift-aware policy enforcement.
- Provides built-in sandboxed environments for safe Terraform plan and apply execution
- Combines drift detection with automated policy enforcement for compliance automation
- Offers deep webhook-based GitHub integration for real-time CI/CD orchestration
- Supports modular multi-environment deployments via Docker and fly.toml (Fly.io) configurations