Risk Levels

DriftWise classifies every Terraform change into one of five risk levels based on its potential impact.

Levels

| Level    | Description                                           | Examples                                                        |
|----------|-------------------------------------------------------|-----------------------------------------------------------------|
| None     | No changes detected                                   | Empty plan, no-op                                               |
| Low      | Non-breaking, no security or data implications        | Tags, descriptions, scaling parameters                          |
| Medium   | Could have side effects on availability or dependents | Config changes, timing, instance types                          |
| High     | Security-sensitive or access-control changes          | IAM mutations, security groups, public exposure, KMS            |
| Critical | Data loss or forced resource replacement              | Database deletion, stateful resource destruction or replacement |

How Scoring Works

DriftWise uses a two-pass analysis:

  1. Type-level rules — Resource types have baseline risk. For example, deleting any resource flags resource-deletion; replacing a resource in the stateful types map (databases, storage, clusters) flags stateful-resource-destruction.
  2. Attribute-level rules — Specific attribute changes raise or lower the score. For example, cidr_blocks changing to 0.0.0.0/0 triggers the public-ingress flag at High severity.

Rules are built into the analyzer engine. Organizations can override the severity of specific flags using the Policy API.

Callouts

When DriftWise detects a high-risk pattern, it adds a callout:

  • Public ingress — Security group or firewall rule opened to 0.0.0.0/0 or ::/0
  • IAM wildcard permissions — IAM policy with Action: "*" or Resource: "*"
  • Stateful resource destruction — Deletion or forced replacement of databases, storage buckets, or clusters
  • Encryption changes — Modifications to KMS keys or encryption configuration
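To make the two-pass model and the callouts above concrete, here is an added Python example that is not DriftWise's own engine. It scores a constructed `terraform show -json` style plan (the `resource_changes` / `change.actions` / `before` / `after` layout is Terraform's real plan schema; the plan contents are made up): pass 1 flags `resource-deletion` and `stateful-resource-destruction` from the resource type and action, pass 2 flags `public-ingress`, `iam-wildcard-permissions` and `encryption-change` from attribute values, and the overall level is the highest severity seen. The function names, the stateful-type set, the low-risk attribute set and the Medium severity for a non-stateful deletion are assumptions; the flag names and the High/Critical severities follow this page.

```python
import json

# Ordered risk levels from the table above; list index is the rank.
SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
# The docs say the stateful-types map covers databases, storage and clusters;
# the concrete set and the low-risk attribute list below are assumptions.
STATEFUL_TYPES = {"aws_db_instance", "aws_rds_cluster", "aws_s3_bucket",
                  "aws_eks_cluster", "aws_elasticache_cluster"}
LOW_RISK_ATTRS = {"tags", "tags_all", "description"}


def _max_level(levels):
    return max(levels, key=SEVERITY_ORDER.index, default="none")


def _leaves(obj, path=()):
    """Flatten a nested plan attribute map into {path_tuple: leaf_value}."""
    if isinstance(obj, dict):
        return {p: v for k, child in obj.items() for p, v in _leaves(child, path + (k,)).items()}
    if isinstance(obj, list):
        return {p: v for i, child in enumerate(obj) for p, v in _leaves(child, path + (str(i),)).items()}
    return {path: obj}


def type_level_flags(rc):
    """Pass 1: baseline risk from the resource type and the planned action."""
    actions = rc["change"]["actions"]
    deleted = actions == ["delete"]
    replaced = sorted(actions) == ["create", "delete"]  # forced replacement
    flags = []
    if deleted:
        flags.append(("resource-deletion", "medium"))  # severity assumed for non-stateful types
    if rc["type"] in STATEFUL_TYPES and (deleted or replaced):
        flags.append(("stateful-resource-destruction", "critical"))
    return flags


def _iam_wildcard(policy_json):
    """True if any statement in a JSON policy document grants Action "*" or Resource "*"."""
    try:
        doc = json.loads(policy_json)
    except (TypeError, ValueError):
        return False  # absent, unknown-until-apply, or not a JSON document
    stmts = doc.get("Statement", [])
    for stmt in stmts if isinstance(stmts, list) else [stmts]:
        for key in ("Action", "Resource"):
            val = stmt.get(key, [])
            if "*" in (val if isinstance(val, list) else [val]):
                return True
    return False


def attribute_level_flags(rc):
    """Pass 2: flags raised by specific attribute values in the planned state."""
    change = rc["change"]
    before = _leaves(change.get("before") or {})
    after = _leaves(change.get("after") or {})
    flags = []
    # Any *cidr* attribute that now contains an unrestricted range.
    if any(val in PUBLIC_CIDRS and any("cidr" in seg for seg in path) for path, val in after.items()):
        flags.append(("public-ingress", "high"))
    if _iam_wildcard((change.get("after") or {}).get("policy")):
        flags.append(("iam-wildcard-permissions", "high"))
    # Encryption/KMS attributes only count when an existing resource is modified.
    if change["actions"] == ["update"]:
        changed = {p for p in before.keys() | after.keys() if before.get(p) != after.get(p)}
        if any("kms" in seg or "encrypt" in seg for p in changed for seg in p):
            flags.append(("encryption-change", "high"))
    return flags


def score_plan(plan):
    """Score every resource change; returns the overall level and per-resource detail."""
    resources = {}
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if change["actions"] in (["no-op"], ["read"]):
            continue
        flags = type_level_flags(rc) + attribute_level_flags(rc)
        if flags:
            level = _max_level(sev for _, sev in flags)
        else:
            before, after = change.get("before") or {}, change.get("after") or {}
            touched = {k for k in before.keys() | after.keys() if before.get(k) != after.get(k)}
            # Unflagged change: Low if only non-breaking attributes moved, else Medium (assumed).
            level = "low" if touched and touched <= LOW_RISK_ATTRS else "medium"
        resources[rc["address"]] = {"level": level, "flags": flags}
    return {"overall": _max_level(r["level"] for r in resources.values()), "resources": resources}


# Constructed sample plan (not real infrastructure); one change per callout.
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [
    {"address": "aws_security_group_rule.web_in", "type": "aws_security_group_rule", "change": {
        "actions": ["update"], "before": {"type": "ingress", "cidr_blocks": ["10.0.0.0/8"]},
        "after": {"type": "ingress", "cidr_blocks": ["0.0.0.0/0"]}}},
    {"address": "aws_db_instance.orders", "type": "aws_db_instance", "change": {
        "actions": ["delete"], "before": {"engine": "postgres", "kms_key_id": "KEY-A"}, "after": None}},
    {"address": "aws_instance.app", "type": "aws_instance", "change": {
        "actions": ["update"], "before": {"instance_type": "t3.small", "tags": {"env": "dev"}},
        "after": {"instance_type": "t3.small", "tags": {"env": "prod"}}}},
    {"address": "aws_iam_policy.admin", "type": "aws_iam_policy", "change": {
        "actions": ["create"], "before": None, "after": {"name": "admin", "policy": json.dumps(
            {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {
        "actions": ["update"], "before": {"bucket": "logs", "kms_master_key_id": "KEY-A"},
        "after": {"bucket": "logs", "kms_master_key_id": "KEY-B"}}},
    {"address": "aws_vpc.main", "type": "aws_vpc", "change": {"actions": ["no-op"], "before": {}, "after": {}}},
]}

if __name__ == "__main__":
    print(json.dumps(score_plan(SAMPLE_PLAN), indent=2))
```

Running the block prints one entry per changed resource with its flags, and `overall` comes out as `critical` because the database deletion dominates; the tag-only change on `aws_instance.app` lands at Low with no flags, which is the behaviour the table describes for non-breaking edits.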

Policy Overrides

Organizations can customize how risk flags map to severity using the Policy API (PUT /api/v2/orgs/:id/policy). Policy rules use glob patterns to match flags and resource types:

{
  "version": 1,
  "rules": [
    {
      "flag_pattern": "public-ingress",
      "resource_pattern": "aws_lb*",
      "severity": "low",
      "reason": "Load balancers are expected to be public"
    }
  ]
}

Policy overrides change the severity of existing flags — they don't create new detection rules. Maximum 50 rules per organization.
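As an added illustration of how a policy document like the one above is applied (example code, not the DriftWise Policy API implementation), the Python below validates a policy (version 1, at most 50 rules, a known severity on every rule), then re-severities existing findings whose flag and resource type both match the rule's glob patterns. It assumes the first matching rule wins and that shell-style globs are the pattern syntax; the finding structure, the `policy_errors` / `apply_policy` / `overall_level` names and the sample findings are constructed for this example. The policy is the page's own example.

```python
from fnmatch import fnmatchcase

SEVERITIES = ("none", "low", "medium", "high", "critical")
MAX_RULES = 50  # per-organization limit stated in the docs
REQUIRED_KEYS = ("flag_pattern", "resource_pattern", "severity")


def policy_errors(policy):
    """Return a list of validation problems; empty when the document is acceptable."""
    problems = []
    if policy.get("version") != 1:
        problems.append("unsupported version")
    rules = policy.get("rules", [])
    if len(rules) > MAX_RULES:
        problems.append(f"too many rules: {len(rules)} > {MAX_RULES}")
    for i, rule in enumerate(rules):
        missing = [k for k in REQUIRED_KEYS if k not in rule]
        if missing:
            problems.append(f"rule {i}: missing {', '.join(missing)}")
        elif rule["severity"] not in SEVERITIES:
            problems.append(f"rule {i}: unknown severity {rule['severity']!r}")
    return problems


def apply_policy(findings, policy):
    """Adjust the severity of existing findings only; a policy never adds a finding.

    First matching rule wins (assumed ordering). Raises ValueError on an invalid policy.
    """
    problems = policy_errors(policy)
    if problems:
        raise ValueError("; ".join(problems))
    adjusted = []
    for finding in findings:
        out = dict(finding, override_reason=None)
        for rule in policy["rules"]:
            if (fnmatchcase(finding["flag"], rule["flag_pattern"])
                    and fnmatchcase(finding["resource_type"], rule["resource_pattern"])):
                out["severity"] = rule["severity"]
                out["override_reason"] = rule.get("reason")
                break
        adjusted.append(out)
    return adjusted


def overall_level(findings):
    """Highest severity across findings, or "none" for an empty list."""
    return max((f["severity"] for f in findings), key=SEVERITIES.index, default="none")


# The policy document from the docs above.
SAMPLE_POLICY = {"version": 1, "rules": [{
    "flag_pattern": "public-ingress", "resource_pattern": "aws_lb*",
    "severity": "low", "reason": "Load balancers are expected to be public"}]}

# Constructed findings, as a scorer would emit them before policy is applied.
SAMPLE_FINDINGS = [
    {"address": "aws_lb.public", "resource_type": "aws_lb",
     "flag": "public-ingress", "severity": "high"},
    {"address": "aws_security_group_rule.web_in", "resource_type": "aws_security_group_rule",
     "flag": "public-ingress", "severity": "high"},
    {"address": "aws_lb.public", "resource_type": "aws_lb",
     "flag": "encryption-change", "severity": "high"},
]

if __name__ == "__main__":
    for f in apply_policy(SAMPLE_FINDINGS, SAMPLE_POLICY):
        print(f"{f['address']:40} {f['flag']:20} {f['severity']:8} {f['override_reason'] or ''}")
    print("overall:", overall_level(apply_policy(SAMPLE_FINDINGS, SAMPLE_POLICY)))
```

Only the `public-ingress` finding on the `aws_lb` resource drops to Low; the same flag on the security group rule and the unrelated `encryption-change` flag keep their High severity, so the overall level stays High. A policy with 51 rules or an unknown severity is rejected before any finding is touched.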