a deterministic safety net for cloud infra

Catch the apply that destroys your infrastructure.

bumper reads your Terraform plan and flags the changes that would expose or destroy your AWS, GCP, or Azure account — before terraform apply runs. A single static Go binary. The verdict is 100% deterministic.

$ curl -fsSL https://get.bumper.sh | sh

single static binary · no API key, no account · stands alone if AI is absent
the terminal

One command. The whole verdict.

A real bumper --explain plan.json run on a plan that opens and destroys production. Every finding gets a plain-English line and a one-line fix.

bumper --explain plan.json
$ terraform show -json plan.tfplan > plan.json
$ bumper --explain plan.json
bumper v1.0.0  scanning plan.json  112 rules  ai: claude

CRITICAL  aws_db_instance.prod will be DESTROYED
  rule  AWS_RDS_DESTROY_NO_FINAL_SNAPSHOT
  plan  delete → (no replacement)
  why   This apply deletes your production database. skip_final_snapshot is true, so there is no backup — the data is gone the moment apply runs.
  fix   Set skip_final_snapshot = false and a final_snapshot_identifier.

CRITICAL  aws_security_group.api opens 5432/tcp to 0.0.0.0/0
  rule  AWS_SG_PUBLIC_INGRESS
  plan  create → ingress tcp/5432 from 0.0.0.0/0
  why   PostgreSQL would be reachable from the entire internet. Any host could attempt to connect directly to your database.
  fix   Restrict cidr_blocks to your VPC CIDR or a bastion SG.

HIGH  google_storage_bucket.assets encryption config removed
  rule  GCP_STORAGE_ENCRYPTION_REMOVED
  plan  update → default_kms_key_name removed
  why   Objects written after this apply fall back to Google-managed keys instead of your CMEK.
  fix   Re-add encryption.default_kms_key_name to the bucket.

────────────────────────────────────────────────
3 findings  2 critical  1 high  0 medium
verdict BLOCK — destructive & critical changes present

$ echo $?
1

exit 1 — safe to block a merge on · deterministic — same plan, same verdict, every time
the agent guardrail

Your AI agent can no longer
silently destroy your infrastructure.

Initialize bumper inside Claude Code, Codex, opencode, auggie or gemini and it installs a pre-apply hook. The agent cannot run terraform apply without piping the plan through bumper first.

agent session · pre-apply hook
claude-code · session 0xC4F1

terraform apply -auto-approve
  pre-apply hook → bumper --gate plan.json
  bumper  2 CRITICAL findings — apply BLOCKED
    aws_db_instance.prod     destroy without final snapshot
    aws_security_group.api   5432/tcp exposed to 0.0.0.0/0
  The agent cannot run terraform apply on its own. Critical findings require an explicit human decision.

agent → you
  "I tried to apply, but bumper stopped me. 2 critical findings, including destroying the prod database. How do you want to proceed?"

⏸ apply paused — awaiting your decision
  options: acknowledge · ignore · fix & re-run

Critical and destructive findings are a hard stop — the agent waits for an explicit human decision before it can proceed. Lower severities are surfaced but overridable, so the gate stays useful instead of becoming noise. bumper gates; it doesn't hold apply hostage.

why it's different

Three things most plan scanners miss.

01

It reads the transition, not the result.

Most scanners check the config you'd end up with. bumper reads the plan's create / delete / replace moves — so it catches “this apply will destroy your production database,” not just “this bucket is misconfigured.”
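To make the transition-versus-result distinction concrete, here is an added example (not bumper's code) that walks the resource_changes array of a Terraform plan JSON and keys each check on change.actions rather than on the final config alone; the sample plan is constructed, and the two rule ids reuse the names from the run above purely as labels, with the checks themselves a simplified stand-in for bumper's own CEL rules.

```python
import json

# Constructed sample in the shape of `terraform show -json`; only fields the checks read.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_db_instance.prod", "type": "aws_db_instance",
         "change": {"actions": ["delete"], "after": None,
                    "before": {"identifier": "prod", "skip_final_snapshot": True}}},
        {"address": "aws_security_group.api", "type": "aws_security_group",
         "change": {"actions": ["create"], "before": None,
                    "after": {"ingress": [{"from_port": 5432, "to_port": 5432,
                                           "protocol": "tcp",
                                           "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["no-op"], "before": {}, "after": {}}},
    ],
})

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def scan_plan(plan_json: str) -> list:
    """Key each check on the transition (change.actions), not on the end state alone."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        actions = rc["change"]["actions"]
        before = rc["change"].get("before") or {}
        after = rc["change"].get("after") or {}
        # A bare ["delete"] is destruction with no replacement; a replace appears as
        # ["delete", "create"] or ["create", "delete"] and does not trip this rule.
        if (rc["type"] == "aws_db_instance" and actions == ["delete"]
                and before.get("skip_final_snapshot")):
            findings.append({"severity": "CRITICAL", "address": rc["address"],
                             "rule": "AWS_RDS_DESTROY_NO_FINAL_SNAPSHOT"})
        # Exposure is judged on the planned state (`after`) of anything created or updated.
        if rc["type"] == "aws_security_group" and set(actions) & {"create", "update"}:
            for rule in after.get("ingress") or []:
                if PUBLIC_CIDRS & set(rule.get("cidr_blocks") or []):
                    findings.append({"severity": "CRITICAL", "address": rc["address"],
                                     "rule": "AWS_SG_PUBLIC_INGRESS",
                                     "port": rule.get("from_port")})
    return findings


def verdict(findings: list, fail_severity: str = "HIGH") -> int:
    """CI exit code: 1 when any finding meets the threshold, else 0; same input, same answer."""
    return int(any(SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_severity]
                   for f in findings))
```

Swapping the bare delete for a delete-plus-create pair in the sample makes the RDS rule stop firing while the security-group rule still does, which is the difference a result-only scanner cannot see.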

02

Zero-setup AI enrichment.

Every finding can be translated into plain English by an AI CLI you already have — claude, gemini, codex, opencode, auggie. No API key. No vendor account. No new dependency to install.

03

The deterministic core stands alone.

The verdict never depends on a model. It's 100% deterministic — the same plan always yields the same result — so you can safely block a merge on it. AI is optional polish, never a requirement.

try it — no install

Search the rule catalog, right here.

The same corpus bumper search indexes — 112 enforced rules plus ~2,600 advisory entries federated from Trivy, Checkov, KICS and Prowler. Below is a real run; under it, the same search live in your browser — click any result to get the full record.

bumper search "s3 public"
$ bumper search "s3 public"

47 matches  17 enforced · 30 advisory

enforced · fires on your plan
  high  AZURE_STORAGE_CONTAINER_PUBLIC    Storage container allows anonymous publ…
  high  GCP_STORAGE_BUCKET_PUBLIC_ACL     Cloud Storage ACL grants public access …
  high  AWS_S3_BUCKET_PUBLIC_ACL          S3 bucket uses a public canned ACL
  high  AWS_S3_ACL_PUBLIC                 S3 bucket ACL grants public access
  high  AWS_S3_PUBLIC_ACCESS_BLOCK_WEAK   S3 Block Public Access is not fully ena…
  … and 12 more

advisory · knowledge, not enforced
  prowler  S3 bucket is not publicly listable by Everyone or a…
  trivy    S3 buckets should each define an aws_s3_bucket_publ…
  kics     S3 Bucket Allows Public Policy
  checkov  Ensure that S3 bucket has a Public Access block
  prowler  S3 bucket is not publicly accessible to Everyone or…
  … and 25 more
enforced = executable bumper rule: fires on a plan and can block a merge. advisory = knowledge-only catalog entry: federated guidance, round-robined across sources. The full corpus is available via the hosted Advisor below.
the hosted advisor

A knowledge MCP your agent can phone for best practice.

bumper's scanner is offline and deterministic — that never changes. The Advisor is the optional other half: a hosted Model Context Protocol server your AI tools can query for remediation guidance across AWS, GCP and Azure.

A free, hosted knowledge MCP

Point your editor or agent at the Advisor and it can semantically search every rule we know — 2,596+ entries from Trivy, Checkov, KICS and Prowler, merged with bumper's enforced set. Hosted on our box, free to use, no account.

Lookup, never upload

The Advisor answers questions about best practice — it never sees your plan, state, or code. scan, verify and guard stay 100% local on your machine; only the knowledge lookup is remote.

Always current

The catalog refreshes server-side as the upstream sources publish new rules — so the guidance keeps improving without you shipping a new binary or pulling a multi-megabyte database.

Same contract as local

The hosted search_rules tool returns the exact shape the offline binary does — the local index is lexical BM25; the Advisor adds real vector + hybrid semantic ranking. Swap one for the other with a single config line.

Open core. The binary is Apache-2.0 and runs without any of this. The Advisor is a free convenience, not a dependency.
~/.config/agent/mcp.json
# one line wires the hosted Advisor into any MCP client
{
  "mcpServers": {
    "bumper-advisor": {
      "type": "http",
      "url": "https://advisor.bumper.sh/mcp"
    }
  }
}

# or let bumper write it for you:
$ bumper init --advisor
the rule set
112 enforced rules

hand-written, versioned, and each one mapped to a concrete fix.

20 critical · 57 high · 32 medium · 3 low

network exposure · IAM & resource policies · TLS in transit · encryption at rest · EC2 / ECR / EKS hardening · GKE & Cloud SQL · Azure storage & SQL · destruction & recovery
AWS · GCP · Azure today. The engine is provider-agnostic — every rule is the same declarative CEL across all three clouds.
continuous integration

Drop it into the pull request.

One step in your workflow. The check runs on every plan and reports where developers already look.

SARIF to the Security tab

Findings upload as SARIF, so they appear inline in GitHub's Security tab — annotated on the exact line of Terraform.

One sticky PR comment

A single comment, updated in place on every push. No thread spam, no walls of duplicate output.

Fails on high+

Exits non-zero when a high or critical finding is present, so the check blocks the merge — configurable per repo.

.github/workflows/bumper.yml
# fail the PR before a destructive apply ever merges
name: bumper
on: [pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: gnana997/bumper@v1
        with:
          plan-json: plan.json
          fail-severity: high  # high + critical block the merge