AI Code Review for Infrastructure as Code

Infrastructure code has its own class of debt

Infrastructure as Code transformed how teams manage cloud resources, container orchestration, and deployment pipelines. Instead of manually configuring servers and clicking through cloud consoles, teams define their infrastructure in declarative files that can be version-controlled, reviewed, and reproduced. Terraform, Pulumi, CloudFormation, Dockerfiles, Kubernetes YAML, and CI/CD pipeline definitions have become as critical to system reliability as the application code they deploy.

But infrastructure code accumulates debt in ways that application developers often do not anticipate. Terraform modules written for the initial deployment grow organically as the infrastructure expands. Configuration that was appropriate for a development environment gets promoted to production without security hardening. Docker images start with a reasonable base but accumulate unnecessary layers, run as root, and include development dependencies in production builds. Kubernetes manifests are copied between services with minor modifications, creating inconsistencies that cause unpredictable behaviour during deployments.

The tooling ecosystem for infrastructure code quality is less mature than for application code. terraform validate checks syntax but not security. tflint catches some patterns but operates within a single module. Hadolint reviews Dockerfiles against best practices but cannot reason about the relationship between Dockerfiles and the Kubernetes manifests that deploy them. The gap between what these tools catch and what a senior infrastructure engineer would catch in a thorough review is where VibeRails operates.

What VibeRails finds in infrastructure codebases

Infrastructure code develops specific categories of debt that reflect the declarative, cross-cutting nature of IaC. VibeRails scans every file – Terraform modules, Dockerfiles, Kubernetes manifests, Helm charts, CI/CD pipeline definitions, and supporting scripts – and surfaces these patterns:

• Hardcoded secrets and credentials – API keys, database passwords, and service account tokens embedded in Terraform variables, Docker build arguments, environment variable definitions, or CI/CD pipeline configurations. VibeRails traces credential usage across all infrastructure files and flags every instance where secrets are stored in code rather than a secrets manager.
• Over-permissive IAM policies – IAM roles and policies that grant broader permissions than required. Wildcard resource ARNs, overly broad action lists, and missing condition constraints that violate the principle of least privilege. VibeRails analyses every IAM policy definition and identifies where permissions exceed what the associated resources actually need.
• Terraform drift and state management issues – modules that reference resources without proper state locking configuration, backends without encryption, and state files that contain sensitive data without appropriate access controls. VibeRails identifies state management risks that create race conditions in team environments.
• Dockerfile anti-patterns – images running as root, multi-stage builds that leak build dependencies into production images, missing health checks, hardcoded package versions that prevent security updates, and layers ordered in ways that invalidate the build cache unnecessarily. VibeRails analyses every Dockerfile against production-readiness criteria.
• Kubernetes manifest complexity – missing resource limits and requests, security contexts that allow privilege escalation, services without network policies, pods without readiness probes, and deployment strategies that risk downtime during rollouts. VibeRails reviews every manifest for operational reliability and security.
• Inconsistent naming and tagging – resources across Terraform modules that follow different naming conventions, inconsistent tagging strategies that break cost allocation and resource management, and variable naming that makes modules difficult to compose. VibeRails identifies naming inconsistencies across the entire infrastructure codebase.
• Unused resources and configuration bloat – Terraform resources that are defined but no longer referenced, variables that are declared but never used, Kubernetes ConfigMaps and Secrets that are not mounted by any pod, and CI/CD pipeline stages that are always skipped. These create confusion and inflate infrastructure costs.

Cross-layer infrastructure analysis

The most valuable findings in infrastructure code reviews come from analysing the relationships between layers. A Dockerfile defines how an application is containerised. A Kubernetes manifest defines how that container is deployed. A Terraform module defines the cluster where that deployment runs. A CI/CD pipeline orchestrates the build and deployment process. Issues often emerge at the boundaries between these layers rather than within any single layer.

VibeRails analyses the full infrastructure codebase as an integrated system. It identifies patterns like Dockerfiles that expose ports that the Kubernetes service definition does not reference, environment variables defined in Terraform that are not propagated through the deployment chain, health check endpoints configured in Kubernetes that do not match the application's actual health check route, and resource limits in manifests that do not align with the instance types provisioned in Terraform.

This cross-layer analysis is something that no single-tool linter can provide. It requires reasoning about how Terraform, Docker, Kubernetes, and CI/CD configurations work together as a system. VibeRails uses AI to build that integrated understanding and surface mismatches that would otherwise only be discovered during deployment failures.

When DevOps teams need a full infrastructure audit

Before cloud migration or provider changes. Moving infrastructure between cloud providers or migrating from manually managed resources to IaC requires understanding every existing configuration. A VibeRails scan identifies hardcoded provider-specific assumptions, missing abstraction layers, and configuration that will not translate cleanly to the new environment.

After security incidents. A security breach involving infrastructure misconfiguration demands a full review of all IaC files. VibeRails identifies every over-permissive policy, exposed secret, and missing security control across the entire infrastructure codebase – not just the specific resource involved in the incident.

During compliance preparation. SOC 2, ISO 27001, and other compliance frameworks require evidence of infrastructure security controls. A VibeRails report provides structured findings that map to compliance requirements, giving auditors evidence of systematic infrastructure review.

When infrastructure complexity exceeds team understanding. If the team cannot confidently explain what every Terraform module does, how the deployment pipeline works end-to-end, or which resources would be affected by a change to a shared module, the infrastructure codebase has outgrown manual review. VibeRails provides the full-codebase analysis that restores visibility.

Local analysis for sensitive infrastructure code

Infrastructure code is among the most sensitive code in any organisation. It defines network boundaries, access controls, secret management, and deployment procedures. Many teams are uncomfortable uploading this material to a new third-party SaaS code review vendor.

VibeRails runs as a desktop application with a BYOK model. It orchestrates your existing Claude Code or Codex CLI installation from your local repository. VibeRails doesn't upload your repository to VibeRails servers; review requests go directly to the AI provider you choose, under your own account. (As always: don't commit secrets to your repo before you scan it.)

Per-developer licensing: $19/mo or $299 for the lifetime licence per developer. Each licence covers one machine. Scan your Terraform modules, Dockerfiles, Kubernetes manifests, and pipeline configurations as often as needed. Start with the free tier – 5 issues per review – and see what VibeRails finds in your infrastructure code today.