CI Publishing without secrets
No long-lived credentials. CI proves identity at publish time via OIDC - nothing to rotate, nothing to leak.
Git is not a registry. You've always known that. Why does your Terraform/OpenTofu stack still treat it like one?
Terramantle gives authors insight, dependency management, and supply chain scanning they need to see what's consumed across your stack before they land in production environments with no complexity.
You're ready for Terramantle if you're managing 3+ modules across 1+ repos, want CI trust instead of long-lived secrets, and want signals your team actually sees.
No long-lived credentials. CI proves identity at publish time via OIDC - nothing to rotate, nothing to leak.
Review provider source code before it reaches your network. CVEs and malware caught before consumption.
Know what breaks before you deprecate. See every module consumer before making a change.
What you published is what gets consumed - forever. No silent drift from force-pushes.
No more credential sprawl across runners. Scoped tokens, RBAC, and audit logs that grow with you.
Keep your Github Actions or Gitlab CI workflows the same. No Terramantle agents or runners with hidden limits and costs
State storage built for insight, discovery and safe day to day management.
Configure Terraform or OpenTofu's with standard HTTP backends. Your state is securely stored, versioned, and analysed - secret detection, public endpoint discovery run automatically on every push.
A simple click to force unlock a state file, no need to provide access to individuals to perform this action, keeping state files safe and secure.
Your infrastructure credentials pass through every provider you run. Think about that. Unvetted source code directly accessing your cloud environments!
Those providers are Go executables - compiled by strangers, distributed as Terraform plugins, pulling in dozens of transitive dependencies you've never seen or know about.
Mitigate unvetted source code reaching your production environments: scanning source code, going beyond standard CVE detection with AI models to inspect intent, and blocking malware before any binary is built and shipped to your environments.
AI-assisted analysis inspects provider source for execution intent, obfuscation, and known malware patterns beyond what signature scanning catches.
Run it yourself on Kubernetes or Docker when you need to own the infrastructure, enforce air-gap workflows, and operate disconnected registries for sensitive and regulated environments.
Highly Available by design, S3-backed object storage, so the service itself stays lightweight, easy to move, and simple to operate.
Open standards and cryptography bring providers and modules into regulated environments with proof they haven't been tampered with. No pointing engineers at public registries and trusting one person to vet what comes back.
Engineers keep using the same cli native tool behaviour and registry URLs they know, with no one-off wrapper to learn for self-hosted use.