TTerramantle
Get Started Free
Registry Protocol v1 · Terraform · OpenTofu · Coder

Your modules have dependencies. Do you know them?
The private Terraform registry that maps every consumer.

Git is not a registry. You've always known that. Why does your Terraform/OpenTofu stack still treat it like one?

Terramantle gives authors insight, dependency management, and supply chain scanning they need to see what's consumed across your stack before they land in production environments with no complexity.

registry.terramantle.dev/acme · Dependency graph

Git refs aren't version constraints

Force-push silently changes what consumers receive.

Secrets end up in CI runners

One leaked credential exposes your entire module distribution path.

Nobody knows what modules already exist

Teams rebuild what's already there because discovery is grep.

Feature Set · What you get

A no fuss artefact registry without a platform migration.

You're ready for Terramantle if you're managing 3+ modules across 1+ repos, want CI trust instead of long-lived secrets, and want signals your team actually sees.

Team workflows

CI Publishing without secrets

No long-lived credentials. CI proves identity at publish time via OIDC - nothing to rotate, nothing to leak.

Security

Supply Chain Scanning

Review provider source code before it reaches your network. CVEs and malware caught before consumption.

Operational clarity

Dependency Graph

Know what breaks before you deprecate. See every module consumer before making a change.

Reproducibility

Immutable releases & versioning

What you published is what gets consumed - forever. No silent drift from force-pushes.

Access control

Access control that scales

No more credential sprawl across runners. Scoped tokens, RBAC, and audit logs that grow with you.

No vendor lock-in, no hidden costs

No Vendor lock-in, no runners, deploy anywhere

Keep your Github Actions or Gitlab CI workflows the same. No Terramantle agents or runners with hidden limits and costs

State Insight

Not just remote state locking

State storage built for insight, discovery and safe day to day management.

Configure Terraform or OpenTofu's with standard HTTP backends. Your state is securely stored, versioned, and analysed - secret detection, public endpoint discovery run automatically on every push.

A simple click to force unlock a state file, no need to provide access to individuals to perform this action, keeping state files safe and secure.

# All of the value to the left by simply configuring a Terraform backend;

terraform {
backend "http" {
address = "https://registry.terramantle.dev/state/acme/prod"
username = "terramantle-bot"
lock_address = "https://registry.terramantle.dev/state/acme/prod.lock"
unlock_address = "https://registry.terramantle.dev/state/acme/prod.lock"
}
}

# Works with any Terraform or OpenTofu version.
Supply chain

Scan provider source code before the binaries touch production.

Your infrastructure credentials pass through every provider you run. Think about that. Unvetted source code directly accessing your cloud environments!

Those providers are Go executables - compiled by strangers, distributed as Terraform plugins, pulling in dozens of transitive dependencies you've never seen or know about.

Mitigate unvetted source code reaching your production environments: scanning source code, going beyond standard CVE detection with AI models to inspect intent, and blocking malware before any binary is built and shipped to your environments.

# Provider allow list enforcement

terraform {
required_providers {
aws = {
source = "registry.terramantle.dev/acme/aws"
version = "~> 5.0"
}
}
}

# Scanned: ✓ CVEs: 0 Malware: clean SBOM: generated
# Policy Gate: PASS - approved for production consumption

AI-assisted analysis inspects provider source for execution intent, obfuscation, and known malware patterns beyond what signature scanning catches.

Self-hosting

Start free in the cloud. Self-host when you need control.

Run it yourself on Kubernetes or Docker when you need to own the infrastructure, enforce air-gap workflows, and operate disconnected registries for sensitive and regulated environments.

Scales by design

Highly Available by design, S3-backed object storage, so the service itself stays lightweight, easy to move, and simple to operate.

Mirror into disconnected environments

Open standards and cryptography bring providers and modules into regulated environments with proof they haven't been tampered with. No pointing engineers at public registries and trusting one person to vet what comes back.

Familiar to engineers

Engineers keep using the same cli native tool behaviour and registry URLs they know, with no one-off wrapper to learn for self-hosted use.

Kubernetes or Docker DeploymentRun on Kubernetes (Rancher, OpenShift, Tanzu), Docker Compose, or any Linux host
↓ artefacts, metadata, and mirrored content
S3-compatible object storageModules, providers, and mirrored artefacts in MinIO, SeaweedFS, Ceph, or AWS S3
Metadata indexRelease metadata, registry index, audit logs, and versioning data
OIDC + Internal AuthStandalone authentication or integrate with Keycloak, Azure Entra, Okta, and other IDPs
Pricing

Free for solo engineers. Add governance and provenance as you grow.

Start free with the full feature set. Upgrade as your team grows or when you need provider registry access, deeper audit retention, and OPA enforcement. Self-host anytime with Kubernetes and air-gapped networks.