Heads-up: We’ve rebranded! Starting from 7th November 2025, the Digger project is now OpenTaco.
The company’s still Digger, same battle-tested engine — just a more apt name and a bigger vision.TL;DR
- Before: Best-in-class Terraform PR automation (a solid improvement upon Atlantis)
- After: The only piece of software you need to run Terraform or OpenTofu in production.
We'll gradually update all our marketing material to reflect the same!
CI/CD for Terraform is tricky. To make life easier, specialized CI systems aka TACOS exist - Terraform Cloud, Spacelift, Atlantis, etc.
But why have 2 CI systems? Why not reuse the async jobs infrastructure (compute, orchestration, logs, etc.) of your existing CI?
Digger runs Terraform natively in your CI. This is:
- Secure, because cloud access secrets aren't shared with a third-party
- Cost-effective, because you are not paying for additional compute just to run your Terraform
- Terraform plan and apply in pull request comments
- Private runners - thanks to the fact that there are no separate runners! Your existing CI's compute environment is used
- Open Policy Agent (OPA) support for RBAC
- PR-level locks (on top of Terraform native state locks, similar to Atlantis) to avoid race conditions across multiple PRs
- Terragrunt, Workspaces, multiple Terraform versions, static analysis via Checkov, plan persistence, ...
- Drift detection
Digger has 2 main components:
- CLI that runs inside your CI and calls Terraform with the right arguments
- Orchestrator - a minimal backend (that can also be self-hosted) that triggers CI jobs in response to events such as PR comments
Digger also stores PR-level locks and plan cache in your cloud account (DynamoDB + S3 on AWS, equivalents in other cloud providers)
- No need to host and maintain a server (although you can)
- Secure by design: jobs run in your CI, so sensitive data stays there
- Scalable compute: jobs can run in parallel
- RBAC and policies via OPA
- Drift detection
- Apply-after-merge workflows
- Web UI (cloud-based)
- Read more about differences with Atlantis in our blog post
- Open source; the orchestrator can be self-hosted
- Unlimited runs and unlimited resources-under-management on all tiers
- Jobs run in your CI, not on a third-party server
- Supports PR automation (apply before merge)
- No duplication of the CI/CD stack
- Secrets not shared with a third-party
-
Production-ready Terraform setup powered by Digger CI/CD - authored by Amit Lavi from Converge Bio
-
"I like Digger more than Terraform Cloud and Atlantis" (Translated from Japanese), includes an example repo
-
How the data ops team at Brevo uses Digger (a part of this podcast, French)
-
"Use Digger to run Terraform in a different GCP project for each environment" (Japanese)
-
"Automatically merging pull requests after terraform apply with Digger" (Japanese)
We love contributions. Check out our contributing guide to get started.
Please pick an existing issue if you’re interested in contributing; otherwise, feel free to create an issue and triage it with the maintainers before creating a PR.
Not sure where to get started? You can:
- Join our Slack, and ask us any questions there.
Digger collects anonymized telemetry. See usage.go for details. You can disable telemetry collection either by setting telemetry: false in digger.yml, or by setting the TELEMETRY env variable to false.
atlas migrate apply --url $DATABASE_URL --allow-dirty
You might need to disable SSL if running the default docker image.
export DATABASE_URL=postgres://postgres:root@localhost:5432/postgres?sslmode=disable
![@renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=64&v=4){kind=small}
