Two Kinds of Drift
Before comparing tools, you need to understand that "config drift" means two different things:
- Application config drift — Your
dev.yaml,staging.yaml, andprod.yamlfiles have diverged. Staging is missing a flag that dev has. Production has a database endpoint that staging doesn't. This is the drift that causes "works on my machine" incidents and failed deployments. - Infrastructure drift — Someone changed an AWS security group through the console, or a Terraform resource was modified outside of IaC. Your infrastructure state no longer matches your Terraform code. This is the drift that causes security vulnerabilities and compliance violations.
These are fundamentally different problems that need different tools:
| Drift Type | ConfigDrift | driftctl | Terraform Plan | Checkov |
|---|---|---|---|---|
| Application config drift | ✓ Primary focus | ✗ | ✗ | ✗ |
| Infrastructure state drift | ✗ | ✓ Primary focus | ✓ | ✗ |
| IaC policy violations | ✗ | ✗ | ✗ | ✓ Primary focus |
This comparison covers both drift types because most teams need to address both. But the tools don't overlap — they solve different problems.
Tool 1: ConfigDrift — Application Config Diff and Scan
ConfigDrift — Detect Application Config Drift Across Environments
checkcompares 2+ config files and reports driftscancompares entire environment directories- Severity levels: Info, Warning, Breaking
- Formats: YAML, JSON, TOML, .env
- CI/CD gating with
--output silent
ConfigDrift is a CLI tool that compares your application configuration files across environments. It's designed for the workflow where you have config/dev.yaml, config/staging.yaml, and config/prod.yaml and need to know exactly how they differ before deploying.
Core workflow
# Compare two config files
configdrift check dev.yaml prod.yaml
# ┌──────────────────┬────────┬──────────────────────────┬──────────────────────────┬───────────┐
# │ Key │ Change │ Old Value │ New Value │ Severity │
# ├──────────────────┼────────┼──────────────────────────┼──────────────────────────┼───────────┤
# │ database.host │ ~ │ db.dev.internal │ db.prod.internal │ BREAKING │
# │ new_feature.flag │ + │ (missing) │ enabled │ WARNING │
# │ deprecated.key │ - │ old_value │ (missing) │ INFO │
# │ auth.secret │ ~ │ dev_secret │ prod_secret │ BREAKING │
# └──────────────────┴────────┴──────────────────────────┴──────────────────────────┴───────────┘
# Scan entire directories as environments
configdrift scan ./config/dev ./config/staging ./config/prod --baseline dev
# CI/CD gate — exit 1 if breaking drift found
configdrift check dev.yaml prod.yaml --output silent
# Exit code 0 = safe, 1 = breaking drift detected
# JSON output for programmatic processing
configdrift check dev.yaml prod.yaml --output json
What ConfigDrift gets right
- Application-config focus. Compares YAML, JSON, TOML, and .env files — the config files that define how your application behaves. Not infrastructure state, not IaC code.
- Severity classification. Automatically classifies changes as Breaking (database.host, auth.secret, api_key), Warning (added/removed optional keys), or Info (non-critical value changes). You know at a glance which drift matters.
- Directory-level scanning.
scantreats a directory as an environment, merges all config files within it, and compares against a baseline. No manual file pairing. - CI/CD gating.
--output silentgives you a clean exit code: 0 for no breaking drift, 1 for breaking drift. Drop it into any pipeline. - Offline-first. No network required. All comparison happens locally.
- Multi-format. Handles YAML, JSON, TOML, and .env in the same scan. A directory with mixed config file types works out of the box.
Where ConfigDrift is limited
- Not for infrastructure drift. Doesn't compare Terraform state to cloud resources. Use driftctl for that.
- Not for IaC policy enforcement. Doesn't lint your Terraform code for security or compliance violations. Use Checkov for that.
- No auto-remediation. Detects drift but doesn't fix it. You sync or edit manually.
Tool 2: driftctl — Infrastructure State Drift Detection
driftctl — Detect Infrastructure Drift from IaC
- Compares Terraform state against actual cloud resources
- Supports AWS, GCP, Azure
- Detects unmanaged resources (not in Terraform)
driftctl answers a different question: "Does my cloud infrastructure match my Terraform code?" It scans your cloud account (AWS, GCP, or Azure), enumerates all resources, and compares them against what's defined in your Terraform state. Anything that differs is drift — a resource that was modified outside Terraform, or a resource that exists in the cloud but isn't managed by Terraform at all.
Core workflow
# Scan AWS for drift against Terraform state
driftctl scan --tfstate s3://my-tfstate/terraform.tfstate
# Results:
# - 3 resources drifted (changed outside Terraform)
# - 12 unmanaged resources (exist in AWS but not in Terraform)
# - 47 managed resources (in sync)
# Filter by resource type
driftctl scan --tfstate ./terraform.tfstate --filter 'ResourceType=="aws_s3_bucket"'
# Output as JSON
driftctl scan --tfstate ./terraform.tfstate --output json://results.json
What driftctl gets right
- Cloud-native drift detection. Directly compares Terraform state against live cloud resources. No simulation or planning — it checks what's actually deployed.
- Unmanaged resource detection. Finds resources that exist in your cloud account but aren't managed by Terraform. This catches manual console changes, shadow resources, and forgotten infrastructure.
- Multi-cloud. Supports AWS, GCP, and Azure. Compare Terraform state across any supported provider.
- Open source. Apache 2.0 license. Self-host, audit the code, contribute.
- CI/CD integration. Run
driftctl scanin CI and fail on drift. Send alerts to Slack.
Where driftctl falls short for application config drift
- No application config comparison. driftctl only compares cloud resources. It can't diff your
dev.yamlagainstprod.yaml. - Requires Terraform. Only works if your infrastructure is managed by Terraform. Pulumi, CloudFormation, or manual infrastructure isn't supported.
- Cloud credentials required. Must authenticate with AWS/GCP/Azure to scan. No offline mode.
- Performance at scale. Scanning large AWS accounts can take minutes. Not suitable for pre-commit hooks or rapid feedback loops.
Best for: Teams that manage infrastructure with Terraform and need to detect manual changes, unmanaged resources, and state drift. Does not address application config drift — use alongside ConfigDrift for full coverage.
Tool 3: Terraform Plan — State Divergence Detection
Terraform Plan — Show Infrastructure Changes Before Apply
- Shows what Terraform would change to match desired state
- Built into every Terraform workflow
- Requires Terraform state and code
terraform plan is the built-in way to see drift between your Terraform code and your infrastructure state. It compares your current state file against what your code defines, then queries the cloud to find real differences. The output shows what would be added, changed, or destroyed.
Core workflow
# Plan shows drift between code and reality
terraform plan
# Plan: 2 to add, 1 to change, 0 to destroy.
# ──────────────────────────────────────────
# ~ aws_security_group.web
# ingress.0.cidr_blocks.0: "10.0.0.0/8" → "0.0.0.0/0"
# (THIS IS DRIFT — someone widened the security group in the console)
# + aws_s3_bucket.logs (not yet created — defined in code but missing in cloud)
# ──────────────────────────────────────────
What Terraform Plan gets right
- Already in your workflow. You're already running
terraform planbefore every apply. No new tool to install. - Exact change preview. Shows precisely what attributes differ between code and state, and what would change if you apply.
- Zero additional cost. Built into Terraform. Free and open source.
- CI/CD native. GitHub Actions, GitLab CI, and every Terraform workflow runs plan as a standard step.
Where Terraform Plan falls short as a drift detection tool
- Reactive, not proactive.
terraform planonly detects drift when you run it. It doesn't continuously monitor for manual changes. Someone could drift your infrastructure on Monday, and you wouldn't know until your next plan on Wednesday. - No unmanaged resource detection. Plan only checks resources in your Terraform state. It won't find resources that exist in the cloud but aren't managed by Terraform. driftctl catches these.
- Not for application config. Plan compares Terraform code against cloud state. It can't diff your application YAML or JSON config files.
- Requires Terraform state. If your state file is stale or corrupted, plan results are unreliable.
Best for: Every Terraform user. It's already in your workflow. But it's not a dedicated drift detection tool — it's a planning tool that incidentally shows drift. Supplement with driftctl for unmanaged resources and ConfigDrift for application config drift.
Tool 4: Checkov — IaC Policy Enforcement
Checkov — Static Analysis for IaC Security and Compliance
- Scans Terraform, CloudFormation, Kubernetes, Helm, Dockerfile
- 800+ built-in policies (security, compliance, best practices)
- Custom policies via Python or YAML
Checkov is a static analysis tool for infrastructure-as-code. It scans your Terraform, CloudFormation, Kubernetes manifests, and Dockerfiles for policy violations — security misconfigurations, compliance failures, and best-practice deviations. It doesn't detect runtime drift; it catches problems in your code before you deploy.
Core workflow
# Scan Terraform code for policy violations
checkov -d ./terraform
# Check: CKV_AWS_23: "Security Group does not allow outbound traffic to the internet"
# PASSED for resource: aws_security_group.web
#
# Check: CKV_AWS_24: "Security Group does not allow inbound from 0.0.0.0:22"
# FAILED for resource: aws_security_group.ssh
# File: /main.tf:15-22
# Scan a single file
checkov -f main.tf --framework terraform
# Custom policy
checkov -d ./terraform --custom-policy-dir ./policies/
What Checkov gets right
- Pre-deploy policy enforcement. Catches security issues in your IaC code before they become infrastructure drift. Prevention beats detection.
- 800+ policies. Covers AWS, GCP, Azure, Kubernetes, and more. CIS benchmarks, SOC2, HIPAA, and custom policies.
- Multi-framework. Terraform, CloudFormation, Kubernetes, Helm, ArgoCD, Dockerfile. Not limited to one IaC tool.
- Custom policies. Write your own policies in Python or YAML. Enforce team-specific standards.
- CI/CD integration. Pre-commit hooks, GitHub Actions, GitLab CI. Fail the pipeline on policy violations.
Where Checkov falls short for drift detection
- Not a drift detection tool. Checkov analyzes code, not live infrastructure. It can tell you that your Terraform code violates a security policy, but it can't tell you that someone changed a resource in the AWS console after deployment.
- No runtime comparison. Doesn't compare code against actual cloud state. That's driftctl's job.
- No application config comparison. Doesn't diff YAML/JSON/TOML application config files across environments. That's ConfigDrift's job.
- Policy enforcement, not drift reporting. Checkov's output is "policy X failed" — not "environment A drifted from environment B by these specific keys."
Best for: Teams that need IaC security scanning and compliance enforcement before deployment. Not a drift detection tool — use alongside ConfigDrift (application drift) and driftctl (infrastructure drift) for full coverage.
Feature Comparison
| Capability | ConfigDrift | driftctl | Terraform Plan | Checkov |
|---|---|---|---|---|
| App config diff (YAML/JSON/TOML/.env) | ✓ | ✗ | ✗ | ✗ |
| Directory-level environment scan | ✓ | ✗ | ✗ | ✗ |
| Severity classification (Breaking/Warning/Info) | ✓ Auto | ✗ | ~ Plan/apply | ✓ Policy severity |
| Infrastructure state drift detection | ✗ | ✓ | ✓ | ✗ |
| Unmanaged resource detection | ✗ | ✓ | ✗ | ✗ |
| IaC policy enforcement | ✗ | ✗ | ✗ | ✓ 800+ policies |
| Multi-cloud support | ✗ N/A | ✓ AWS/GCP/Azure | ✓ Any TF provider | ✓ AWS/GCP/Azure/K8s |
| CI/CD exit code gating | ✓ --output silent |
✓ | ✓ | ✓ |
| Works offline | ✓ | ✗ | ✗ | ✓ |
| Requires Terraform | ✗ | ✓ | ✓ | ~ Or CloudFormation |
| Open source | ✓ MIT | ✓ Apache 2.0 | ✓ MPL/BSL | ✓ Apache 2.0 |
CI/CD Integration Compared
All four tools can gate your CI/CD pipeline, but they gate on different things:
| CI/CD Gate | ConfigDrift | driftctl | Terraform Plan | Checkov |
|---|---|---|---|---|
| What it gates on | App config drift between envs | Infra state drift from IaC | Code vs. state divergence | IaC policy violations |
| When to run | Before app deploy | Scheduled (daily/weekly) | Before terraform apply | Before terraform apply |
| Execution time | 1–3 seconds | 1–5 minutes | 10–60 seconds | 5–30 seconds |
| Network required | ✗ | ✓ | ✓ | ✗ (code-only scan) |
ConfigDrift CI/CD pipeline
name: Deploy to Production
on: [push]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: pip install configdrift
# Gate: block deploy if breaking config drift
- name: Config drift check
run: |
configdrift check config/dev.yaml config/prod.yaml --output silent
# Deploy only if no breaking drift
- name: Deploy
run: ./deploy.sh
driftctl scheduled drift scan
name: Infrastructure Drift Scan
on:
schedule:
- cron: '0 9 * * 1-5' # Weekdays at 9am
jobs:
drift-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: curl -s https://raw.githubusercontent.com/snyk/driftctl/main/install.sh | sh
- name: Scan for infrastructure drift
run: |
driftctl scan --tfstate s3://my-tfstate/terraform.tfstate
# Fails if drift detected
Checkov pre-deploy policy check
name: IaC Security Check
on: [push]
jobs:
checkov:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: pip install checkov
- name: Scan Terraform for policy violations
run: |
checkov -d ./terraform --framework terraform --quiet
# Fails if any policy violation found
When to Use Which
Use ConfigDrift when:
You have application config files (YAML, JSON, TOML, .env) that differ across dev, staging, and prod. You need to know exactly which keys drifted, which changes are breaking, and whether it's safe to deploy. Run before every application deployment.
Use driftctl when:
You manage infrastructure with Terraform and need to detect manual console changes, unmanaged resources, and state drift. Run on a schedule (daily or weekly) to catch infrastructure drift before it causes security incidents.
Use Terraform Plan when:
You're already using Terraform. Plan is your standard pre-apply check. It shows drift as a side effect of the planning process. Not a dedicated drift monitoring tool — supplement with driftctl for continuous detection.
Use Checkov when:
You need to enforce security policies and compliance standards on your IaC code before deployment. Run in CI before every terraform apply to prevent misconfigurations from becoming infrastructure.
The Full Drift Coverage Stack
Most production teams need drift detection at three layers:
# Layer 1: Application config drift (ConfigDrift)
# Run before every application deployment
configdrift check config/dev.yaml config/prod.yaml --output silent
# Layer 2: IaC policy enforcement (Checkov)
# Run before every infrastructure change
checkov -d ./terraform --framework terraform
# Layer 3: Infrastructure state drift (driftctl)
# Run on a schedule to catch manual changes
driftctl scan --tfstate s3://my-tfstate/terraform.tfstate
# Layer 4: Terraform plan (built-in)
# Run before every terraform apply
terraform plan -detailed-exitcode
These tools are complementary, not competing. ConfigDrift catches application config drift that the other three can't see. driftctl catches infrastructure drift that Terraform plan misses (unmanaged resources). Checkov catches policy violations before they become drift. And Terraform plan is your standard pre-apply check.
Cost Comparison
| Cost Factor | ConfigDrift | driftctl | Terraform Plan | Checkov |
|---|---|---|---|---|
| License | MIT (free tier available) | Apache 2.0 (free) | MPL/BSL (free) | Apache 2.0 (free) |
| Paid features | $15/mo unlimited envs | Cloud platform (Snyk) | Terraform Cloud from $0 | Prisma Cloud platform |
| Full suite cost (11 tools) | $49/mo Suite | N/A | N/A | N/A |
Note: ConfigDrift is part of the DevForge Suite — $49/mo covers all 11 CLI tools (ConfigDrift, Envault, APIAuth, DeployDiff, json2sql, DeadCode, APIGhost, SchemaForge, click-to-mcp, DataMorph, API Contract Guardian).
Install ConfigDrift
# Install via pip
pip install git+https://github.com/Coding-Dev-Tools/configdrift.git
# Or via Homebrew (macOS/Linux)
brew tap Coding-Dev-Tools/tap
brew install configdrift
# Or via Scoop (Windows)
scoop bucket add Coding-Dev-Tools https://github.com/Coding-Dev-Tools/scoop-bucket
scoop install configdrift
# Compare your configs
configdrift check dev.yaml prod.yaml
Star ConfigDrift on GitHub
Related Reading
- How to Catch Config Drift Before It Breaks Production — ConfigDrift tutorial
- Block Deployments on Config Drift — CI/CD Gating Tutorial — pipeline integration
- Before You Deploy: Config Drift AND Infrastructure Cost — ConfigDrift + DeployDiff combo
- Environment Variable Management Compared — Envault vs Doppler vs Infisical vs dotenv-vault