PR Reviews

Review Terraform plan changes with automated risk scoring and blast radius analysis before merging.

PR Reviews automatically analyze Terraform plans from your CI pipeline and surface potential risks before you merge. Every plan is scored against configurable rules, and you can see exactly which resources will change and what downstream infrastructure they affect.

How it works

  1. Upload a plan - Your CI pipeline runs terraform plan and sends the JSON output to Cora.
  2. Score the changes - Cora evaluates each resource change against your risk rules and calculates a total score.
  3. Analyze blast radius - Cora traces relationships in your infrastructure graph to show which resources depend on the changes.
  4. Generate an AI summary (optional) - If enabled, Cora generates a concise summary that helps reviewers validate intent and impact quickly.
  5. Review and approve - Your team reviews the changes, matched rules, and blast radius before merging.

Risk levels

Every plan receives a risk level based on its total score. Scores are additive - each matching rule contributes its configured points to the total.

Level      Score Range   Meaning
Low        0 - 99        Routine changes with minimal review needed
Medium     100 - 499     Changes worth a second look
High       500 - 999     Significant changes requiring careful review
Critical   1000+         Major changes that may need multiple approvers

Approval tiers

You can configure approval requirements based on risk score. For example:

  • 0 - 100 points - No additional reviewers required
  • 100 - 500 points - 1 reviewer required
  • 500 - 1000 points - 2 reviewers required
  • 1000+ points - 3 reviewers required

If a plan exceeds the blocking threshold (default: 5000 points), it is marked as blocked and cannot proceed without manual override.
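The additive scoring, risk levels, and blocking threshold described above can be sketched as follows. This is an added example, not Cora's own code: the rule tuples, rule names, and sample plan are constructed assumptions, while the level boundaries and the 5000-point default come from this page. The input follows Terraform's JSON plan representation (`resource_changes[].change.actions`).

```python
import json

# Constructed sample in the shape of Terraform's JSON plan output (trimmed).
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_subnet.private", "type": "aws_subnet", "change": {"actions": ["delete"]}},
  {"address": "aws_security_group.web", "type": "aws_security_group", "change": {"actions": ["update"]}},
  {"address": "aws_db_instance.main", "type": "aws_db_instance", "change": {"actions": ["delete", "create"]}},
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {"actions": ["no-op"]}}
]}
""")

# Hypothetical rules: (name, resource type or "*", action, points).
# This is an illustrative format, not Cora's rule syntax.
RULES = [
    ("any delete", "*", "delete", 200),
    ("database replaced", "aws_db_instance", "replace", 600),
    ("security group edited", "aws_security_group", "update", 150),
]

# Lower bound of each risk level, taken from the table on this page.
LEVELS = [(1000, "Critical"), (500, "High"), (100, "Medium"), (0, "Low")]
BLOCK_THRESHOLD = 5000  # default blocking threshold stated on this page


def action_of(resource_change):
    """Collapse Terraform's actions list into create/update/delete/replace/no-op."""
    actions = resource_change["change"]["actions"]
    if "delete" in actions and "create" in actions:
        return "replace"  # Terraform emits ["delete","create"] or ["create","delete"]
    return actions[0]


def score_plan(plan, rules=RULES, block_threshold=BLOCK_THRESHOLD):
    """Return total score, risk level, blocked flag, and the rules that fired."""
    matched = []
    for rc in plan.get("resource_changes", []):
        action = action_of(rc)
        for name, rtype, rule_action, points in rules:
            if rtype in ("*", rc["type"]) and rule_action == action:
                matched.append((rc["address"], name, points))
    total = sum(points for _, _, points in matched)  # scores are additive
    level = next(label for floor, label in LEVELS if total >= floor)
    return {"total": total, "level": level,
            "blocked": total > block_threshold, "matched": matched}


if __name__ == "__main__":
    print(score_plan(SAMPLE_PLAN))
```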

Blast radius

Blast radius shows which resources are affected by the proposed changes - not just the resources being modified, but also the resources that depend on them.

Cora traverses up to 4 hops of relationships to find:

  • Directly affected resources - Resources with an immediate dependency on a changed resource
  • Transitively affected resources - Resources further downstream in the dependency chain

This helps you understand the full impact of a change. For example, deleting a subnet might affect EC2 instances, load balancers, and the services that depend on them.

Cost estimation

When you configure an Infracost API key, Cora displays cost estimates alongside risk scores. Each plan review shows:

  • Monthly Cost - Estimated infrastructure cost after the plan is applied
  • Cost Change - Dollar difference from current cost
  • % Change - Percentage increase or decrease

Cost increases appear in red, decreases in green. You can also create cost-based risk rules to automatically flag expensive changes.

GitHub integration

If your upload includes pull request context and you have linked a GitHub token, Cora can post a summary comment directly on your pull request with:

  • Risk level and total score
  • Required approvers based on your approval tiers
  • Summary of resource changes (creates, updates, deletes, replaces)
  • Matched rules table showing which rules fired and their scores
  • AI summary (if enabled)
  • Link to the full review in Cora

Viewing PR reviews

Visit PR Reviews to see all plan evaluations for your organization. You can:

  • Filter by status - View pending, evaluated, applied, or cancelled plans
  • Filter by workspace - Focus on a specific Terraform workspace
  • Search - Find plans by workspace, repository, or owner
  • View details - Click any plan to see the full evaluation

The detail view includes four tabs:

  • Resource Changes - List or diff view of all resource modifications
  • Graph - Visual representation of the changes in your infrastructure
  • Matched Rules - Table showing which risk rules matched and their scores
  • Blast Radius - Directly and transitively affected resources with relationship paths
