open-source Active

DriftGuard

Detect configuration drift across your environments

Go React Docker Kubernetes SQLite

DriftGuard detects configuration drift across your dev, staging, and production environments. It compares .env files, Docker Compose configs, and Kubernetes ConfigMaps/Secrets — catching silent mismatches before they cause production incidents.

The Problem

Every team has been there: a deploy fails at 2 AM because someone updated an environment variable in staging but forgot production. Or worse — production silently runs with a dev-key API secret for weeks.

Configuration drift is one of those problems that’s invisible until it’s catastrophic. Manual audits don’t scale, and most teams only discover drift after an incident.

How It Works

DriftGuard takes a declarative approach to environment configuration management:

  1. Scan — Point DriftGuard at your config sources (.env files, Docker Compose, Kubernetes manifests). It builds a unified map of every variable across all environments.

  2. Compare — Variables are compared across environments with context-aware rules. Some differences are expected (like DATABASE_URL varying per env); other findings are critical (like API_SECRET having the same value everywhere).

  3. Report — Results are classified by severity: critical drifts that need immediate attention, warnings worth investigating, and informational differences that are likely intentional.
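
The compare and report steps above, sketched as an added Go example; this is not DriftGuard's own code. The secret-name pattern, the three severity rules and the sample values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed naming rule for secret-like variables; not DriftGuard's own rule set.
var secretName = regexp.MustCompile(`(?i)(SECRET|TOKEN|PASSWORD|_KEY)$`)

// parseEnv reads KEY=VALUE lines; blanks, # comments and lines without "=" are skipped.
func parseEnv(src string) map[string]string {
	vars := map[string]string{}
	for _, line := range strings.Split(src, "\n") {
		k, v, ok := strings.Cut(strings.TrimSpace(line), "=")
		if k = strings.TrimSpace(k); ok && k != "" && !strings.HasPrefix(k, "#") {
			vars[k] = strings.Trim(strings.TrimSpace(v), `"'`) // quoted and bare values compare equal
		}
	}
	return vars
}

// classify maps each drifting variable to a severity: critical, warning or info.
func classify(envs map[string]map[string]string) map[string]string {
	vals, out := map[string][]string{}, map[string]string{} // vals: variable -> values per environment
	for _, vars := range envs {
		for k, v := range vars {
			vals[k] = append(vals[k], v)
		}
	}
	for k, vs := range vals {
		distinct := map[string]bool{}
		for _, v := range vs {
			distinct[v] = true
		}
		switch secret := secretName.MatchString(k); {
		case secret && len(distinct) < len(vs): out[k] = "critical" // secret reused across environments
		case len(vs) < len(envs): out[k] = "warning" // defined in some environments only
		case !secret && len(distinct) > 1: out[k] = "info" // e.g. DATABASE_URL per environment
		}
	}
	return out
}

func main() { // constructed sample input, not from a real deployment
	dev := parseEnv("DATABASE_URL=postgres://dev/db\nAPI_SECRET=dev-key\nFEATURE_X=on")
	prod := parseEnv("# prod\nDATABASE_URL=postgres://prod/db\nAPI_SECRET=\"dev-key\"")
	fmt.Println(classify(map[string]map[string]string{"dev": dev, "production": prod}))
}
```

Because quotes are stripped while parsing, `API_SECRET="dev-key"` in one file and `API_SECRET=dev-key` in another are recognised as the same secret rather than reported as a harmless difference.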

Key Features

  • Multi-source scanning — .env files, Docker Compose environment blocks, Kubernetes ConfigMaps and Secrets
  • Severity classification — Critical, warning, and info levels based on variable patterns and drift type
  • CI/CD integration — Exit codes for pipeline gates: fail the build if critical drift exists
  • Interactive fix mode — Walk through each drift and choose which value should be canonical
  • Watch mode — Monitor file changes and alert on new drift in real-time

Architecture

DriftGuard is written in Go for performance and easy distribution as a single binary. The core scanning engine processes config sources in parallel, building an in-memory graph of all variables and their values per environment.

driftguard/
├── cmd/           # CLI entry points (scan, fix, watch)
├── internal/
│   ├── scanner/   # Source-specific parsers (.env, compose, k8s)
│   ├── engine/    # Comparison and drift detection logic
│   ├── reporter/  # Output formatters (table, JSON, SARIF)
│   └── fixer/     # Interactive resolution workflow
├── pkg/           # Public API for library usage
└── web/           # React dashboard (optional)

The optional React dashboard provides a visual overview for teams who prefer a GUI. It connects to DriftGuard’s built-in HTTP server and shows real-time drift status with history tracking stored in SQLite.

Installation

# Using Go
go install github.com/ozayartunboran/driftguard@latest

# Using Docker
docker run --rm -v "$(pwd)":/workspace ghcr.io/ozayartunboran/driftguard scan

# Using Homebrew
brew install ozayartunboran/tap/driftguard

Quick Start

# Scan current directory
driftguard scan

# Scan specific environments
driftguard scan --envs dev,staging,production

# Output as JSON for CI/CD
driftguard scan --format json --fail-on critical

# Interactive fix mode
driftguard fix --interactive
