Skip to main content


Service that allows triggering of terraform plan/apply commands via webhooks, typically from merge request approvals in Gitlab/Github etc.

Website and documentation can be found at

Attack Surface

The Atlantis web interface is read only, with all configuration performed with environment variables or .yml files stored on the server. It is triggered by an external service (such as github) calling a webhook. Per-repository configuration is performed via an atlantis.yml file stored in the repository's root directory, details of which can be found at

Code Execution Through Merge Requests

Running terraform init and terraform plan on untrusted code can lead to code execution through use of a malicious custom terraform provider. An attacker able to open a merge request on a repository configured with Atlantis would be able to execute arbitrary code on the system running Atlantis, and thus access any credentials etc stored on or accessible from the system.

Alex Kaskasoli put a good article together on the details here: