IaC Bazaar

How we verify

“Verified” is a word most marketplaces wave around. We make it mean something specific and checkable. Every module is graded on a transparent ladder, and we never claim a rung it hasn't earned — in particular, we never call a module live-tested unless it was really applied, verified, and destroyed in a cloud sandbox.

Three independent trust axes

A green badge on one axis never implies the others. We show all three, with the receipts.

Conformance

Does the code hold up to static analysis? fmt + validate, lint, security scanning (Checkov + Trivy at HIGH/CRITICAL), and mocked-plan tests that prove the module’s own validation rules reject bad input.

Provenance

Can you trust the bytes you download? Every version ships a SHA-256 checksum and a cryptographic signature, so you can verify it was published by us and not tampered with in transit.
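The checksum half of that check, written out as an added example rather than IaC Bazaar's own tooling: it parses a `sha256sum`-style checksum file ("<hex>  <filename>"), hashes the downloaded bytes, and accepts only an exact match. The archive bytes, filename and checksum line are constructed for the demo; the line format is an assumption, and the signature step (which binds the bytes to the publisher's key and depends on whatever signing tool is used) is not covered here.

```python
"""Verify a downloaded module archive against its published SHA-256 checksum.

Added example, not IaC Bazaar's own code. Assumes the checksum file uses the
common `sha256sum` line format; all sample data below is constructed.
"""
import hashlib
import hmac


def parse_checksum_file(text: str) -> dict:
    """Map filename -> lowercase hex digest from sha256sum-style lines."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # "hex  name" (binary mode writes "hex *name")
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        name = name.lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
        digests[name] = digest.lower()
    return digests


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the archive bytes as downloaded."""
    return hashlib.sha256(data).hexdigest()


def verify_archive(name: str, data: bytes, checksum_text: str) -> bool:
    """True only if `data` matches the published digest for `name`.

    A filename with no published digest fails rather than passes; the digest
    comparison is constant-time so timing does not leak where digests differ.
    """
    expected = parse_checksum_file(checksum_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


# Constructed sample: the "downloaded" archive and the checksum line that a
# publisher would ship alongside it (here derived from the same bytes).
SAMPLE_ARCHIVE = b"constructed-module-archive-contents\n"
SAMPLE_CHECKSUMS = f"{sha256_hex(SAMPLE_ARCHIVE)}  vpc-1.2.0.tar.gz\n"

if __name__ == "__main__":
    print(verify_archive("vpc-1.2.0.tar.gz", SAMPLE_ARCHIVE, SAMPLE_CHECKSUMS))         # True
    print(verify_archive("vpc-1.2.0.tar.gz", SAMPLE_ARCHIVE + b"x", SAMPLE_CHECKSUMS))  # False
```

A checksum alone only proves the bytes on disk are the bytes the checksum file names; it is the signature over that file (or over the archive) that proves who published them, so the two checks are only useful together.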

Functional

Does it actually run? Only modules really applied to a cloud, asserted against, checked for idempotency, and torn down clean earn the "live-tested" mark — with the teardown confirmed.

The verification ladder

Each module climbs as far as the evidence allows. Rungs 0–3 need no cloud account at all; the top two require real infrastructure.

  0. Parses. Requires: no credentials.

    Syntactically valid; types and required arguments check out.

  1. Static-verified. Requires: no credentials.

    Passed: validated and lint-clean (provider-schema-validated for AWS/Azure/GCP; Terraform-language lint elsewhere).

  2. Plan-validated. Requires: no credentials (mocked provider).

    Passed: module logic verified on a mocked plan: inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).

  3. Plan-verified. Requires: a real, empty cloud account (no resources created).

    Passed: plans cleanly against a real provider account; no resources created.

  4. Live-tested. Requires: an isolated cloud sandbox (real apply → destroy).

    Really deployed, verified, idempotent and destroyed in a cloud sandbox.

Our honesty commitment

The badge on every module is computed from stored evidence by a pure function — it is impossible for a listing to claim more than the verification that actually ran. Static-only modules are labeled exactly that, and when a provider has no applicable security policies we say so rather than implying a clean pass.
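What such a pure badge function can look like, as an added example covering both the ladder above and this commitment (it is not IaC Bazaar's code): the evidence record, its field names and the rung labels are assumptions modelled on the five rungs described on this page. The function takes only the stored evidence, reaches each rung only through the one below it, treats idempotency as "a second apply reports zero changes", and reports a security scan with no applicable policies as exactly that rather than as a clean pass.

```python
"""Compute a module's ladder rung and badge from stored verification evidence.

Added example, not IaC Bazaar's own code. Field names, rung labels and the
idempotency rule (second apply shows 0 changes) are assumptions modelled on
the ladder on this page. The function is pure: no I/O, so the badge can only
ever reflect evidence that was actually stored.
"""
from dataclasses import dataclass
from typing import Optional

RUNG_LABELS = {
    0: "Parses",
    1: "Static-verified",
    2: "Plan-validated",
    3: "Plan-verified",
    4: "Live-tested",
}


@dataclass(frozen=True)
class Evidence:
    """One stored verification run. Every flag defaults to 'not proven'."""
    parses: bool = False
    validate_ok: bool = False
    lint_ok: bool = False
    mocked_plan_ok: bool = False
    real_plan_ok: bool = False
    real_plan_created_resources: bool = True   # must be proven False for rung 3
    applied: bool = False
    assertions_ok: bool = False
    second_apply_changes: Optional[int] = None  # 0 proves idempotency
    destroyed: bool = False
    teardown_confirmed: bool = False
    security_findings: Optional[int] = None     # None: no applicable policies


def ladder_rung(ev: Evidence) -> int:
    """Highest rung whose prerequisites are all present; -1 if nothing parsed.

    Rung k is reachable only through rung k-1, so evidence of a live apply
    without a clean static pass still yields the lower rung, never a jump.
    """
    steps = [
        ev.parses,
        ev.validate_ok and ev.lint_ok,
        ev.mocked_plan_ok,
        ev.real_plan_ok and not ev.real_plan_created_resources,
        ev.applied and ev.assertions_ok and ev.second_apply_changes == 0
        and ev.destroyed and ev.teardown_confirmed,
    ]
    rung = -1
    for passed in steps:
        if not passed:
            break
        rung += 1
    return rung


def badge(ev: Evidence) -> dict:
    """Listing badge derived purely from evidence: rung, label, scan result."""
    rung = ladder_rung(ev)
    if ev.security_findings is None:
        scan = "no applicable policies"           # said plainly, not "clean"
    elif ev.security_findings == 0:
        scan = "clean"
    else:
        scan = f"{ev.security_findings} HIGH/CRITICAL finding(s)"
    return {
        "rung": rung,
        "label": RUNG_LABELS.get(rung, "Unverified"),
        "live_tested": rung == 4,                 # only the top rung earns it
        "security_scan": scan,
    }


# Constructed sample: a full run that earned every rung.
FULL_RUN = Evidence(
    parses=True, validate_ok=True, lint_ok=True, mocked_plan_ok=True,
    real_plan_ok=True, real_plan_created_resources=False,
    applied=True, assertions_ok=True, second_apply_changes=0,
    destroyed=True, teardown_confirmed=True, security_findings=0,
)

# Constructed sample: same run, but the second apply still wanted one change,
# so the module is not idempotent and stops at rung 3.
DRIFTING_RUN = Evidence(
    parses=True, validate_ok=True, lint_ok=True, mocked_plan_ok=True,
    real_plan_ok=True, real_plan_created_resources=False,
    applied=True, assertions_ok=True, second_apply_changes=1,
    destroyed=True, teardown_confirmed=True, security_findings=0,
)

if __name__ == "__main__":
    print(badge(FULL_RUN))      # rung 4, live_tested True
    print(badge(DRIFTING_RUN))  # rung 3, live_tested False
```

Because the badge is a function of the record alone, the only way to change what a listing claims is to change the stored evidence, which is what makes the claim checkable after the fact.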