tofulock

tofulock is a Go CLI that locks every Terraform and OpenTofu module to its exact resolved git commit in a small deterministic sidecar lockfile, then fails CI when a tag moves, a branch advances, or a constraint starts resolving to a different version — drift the native .terraform.lock.hcl never catches, because it pins providers only.

It can also emit signed in-toto/DSSE attestations as module-approval evidence. It’s for platform and security engineers who want content-pinning and change-control evidence for their infrastructure-as-code.