Introducing Spacelift Plugins: Extensibility Meets Infrastructure as Code

Today, we’re thrilled to announce Spacelift Plugins, a powerful new way to extend your infrastructure workflows by seamlessly integrating the tools your team already relies on.

Infrastructure teams don’t work in isolation. You’re already using security scanners, cost analyzers, compliance checkers, secret managers, and plenty of internal tooling to keep delivery fast and safe. But wiring all of those tools into a clean, reliable pipeline has historically meant custom scripts, CI/CD gymnastics, and a maintenance tax that never really goes away.

We built Plugins to change that.

Modern DevOps and platform teams rely on a growing ecosystem of best-of-breed tools:

• Security scanners like Checkov and Trivy
• Cost analyzers like Infracost
• Compliance checkers like terrascan
• Secret management tools like SOPS
• And countless other specialized tools that matter to your workflow

Until now, integrating them into your infrastructure pipeline meant stitching together brittle integrations or forcing teams into compromises.

Plugins turn that integration problem into a first-class, native capability.

Plugins are first-class extensions that integrate directly into your Spacelift workflows. They allow you to:

• Augment runs with security scanning, cost estimation, compliance checks, and more
• Standardize tooling across your organization without forcing teams into rigid processes
• Build custom integrations that fit your unique requirements
• Leverage community contributions to accelerate your infrastructure operations

Think of Plugins as a native extension point for Spacelift, purpose-built to make your infrastructure pipeline as flexible and powerful as it needs to be.

We’re launching with support for tools infrastructure teams use every day:

Security & Compliance

• Checkov: Scan your infrastructure code for security and compliance issues before deployment.
• terrascan: Detect compliance and security violations across your IaC.
• Trivy: Get comprehensive vulnerability scanning for containers, IaC, and more.
• TruffleHog: Hunt for exposed secrets and credentials in your code.
• Wiz: Get cloud security posture management integrated into your deployment pipeline.

Secrets & Configuration Management

• SOPS: Encrypt and decrypt secrets seamlessly in your infrastructure code.
• Ssm_parameter_store: Integrate AWS Systems Manager Parameter Store directly into your workflows.
• Environment_manager: Manage environment variables and configuration across stacks.
• Envsubst: Get dynamic environment variable substitution for flexible configurations.

Cost & Performance

• Infracost: Get real-time cost estimates for every infrastructure change.
• Opentofu-tracing: Leverage deep insights and tracing for OpenTofu operations.

And there are so many more, with new plugins added by the community regularly.

Each plugin integrates seamlessly into your Spacelift runs, providing insights exactly when you need them, before changes reach production.

The real power of Plugins lies in extensibility. With Spaceforge, our open-source SDK, you can build custom plugins tailored to your organization’s needs. Whether you’re integrating internal tools, proprietary scanners, or creating something entirely new, Spaceforge makes it straightforward.

# Get started building your own plugin
git clone https://github.com/spacelift-io/plugins

Spaceforge provides:

• Clear plugin interfaces that handle Spacelift integration automatically
• Testing frameworks to validate your plugins work correctly
• Documentation and examples to get you started quickly
• Community support from other plugin developers

We’re releasing the plugins repository as open source because we believe the best integrations come from the community. 

Whether you’re:

• Contributing new plugins for tools you love
• Improving existing plugins with bug fixes or features
• Sharing best practices and patterns
• Building internal plugins for your organization

…we want to make it easy. Browse the repository, open issues, submit PRs, and help us build the ecosystem together.

Teams are already putting Plugins to work in practical, helpful ways, like:

Security-first deployments: Chain Checkov, Trivy, and TruffleHog to create a comprehensive security gate. Scan for misconfigurations, vulnerabilities, and exposed secrets, all before infrastructure changes leave your CI/CD pipeline.

Secrets management at scale: Use SOPS to encrypt sensitive values in your code repositories, then decrypt them automatically during Spacelift runs. Combine with ssm_parameter_store to pull additional secrets from AWS at runtime.

Cost-conscious changes: Surface Infracost estimates directly in your pull requests and run summaries, so teams understand the financial impact of infrastructure changes before approval.

Compliance and governance: Integrate Wiz for real-time cloud security posture checks, ensuring every deployment maintains compliance with your organization’s security policies.

Dynamic configuration: Use environment_manager and envsubst to handle complex multi-environment deployments with variable substitution, reducing code duplication across staging, production, and development stacks.

Plugins are available today for all Spacelift customers. To add a plugin to your stack:

1. Navigate to your stack settings.
2. Select the Plugins tab.
3. Choose from available plugins or upload your own.
4. Configure plugin settings for your workflow.

Ready to build your own? Head to the plugins repository to explore Spaceforge and start developing.

Watch the video showing how easy it is to get started using Plugins:

This is just the beginning. We’re working with the community to expand the plugin ecosystem, improve the SDK, and make custom integrations even easier. We can’t wait to see what you build.

Have questions? Want to contribute? Join the conversation in our GitHub Discussions or contact our team.

Try Plugins today and make Spacelift work exactly the way you need it to.

Ready to extend your infrastructure workflows? Get started with Plugins →