CI/CD 2026-03-10

Detect Configuration Drift in Deployment Pipelines with Diff Checker

Automatically compare Kubernetes manifests, Terraform plans, and environment configs between environments in GitHub Actions. Catch unintended drift before it causes production incidents.

⚙️ Uses: Text Diff Checker — Free

The Problem

Your staging and production Kubernetes configs have drifted apart over weeks of hotfixes. A deployment to production behaves differently than staging because of undocumented config differences. You only discover this at 2 AM during an incident.

Why This Matters

Configuration drift between environments is the root cause of 40% of production incidents (Puppet State of DevOps Report). Automated diff checking in your CI pipeline surfaces drift at PR time — when it's cheap to fix — rather than during a production deployment when it's expensive to diagnose.

Step-by-Step Instructions

1. Paste your configs into the Text Diff Checker

Use the Text Diff Checker to visually compare staging vs production configs, Terraform plans, or Helm values files. Identify exactly which lines differ before automating the check.

2. Add a diff step to your deployment workflow

In your workflow, fetch both configs and run diff -u staging.yaml production.yaml. Capture the exit code: 0 means identical, 1 means differences exist, and 2 means diff could not compare the files (for example because one of them is missing), which must be treated as a failure rather than as "no drift". Fail the build or post a PR comment based on this.

3. Post the diff as a PR comment

Use the GitHub CLI (gh pr comment) to post the diff output as a comment on the pull request. This makes config changes visible in code review, not just in deployment logs.

4. Block deployments when critical sections differ

Parse the diff output to detect changes in security-critical sections (resource limits, RBAC rules, network policies). Exit with code 1 to block the deployment and require explicit review.


Before & After Example

Problem: config drift discovered during production incident
# Staging deployment works fine
# Production deployment behaves differently

# Later investigation reveals:
$ diff staging/k8s/deployment.yaml production/k8s/deployment.yaml
# Output too long to parse manually
# No automated check was in place
# Drift accumulated over 3 months of hotfixes
Solution: automated config diff in GitHub Actions on every PR
name: Config Drift Check
on:
  pull_request:
    paths:
      - 'k8s/**'
      - 'terraform/**'

jobs:
  drift-check:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # required for gh pr comment with GITHUB_TOKEN
    steps:
      - uses: actions/checkout@v4

      - name: Compare staging vs production manifests
        id: diff
        run: |
          # diff exits 0 when identical, 1 when the files differ and 2 on error
          # (e.g. a missing manifest). Capture the code instead of masking it
          # with "|| true", otherwise a missing file looks like "no drift".
          rc=0
          diff -u k8s/staging/deployment.yaml k8s/production/deployment.yaml > /tmp/drift-report.txt || rc=$?
          if [ "$rc" -eq 0 ]; then
            echo "status=identical" >> "$GITHUB_OUTPUT"
            echo "✓ No config drift detected"
          elif [ "$rc" -eq 1 ]; then
            echo "status=drift_detected" >> "$GITHUB_OUTPUT"
            echo "⚠️ Config differences found:"
            cat /tmp/drift-report.txt   # kept on disk for the PR comment step
          else
            echo "diff failed with exit code $rc (missing manifest?)"
            exit "$rc"
          fi

      - name: Post drift report as PR comment
        if: steps.diff.outputs.status == 'drift_detected'
        run: |
          # Build the comment body in a file: a quoted heredoc would not expand
          # the diff, and an unquoted one would treat the backtick fence as a
          # command substitution.
          {
            echo "## ⚠️ Config Drift Detected"
            echo
            echo "Staging and production manifests differ:"
            echo
            echo '```diff'
            cat /tmp/drift-report.txt
            echo '```'
            echo
            echo "Please review and align configurations before merging."
          } > /tmp/drift-comment.md
          gh pr comment "${{ github.event.pull_request.number }}" --body-file /tmp/drift-comment.md
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Block deployment on critical drift
        if: steps.diff.outputs.status == 'drift_detected'
        # Any drift blocks the merge here; to block only on security-critical
        # sections (step 4), inspect /tmp/drift-report.txt before exiting.
        run: exit 1

Frequently Asked Questions

How do I diff JSON configs that have been reformatted?

Normalize both files before diffing: jq --sort-keys . staging.json > /tmp/s.json && jq --sort-keys . production.json > /tmp/p.json && diff /tmp/s.json /tmp/p.json. Sorting keys removes false positives from key reordering.

Can I diff Kubernetes resources against a live cluster?

Yes. Use kubectl diff -f k8s/production/ to compare your local manifests against the running cluster state. This shows what kubectl apply would change. Like diff, it exits 0 when nothing would change, 1 when there are differences, and a higher code on errors, so it can drive the same fail-or-comment logic. Requires cluster access in your runner.

How do I ignore certain lines in the diff (like timestamps)?

Use diff --ignore-matching-lines='pattern' (short form -I) or preprocess files with grep -v 'timestamp' before diffing. Note that -I only suppresses a hunk when every changed line in it matches the pattern; a volatile line that changes alongside a real change is still reported. For YAML, normalize the file with a script that removes volatile fields before comparison.
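Step 4 asks for the diff output to be parsed for security-critical sections, and the question above asks for volatile fields to be removed before comparison. The script below is an added example written for this guide (not code from the page or from the Text Diff Checker) that does both structurally instead of line by line: it flattens each manifest into dotted key paths, drops paths expected to differ per environment, and classifies every remaining difference by whether it falls under a critical prefix. The CRITICAL_PREFIXES policy, the VOLATILE_PATHS list and the two sample manifests are assumptions constructed for the example; the parser handles only plain block-style YAML (no anchors, flow syntax or multi-line scalars), which is enough for typical generated manifests.

```python
"""Structural drift check for simple Kubernetes manifests (standard library only).

Added example for this guide, not the page's own tooling. Flattens a block-style
YAML manifest (mappings, lists of mappings, scalars; no anchors, flow syntax or
multi-line scalars) into dotted paths, drops per-environment volatile paths, and
flags differences that fall under security-critical sections.
"""
import re
import sys

# Assumed policy: path prefixes whose drift should block a deployment.
# "[]" stands for any list index (containers[0], containers[1], ...).
CRITICAL_PREFIXES = (
    "spec.template.spec.containers[].resources",
    "spec.template.spec.containers[].securityContext",
    "spec.template.spec.serviceAccountName",
    "rules",         # Role / ClusterRole
    "spec.ingress",  # NetworkPolicy
)
# Assumed: paths that legitimately differ between environments.
VOLATILE_PATHS = frozenset({"metadata.annotations.deployed-at", "metadata.labels.environment"})


def _path_of(stack):
    """Join stack components: keys with '.', list indices as '[n]'."""
    out = ""
    for _, comp in stack:
        out += comp if comp.startswith("[") else (("." + comp) if out else comp)
    return out


def flatten_yaml(text):
    """Return {dotted_path: scalar_string} for a simple block-style YAML document."""
    result, stack, counters = {}, [], {}   # stack: (indent, component); counters: parent -> items seen

    def handle(indent, content):
        while stack and stack[-1][0] >= indent:   # leave every scope at least this deep
            stack.pop()
        if content.startswith("- "):               # list item: push '[n]', then parse its body
            parent = _path_of(stack)
            counters[parent] = counters.get(parent, 0) + 1
            stack.append((indent, f"[{counters[parent] - 1}]"))
            handle(indent + 2, content[2:].strip())
            return
        key, _, value = content.partition(":")
        stack.append((indent, key.strip()))
        if value.strip():                          # leaf scalar; bare "key:" opens a nested scope
            result[_path_of(stack)] = value.strip()

    for raw in text.splitlines():
        if raw.strip() and not raw.lstrip().startswith("#"):
            handle(len(raw) - len(raw.lstrip(" ")), raw.strip())
    return result


def drift_report(staging_text, production_text, volatile=VOLATILE_PATHS, critical=CRITICAL_PREFIXES):
    """Return [(path, staging_value, production_value, is_critical)] for each differing path."""
    s = {k: v for k, v in flatten_yaml(staging_text).items() if k not in volatile}
    p = {k: v for k, v in flatten_yaml(production_text).items() if k not in volatile}
    report = []
    for path in sorted(set(s) | set(p)):
        if s.get(path) != p.get(path):
            generic = re.sub(r"\[\d+\]", "[]", path)   # containers[0] -> containers[]
            report.append((path, s.get(path), p.get(path), any(generic.startswith(c) for c in critical)))
    return report


def exit_code(report):
    """0 = no critical drift; 1 = critical drift, block the deployment (non-critical drift only warns)."""
    return 1 if any(item[3] for item in report) else 0


# Constructed sample: production differs in a volatile annotation, the replica
# count (non-critical) and two critical fields (memory limit, runAsNonRoot).
STAGING = """\
kind: Deployment
metadata:
  name: api
  annotations:
    deployed-at: "2026-03-01T10:00:00Z"
spec:
  replicas: 2
  template:
    spec:
      serviceAccountName: api
      containers:
        - name: api
          image: registry.example.com/api:1.4.2
          resources:
            limits:
              memory: 512Mi
          securityContext:
            runAsNonRoot: true
"""
PRODUCTION = (STAGING.replace("2026-03-01T10:00:00Z", "2026-03-09T18:30:00Z")
              .replace("replicas: 2", "replicas: 6")
              .replace("memory: 512Mi", "memory: 2Gi")
              .replace("runAsNonRoot: true", "runAsNonRoot: false"))

if __name__ == "__main__":
    # In CI, read k8s/staging/deployment.yaml and k8s/production/deployment.yaml instead.
    report = drift_report(STAGING, PRODUCTION)
    for path, s, p, crit in report:
        print(f"{'CRITICAL' if crit else 'info    '} {path}: {s} -> {p}")
    sys.exit(exit_code(report))
```

Run on the constructed sample it prints the replica change as informational and the memory limit and runAsNonRoot changes as CRITICAL, then exits 1 so the workflow step fails; the volatile deployed-at annotation never appears. Matching on key paths rather than on changed diff lines is what makes this robust: a unified diff hunk for `memory: 2Gi` does not contain the word "resources", so a keyword grep over the diff would miss it.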
