Tfsec – Security Scanner for Terraform code
tfsec uses static analysis of your terraform templates to spot potential security issues. Now with terraform v0.12+ support. This tool will scan the specified directory. If no directory is specified, the current working directory will be used.

Some of the features with this tool are:
- Checks for sensitive data inclusion across all providers
- Checks for violations of AWS, Azure and GCP security best practice recommendations
- Scans modules (currently only local modules are supported)
- Evaluates expressions as well as literal values
- Evaluates Terraform functions, e.g. concat()

The tool is designed for running in a CI pipeline. For this reason it will exit with a non-zero exit code if a potential problem is detected, so the build fails on a finding. You may wish to run tfsec as part of your build without coloured output. You can do this using --no-colour (or --no-color for our American friends).

You can output tfsec results as JSON, CSV, Checkstyle, JUnit or just plain old human-readable format. Use the --format flag to specify your desired format. You may also wish to exclude some checks from running. If you'd like to do so, simply add the argument -e CHECK1,CHECK2,etc (a comma-separated list of check IDs) to your command.
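The CI usage described above, put together as a small POSIX sh wrapper. This is an added example, not a script from the tfsec project: it assumes a tfsec binary on PATH (overridable through TFSEC_BIN) and uses the hypothetical environment variables TFSEC_FORMAT, TFSEC_EXCLUDE and TFSEC_REPORT, chosen here for configuration, together with the --no-colour, --format and -e flags from the text. It always writes the report so the pipeline can publish it, and then propagates tfsec's exit status so the job still fails on a finding.

```shell
#!/usr/bin/env sh
# Added example (not tfsec's own code): run tfsec as a CI step.
# Assumptions: `tfsec` is on PATH (override with TFSEC_BIN); TFSEC_FORMAT,
# TFSEC_EXCLUDE and TFSEC_REPORT are hypothetical variables used only here.

# run_tfsec_ci [DIR]
# Scans DIR (default: current working directory, as tfsec itself does),
# writes the report in the requested format to TFSEC_REPORT, and returns
# tfsec's exit status: non-zero when a potential problem was detected.
run_tfsec_ci() {
  dir=${1:-.}
  format=${TFSEC_FORMAT:-junit}          # json, csv, checkstyle, junit or default
  report=${TFSEC_REPORT:-tfsec-report.xml}
  bin=${TFSEC_BIN:-tfsec}

  # Build the argument list in the positional parameters so every argument
  # stays a single word regardless of its content.
  set -- --no-colour --format "$format"
  # -e takes a comma-separated list of check IDs to skip; omit it when empty.
  if [ -n "${TFSEC_EXCLUDE:-}" ]; then
    set -- "$@" -e "$TFSEC_EXCLUDE"
  fi
  set -- "$@" "$dir"

  echo "running: $bin $*" >&2
  # Capture the report before looking at the exit status, so a failing scan
  # still leaves a report for the pipeline to publish.
  "$bin" "$@" > "$report"
  rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "tfsec reported potential problems (exit $rc); see $report" >&2
  fi
  return "$rc"
}

# When executed as a script named tfsec-ci.sh (rather than sourced), scan the
# directory given on the command line and exit with tfsec's status.
case "$0" in
  */tfsec-ci.sh) run_tfsec_ci "$@" ;;
esac
```

Typical use in a pipeline is TFSEC_EXCLUDE=CHECK1,CHECK2 sh tfsec-ci.sh ./infra, with the job then uploading tfsec-report.xml as a JUnit result. Keep the exclusion list short and reviewed: every ID added there is a check the pipeline will silently stop enforcing.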
Checks are currently limited to AWS/Azure/GCP resources, but there are also checks which are provider agnostic.
You can read more and download this tool over here: https://github.com/tfsec/tfsec