Tfsec – Security Scanner for Terraform code

tfsec uses static analysis of your terraform templates to spot potential security issues. Now with terraform v0.12+ support. This tool will scan the specified directory. If no directory is specified, the current working directory will be used.

Tfsec - Security scanner for your Terraform code
Tfsec – Security scanner for your Terraform code

Some of the features with this tool are:

  • Checks for sensitive data inclusion across all providers
  • Checks for violations of AWS, Azure and GCP security best practice recommendations
  • Scans modules (currently only local modules are supported)
  • Evaluates expressions as well as literal values
  • Evaluates Terraform functions e.g. concat()

The tool is designed for running in a CI pipeline. For this reason it will exit with a non-zero exit code if a potential problem is detected. You may wish to run tfsec as part of your build without coloured output. You can do this using --no-colour (or -- no - color for our American friends).

You can output tfsec results as JSON, CSV, Checkstyle, JUnit or just plain old human readable format. Use the --format flag to specify your desired format. You may also wish to exclude some checks from running. If you’d like to do so, you can simply add new argument -e CHECK1,CHECK2,etc to your cmd command

Checks are currently limited to AWS/Azure/GCP resources, but there are also checks which are provider agnostic.

You can read more and download this tool over here:

Notify of
Inline Feedbacks
View all comments