tfsec uses static analysis of your terraform templates to spot potential security issues. Now with terraform v0.12+ support. This tool will scan the specified directory. If no directory is specified, the current working directory will be used.

Some of the features with this tool are:

• Checks for sensitive data inclusion across all providers
• Checks for violations of AWS, Azure and GCP security best practice recommendations
• Scans modules (currently only local modules are supported)
• Evaluates expressions as well as literal values
• Evaluates Terraform functions e.g. concat()

The tool is designed for running in a CI pipeline. For this reason it will exit with a non-zero exit code if a potential problem is detected. You may wish to run tfsec as part of your build without coloured output. You can do this using --no-colour (or -- no - color for our American friends).

You can output tfsec results as JSON, CSV, Checkstyle, JUnit or just plain old human readable format. Use the --format flag to specify your desired format. You may also wish to exclude some checks from running. If you’d like to do so, you can simply add new argument -e CHECK1,CHECK2,etc to your cmd command

Checks are currently limited to AWS/Azure/GCP resources, but there are also checks which are provider agnostic.

You can read more and download this tool over here: https://github.com/tfsec/tfsec