tfsec
by aquasecurity
tfsec is a fast, static analysis tool that scans Terraform code to detect potential security misconfigurations across multiple cloud providers.
Tfsec is now part of Trivy
Primary Use Case
tfsec is primarily used by DevOps engineers, security professionals, and developers to identify and remediate security risks in Terraform infrastructure as code before deployment. It integrates easily into CI pipelines to automate security checks, ensuring cloud environments are configured securely and compliant with best practices.
- Static analysis of Terraform code to detect misconfigurations
- Hundreds of built-in security rules covering major and minor cloud providers
- Scans both local and remote Terraform modules
- Evaluates HCL expressions, Terraform functions, and resource relationships
- Compatible with Terraform CDK
- Supports user-defined Rego policies for custom checks
- Multiple output formats including JSON, SARIF, CSV, CheckStyle, JUnit, and text
- Fast scanning performance suitable for large repositories
Installation
- Install via Docker: pull the tfsec/tfsec image from Docker Hub
- Install via Homebrew: brew install tfsec
- Install via Chocolatey: choco install tfsec
- Install via AUR for Arch Linux: install tfsec-bin package
- Use the VSCode extension from the Visual Studio Marketplace
- Use the JetBrains plugin available in JetBrains plugin repository
- Use the Vim plugin from the aquasecurity GitHub repository
Usage
- tfsec <directory>: Scan the specified directory containing Terraform code for security misconfigurations
- tfsec --format json <directory>: Run a scan and output results in JSON format
- tfsec --config-file <file>: Run a scan using a specified configuration file to customize rules and behavior
- tfsec --exclude <rule_id>: Exclude specific rules from the scan results
- Integrate tfsec scans into CI/CD pipelines to automate early detection of IaC misconfigurations.
- Extend tfsec with custom Rego policies to enforce organization-specific cloud security standards.
- Use tfsec results to inform blue team threat modeling and hardening efforts before deployment.
- Leverage tfsec's multi-cloud support to maintain consistent security posture across hybrid cloud environments.
- Combine tfsec with runtime security tools like Trivy for comprehensive pre- and post-deployment coverage.