Skills · Apr 16, 2026 · 3 min read

tfsec — Static Security Scanner for Terraform Code

Catch security misconfigurations in Terraform before they reach production. tfsec scans HCL files for hundreds of cloud security rules across AWS, Azure, and GCP with zero configuration.

Ready for agents

Agent install ready

This asset can be installed after choosing the runtime, reviewing the plan, and running the appropriate command.

Native · 98/100 · Policy: allow
Agent surface: Any MCP/CLI agent
Type: Skill
Installation: Single
Trust: Established
Entry point: tfsec Terraform Security
Direct install command:
npx -y tokrepo@latest install b9dd698f-3939-11f1-9bc6-00163e2b0d79 --target codex

Run after confirming the plan in dry-run mode.

TL;DR
tfsec scans Terraform files for security misconfigurations across AWS, Azure, and GCP with zero configuration needed.
§01

What it is

tfsec is a static analysis security scanner for Terraform HCL files. It checks for hundreds of built-in security rules covering AWS, Azure, and GCP resources. It runs with zero configuration and flags issues like unencrypted storage, overly permissive IAM policies, and missing logging before you deploy.

It targets Terraform users and DevOps teams who want fast, automated security checks integrated into their development workflow and CI pipelines.

§02

How it saves time or tokens

tfsec runs in seconds against your Terraform codebase and provides clear, actionable output. Each finding includes the rule ID, severity, affected resource, and a link to documentation explaining the fix. No cloud credentials or deployed infrastructure needed.

§03

How to use

  1. Install tfsec:
     brew install tfsec
     # Or via Go:
     go install github.com/aquasecurity/tfsec/cmd/tfsec@latest
  2. Scan your Terraform directory:
     tfsec ./terraform
  3. Review findings and fix flagged resources.
§04

Example

# Install
brew install tfsec

# Scan current directory
tfsec .

# Scan specific directory with severity filter
tfsec ./infra --minimum-severity HIGH

# Output as JSON for CI
tfsec ./infra -f json

# Exclude specific rules
tfsec . --exclude aws-s3-enable-versioning
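The JSON report is what a CI gate consumes. The following is an added example (not code from tfsec or from this page) of a small gate that tallies findings by severity and fails the build when anything at or above a chosen level is present. The report structure (a top-level "results" list with rule_id, severity, resource and location fields, and "results": null when a scan is clean) and the sample findings are assumptions constructed for the example, not a captured tfsec run.

```python
import json
from typing import Dict, List

# Severity ordering used to compare findings against the gate threshold.
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Constructed sample resembling `tfsec ./infra -f json` output (assumed field names, invented values).
SAMPLE_REPORT = json.dumps({
    "results": [
        {"rule_id": "aws-s3-enable-versioning", "severity": "MEDIUM",
         "resource": "aws_s3_bucket.logs",
         "description": "Bucket does not have versioning enabled",
         "location": {"filename": "infra/s3.tf", "start_line": 12, "end_line": 18}},
        {"rule_id": "aws-s3-enable-bucket-encryption", "severity": "HIGH",
         "resource": "aws_s3_bucket.logs",
         "description": "Bucket does not have encryption enabled",
         "location": {"filename": "infra/s3.tf", "start_line": 12, "end_line": 18}},
    ]
})


def count_by_severity(report_json: str) -> Dict[str, int]:
    """Tally findings per severity level; tolerates "results": null from a clean scan."""
    results = json.loads(report_json).get("results") or []
    counts = {level: 0 for level in SEVERITY_RANK}
    for finding in results:
        level = str(finding.get("severity", "")).upper()
        if level in counts:
            counts[level] += 1
    return counts


def findings_at_or_above(report_json: str, threshold: str) -> List[str]:
    """One summary line per finding meeting the threshold, most severe first."""
    floor = SEVERITY_RANK[threshold.upper()]
    results = json.loads(report_json).get("results") or []
    selected = [r for r in results
                if SEVERITY_RANK.get(str(r.get("severity", "")).upper(), -1) >= floor]
    selected.sort(key=lambda r: SEVERITY_RANK[r["severity"].upper()], reverse=True)
    return [f"{r['severity']} {r['rule_id']} {r['resource']} "
            f"({r.get('location', {}).get('filename')}:{r.get('location', {}).get('start_line')})"
            for r in selected]


def ci_exit_code(report_json: str, threshold: str = "HIGH") -> int:
    """Return 1 (fail the pipeline) when any finding meets the threshold, else 0."""
    return 1 if findings_at_or_above(report_json, threshold) else 0


if __name__ == "__main__":
    import sys
    # Usage: tfsec ./infra -f json > report.json && python gate.py report.json HIGH
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    print("\n".join(findings_at_or_above(data, threshold)))
    sys.exit(ci_exit_code(data, threshold))
```

Findings suppressed with a tfsec:ignore comment or dropped by --minimum-severity never appear in the report, so the gate only sees what the scanner actually emitted.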
§05

Key considerations

When evaluating tfsec for your workflow, consider the following factors. First, assess whether your team has the technical prerequisites to adopt this tool effectively. Second, evaluate the maintenance burden against the productivity gains. Third, check community activity and documentation quality to ensure long-term viability. Integration with your existing toolchain matters more than feature count alone. Start with a small pilot project before rolling out across the organization. Monitor resource usage during the initial adoption phase to identify bottlenecks early. Document your configuration decisions so team members can onboard independently.

§06

Common pitfalls

  • tfsec has been absorbed into Trivy by Aqua Security; new users should consider using Trivy's Terraform scanning instead.
  • Variable values from tfvars files are not always resolved; some findings may be false positives for dynamically set values.
  • Custom modules with complex variable passing may not be fully analyzed; run tfsec at the module level for better coverage.

Frequently asked questions

Is tfsec still maintained?

tfsec's functionality has been integrated into Trivy by Aqua Security. The standalone tfsec tool still works but new development focuses on Trivy. For new projects, consider using Trivy for Terraform scanning.

How does tfsec differ from Checkov?

tfsec is Terraform-specific with a focus on speed and simplicity. Checkov covers multiple IaC formats (Terraform, CloudFormation, Kubernetes). tfsec may find Terraform-specific issues that Checkov misses and vice versa.

Can I run tfsec in GitHub Actions?

Yes. tfsec provides an official GitHub Action. Add it to your workflow YAML and it scans on every pull request, posting results as PR comments or failing the check if issues are found.

How do I suppress false positives?

Add a 'tfsec:ignore:RULE_ID' comment directly above the flagged resource in your Terraform file. This suppresses that specific finding for that resource while keeping all other checks active.

Does tfsec support custom rules?

Yes. tfsec supports custom rules defined in JSON or YAML. Place them in a .tfsec directory and they are picked up automatically during scans.
