Scripts · 16 April 2026 · 1 min read

tfsec — Static Security Scanner for Terraform Code

Catch security misconfigurations in Terraform before they reach production. tfsec scans HCL files for hundreds of cloud security rules across AWS, Azure, and GCP with zero configuration.

Introduction

tfsec is a static analysis security scanner for Terraform code, maintained by Aqua Security. It inspects HCL files and Terraform plan JSON for security misconfigurations before any infrastructure is provisioned. With 350+ built-in rules covering AWS, Azure, GCP and Kubernetes resources, it catches issues such as publicly readable S3 buckets, unencrypted databases and security groups open to 0.0.0.0/0 while the code is still in review rather than after deployment.

What tfsec Does

  • Scans Terraform HCL files for security misconfigurations without running terraform plan
  • Checks 350+ built-in rules across AWS, Azure, GCP, DigitalOcean, and Kubernetes providers
  • Resolves Terraform variables, locals, and module references for accurate analysis
  • Integrates into CI/CD pipelines with JUnit, JSON, SARIF, and CSV output formats
  • Supports custom rules via YAML or Rego policies for organization-specific standards

Architecture Overview

tfsec parses the HCL files into an AST, evaluates variables, locals and expressions, and follows module sources (local paths, and registry modules, which it downloads unless --no-module-downloads is set), then evaluates every resource block against a rule registry. Rules are Go functions that inspect resource attributes and return a pass/fail result with a severity. Each finding carries the file and line number, the rule ID, the severity and a link to remediation guidance. The scanner makes no cloud API calls; with module downloads disabled it runs entirely offline.
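As an added example, not code from this page or from the tfsec project: a POSIX shell script that scaffolds a scratch Terraform project in which the bucket ACL comes from a variable with a weak default, then scans it. Because the literal "public-read" never appears in main.tf, a finding on that resource shows the scanner resolved var.bucket_acl as the architecture above describes. The directory, the variable and the function names are assumptions, and tfsec must be on PATH for the scan step to do anything.

```shell
#!/bin/sh
# Added example (not tfsec project code): scaffold a scratch project with one
# deliberately weak S3 bucket and scan it. The directory and the bucket_acl
# variable are assumptions chosen for the demo.
set -eu

# The ACL is supplied through a variable with a weak default, so a finding on
# the bucket only appears if the scanner resolves var.bucket_acl to its value.
write_weak_project() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/variables.tf" <<'EOF'
variable "bucket_acl" {
  type    = string
  default = "public-read" # weak default, resolved by tfsec's own evaluator
}
EOF
    cat > "$dir/main.tf" <<'EOF'
# Deliberately weak: public ACL via a variable, no versioning, no encryption,
# so expect aws-s3-enable-versioning among the findings.
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs-bucket"
  acl    = var.bucket_acl
}
EOF
}

# Run tfsec if it is on PATH. --no-module-downloads keeps the run fully
# offline; --format json / --out write machine-readable results. tfsec exits
# non-zero when it finds problems, which is the expected outcome here.
scan_project() {
    dir="$1"
    if command -v tfsec >/dev/null 2>&1; then
        tfsec "$dir" --no-module-downloads --format json --out "$dir/tfsec.json" || true
        echo "findings written to $dir/tfsec.json"
    else
        echo "tfsec not on PATH; project written to $dir, scan it with: tfsec $dir" >&2
    fi
}

demo_dir="${TFSEC_DEMO_DIR:-$(mktemp -d)}"
write_weak_project "$demo_dir"
scan_project "$demo_dir"
```

Set TFSEC_DEMO_DIR to keep the scratch project somewhere you can inspect; otherwise it lands in a temporary directory whose path the script prints.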

Self-Hosting & Configuration

  • Install via Homebrew, Go (go install github.com/aquasecurity/tfsec/cmd/tfsec@latest), the aquasec/tfsec Docker image, or prebuilt binaries from GitHub releases
  • Run tfsec . in any directory containing .tf files — no configuration required
  • Suppress a rule for one resource with an inline comment such as #tfsec:ignore:aws-s3-enable-versioning (append :exp:YYYY-MM-DD so the exception expires), or exclude rules repository-wide in .tfsec/config.yml
  • Add custom rules in .tfsec/ directory using YAML definitions or Rego policies
  • Integrate with GitHub Actions, GitLab CI, or pre-commit hooks for automated scanning
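One way to set up the steps above in a single scratch project, as an added example that is neither the page's nor tfsec's own code: an inline ignore with an expiry date, a repository-wide .tfsec/config.yml, a YAML custom check that requires a tag, and a CI-style run that writes SARIF for GitHub code scanning. The project directory, the custom check code CUS001, the CostCentre tag and the expiry date are assumptions; the rule IDs are tfsec's AWS S3 rule names and should be confirmed against the installed version.

```shell
#!/bin/sh
# Added example (not tfsec project code): write the tfsec configuration
# described above into a scratch project and run a CI-style scan.
# Directory, check code CUS001, tag name and expiry date are assumptions.
set -eu

write_configured_project() {
    dir="$1"
    mkdir -p "$dir/.tfsec"

    # Resources under test. The ignore comment suppresses one rule on one
    # resource and carries an expiry so the exception gets reviewed later.
    cat > "$dir/main.tf" <<'EOF'
#tfsec:ignore:aws-s3-enable-versioning:exp:2026-12-31
resource "aws_s3_bucket" "scratch" {
  bucket = "example-scratch-bucket"
}

# Missing the CostCentre tag that the custom check below requires.
resource "aws_instance" "worker" {
  ami           = "ami-00000000"
  instance_type = "t3.micro"
  tags = {
    Name = "worker"
  }
}
EOF

    # Repository-wide settings, picked up automatically from .tfsec/config.yml:
    # drop one rule everywhere and raise another to CRITICAL.
    cat > "$dir/.tfsec/config.yml" <<'EOF'
exclude:
  - aws-s3-enable-bucket-logging
severity_overrides:
  aws-s3-enable-bucket-encryption: CRITICAL
EOF

    # Organisation rule: every aws_instance must carry a CostCentre tag.
    # The file name must end in _tfchecks.yaml for tfsec to load it.
    cat > "$dir/.tfsec/org_tfchecks.yaml" <<'EOF'
checks:
  - code: CUS001
    description: EC2 instances must carry a CostCentre tag
    impact: Untagged instances cannot be attributed to a cost centre
    resolution: Add CostCentre to the tags map on the resource
    requiredTypes:
      - resource
    requiredLabels:
      - aws_instance
    severity: HIGH   # tfsec's own levels; older examples use ERROR/WARNING/INFO
    matchSpec:
      name: tags
      action: contains
      value: CostCentre
    errorMessage: The required CostCentre tag was missing
EOF
}

# CI-style run: SARIF for code-scanning upload, a severity floor to cut noise,
# no registry downloads. tfsec exits non-zero on findings, so the pipeline step
# decides whether that fails the build (here it is swallowed for the demo).
scan_for_ci() {
    dir="$1"
    if command -v tfsec >/dev/null 2>&1; then
        tfsec "$dir" --no-module-downloads --minimum-severity MEDIUM \
            --format sarif --out "$dir/tfsec.sarif" || true
        echo "SARIF written to $dir/tfsec.sarif"
    else
        echo "tfsec not on PATH; project written to $dir" >&2
    fi
}

demo_dir="${TFSEC_DEMO_DIR:-$(mktemp -d)}"
write_configured_project "$demo_dir"
scan_for_ci "$demo_dir"
```

In a GitHub Actions job, hand the resulting tfsec.sarif to github/codeql-action/upload-sarif (the job needs the security-events: write permission) and the findings appear as code-scanning alerts on the pull request; drop the || true if a finding at or above the floor should fail the job.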

Key Features

  • Zero-config scanning: point at a directory and get results in seconds
  • Resolves Terraform expressions, variables, and locals for accurate context-aware checks
  • Severity levels (CRITICAL, HIGH, MEDIUM, LOW) help prioritize remediation efforts
  • SARIF output integrates with GitHub Advanced Security code scanning alerts
  • Supports scanning Terraform plan JSON for post-plan validation in CI pipelines

Comparison with Similar Tools

  • Checkov — Python-based with broader IaC support; tfsec is faster and Terraform-focused
  • Trivy — tfsec's rule set was merged into Trivy (trivy config), which is where new rules land; the standalone tfsec CLI is simpler if you only scan Terraform and do not need Trivy's other scanners
  • Terrascan — OPA-based policies; tfsec has more Terraform-specific built-in rules
  • Snyk IaC — commercial SaaS; tfsec is fully open source and runs offline

FAQ

Q: Is tfsec still maintained separately from Trivy? A: tfsec's rule engine now lives in Trivy, and Aqua has said that new feature work goes there rather than into standalone tfsec. The tfsec CLI remains available as a focused Terraform scanner, but treat it as maintenance-only and plan on trivy config for the same checks in new pipelines.

Q: Does tfsec need Terraform installed? A: No. tfsec parses HCL directly and does not invoke terraform init or terraform plan.

Q: Can I suppress false positives? A: Yes. Add #tfsec:ignore:RULE_ID as an inline comment above the resource, or use a .tfsec/config.yml to exclude rules globally.

Q: Does it support Terraform modules? A: Yes. tfsec resolves local modules and public registry modules to analyze the full resource graph.
