explaingit

aquasecurity/tfsec

7,001 · Go · Audience · ops, devops · Complexity · 2/5 · Setup · easy

TLDR

Tfsec is a command-line security scanner for Terraform configuration files that checks for misconfigurations across AWS, Azure, Google Cloud, and other providers before you deploy. Note: it has now been merged into the broader Trivy scanner.

Mindmap

mindmap
  root((tfsec))
    What it does
      Static security scan
      Pre-deploy checks
      Multi-cloud rules
    Cloud Providers
      AWS
      Azure
      Google Cloud
    Integration
      CI pipeline
      GitHub Action
      VS Code plugin
    Tech Stack
      Go
      Terraform
      Docker


Things people build with this

USE CASE 1

Scan a Terraform project directory before deploying to AWS to catch open security groups or unencrypted storage buckets.

USE CASE 2

Add tfsec to a CI pipeline so every pull request is automatically checked for cloud security misconfigurations.

USE CASE 3

Use the VS Code or JetBrains plugin to get inline security warnings while writing Terraform configs.

USE CASE 4

Run tfsec as a GitHub Action on infrastructure pull requests to block merges with critical findings.

Tech stack

Go · Terraform · Docker

Getting it running

Difficulty · easy · Time to first run · 5 min

tfsec has been merged into Trivy; new security rules and features now ship in Trivy rather than in tfsec.

In plain English

Tfsec is a static analysis tool for Terraform, a widely used way of writing infrastructure configuration as code files. The tool reads those configuration files and looks for security mistakes before anything is actually deployed to a cloud provider. It does not run your infrastructure; it just checks the written configuration for problems, the same way a spell-checker reads text.

The tool checks configurations targeting all major cloud providers, including AWS, Azure, Google Cloud, and DigitalOcean. It has hundreds of built-in rules covering common misconfigurations such as storage buckets that are publicly readable, security groups that allow traffic from any IP address, or encryption settings that have been left off. It can also evaluate more complex expressions in the configuration files, not just plain values, and it can follow references between different resource definitions to catch issues that span multiple files.

You can run tfsec from the command line by pointing it at a directory. It produces output in several formats, including plain text, JSON, CSV, and formats compatible with tools that collect security findings. The exit code signals whether any problems were found, which makes it straightforward to add to a continuous integration pipeline so that every code change is checked automatically. Plugins are available for VS Code and JetBrains editors. You can also run it as a Docker container, a GitHub Action, or an Azure DevOps task.

If a warning is not relevant to your project, you can silence it by adding a comment on the relevant line in the configuration file; that suppression is tracked in the code rather than in a separate config file.

The README notes that tfsec has been merged into Trivy, a broader security scanning tool also maintained by Aqua Security. Tfsec remains available, but new development is happening in Trivy, and the maintainers encourage users to migrate. A migration guide is linked from the repository.
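As an added example (not code from the tfsec repository), here are the two misconfigurations named in use case 1 written in Terraform HCL, each beside a form that passes the check, plus an inline suppression of the kind described above. Bucket names, CIDR ranges and the expiry date are constructed; the rule ID in the ignore comment is assumed to be the one tfsec prints for public ingress rules, so take the ID from your own scan output.

```hcl
# Added example, not tfsec project code. Weak and hardened forms of the
# use case 1 findings; names, CIDRs and dates are constructed placeholders.
# Weak: SSH open to the whole Internet. tfsec flags the 0.0.0.0/0 ingress.
resource "aws_security_group" "bastion_open" {
  name = "bastion-open"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Hardened: same port, source limited to one documentation range (TEST-NET-3).
resource "aws_security_group" "bastion_restricted" {
  name = "bastion-restricted"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]
  }
}

# Weak: bucket with no server-side encryption declared anywhere.
resource "aws_s3_bucket" "logs_plain" {
  bucket = "example-logs-plain"
}

# Hardened: default encryption attached through the separate configuration
# resource (AWS provider v4+); tfsec follows the bucket reference between them.
resource "aws_s3_bucket" "logs_encrypted" {
  bucket = "example-logs-encrypted"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "logs_encrypted" {
  bucket = aws_s3_bucket.logs_encrypted.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Accepted exception tracked in code: a public HTTPS listener. The rule ID is
# assumed (use the one tfsec prints); the expiry forces a periodic review.
resource "aws_security_group" "public_web" {
  name = "public-web"
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-ec2-no-public-ingress-sgr:exp:2026-06-30
  }
}
```

Running tfsec against a directory holding this file reports the two weak resources and stays silent on the hardened ones and on the expiring exception, and its non-zero exit code is what a CI step would act on.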

Copy-paste prompts

Prompt 1
Run tfsec against my Terraform project and explain the security findings it reports for my AWS S3 and security group configs.
Prompt 2
Add tfsec as a GitHub Action to my Terraform repo so every pull request is automatically scanned; show me the workflow YAML.
Prompt 3
Tfsec is flagging a false positive in my Terraform config; how do I suppress that specific check with an inline comment?
Prompt 4
I want to migrate from tfsec to Trivy; what is the equivalent Trivy command for the tfsec scan I am currently running?

