
tfsec — Security Scanner for Terraform Code

6 min read · May 5, 2023

tfsec is an Aqua Security open source project.

As more and more teams use infrastructure as code to get consistent, repeatable deployments of their infrastructure, it becomes increasingly important to guard against misconfigurations creeping into a release.

tfsec uses static analysis of your Terraform code to find potential misconfigurations. It scans .tf and .tf.json files and reports the misconfigurations it finds.

tfsec takes a developer-first approach to scanning your Terraform templates; using static analysis and deep integration with the official HCL parser it ensures that security issues can be detected before your infrastructure changes take effect.

It’s easy to integrate into a CI pipeline to implement a shift-left approach and catch issues early.

Example output:

Tfsec Features

  • Checks for misconfigurations across all major (and some minor) cloud providers
  • Hundreds of built-in rules
  • Scans modules (local and remote)
  • Evaluates HCL expressions as well as literal values
  • Evaluates Terraform functions e.g. concat()
  • Evaluates relationships between Terraform resources
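To make the idea of static analysis over Terraform configuration concrete, here is a small added example (not tfsec's own code, and not from this article): a toy checker that reads a `.tf.json` document, walks its resource blocks, and applies two constructed rules, one for security-group ingress open to the whole internet and one for public S3 bucket ACLs. The sample document, the rule names and the `scan()` function are all assumptions made for this illustration; tfsec ships hundreds of rules and parses real HCL, which this script does not attempt. The non-zero exit status is what lets a CI job fail before `terraform apply` runs.

```python
"""Toy static checker for Terraform JSON (.tf.json) files.

Added example, not tfsec's code: it illustrates scanning Terraform
configuration for misconfigurations before any change is applied.
The two rules and the sample document are constructed for this demo.
"""
from __future__ import annotations

import json
import sys
from typing import Callable, Iterator

# Constructed sample .tf.json: one security group with SSH open to the
# world, one S3 bucket with a public ACL, and one compliant bucket.
SAMPLE_TF_JSON = json.dumps({
    "resource": {
        "aws_security_group": {
            "web": {
                "name": "web",
                "ingress": [
                    {"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]},
                    {"from_port": 443, "to_port": 443, "protocol": "tcp",
                     "cidr_blocks": ["10.0.0.0/8"]},
                ],
            }
        },
        "aws_s3_bucket": {
            "assets": {"bucket": "assets", "acl": "public-read"},
            "logs": {"bucket": "logs", "acl": "private"},
        },
    }
})


def iter_resources(doc: dict) -> Iterator[tuple[str, str, dict]]:
    """Yield (type, name, body) for every resource block in a .tf.json document.

    Terraform's JSON syntax allows a block body to be a single object or a
    list of objects, so both shapes are normalised here.
    """
    for rtype, instances in doc.get("resource", {}).items():
        for name, body in instances.items():
            bodies = body if isinstance(body, list) else [body]
            for b in bodies:
                yield rtype, name, b


def check_open_ingress(rtype: str, name: str, body: dict) -> list[str]:
    """Constructed rule: flag ingress rules reachable from any IPv4/IPv6 address."""
    if rtype != "aws_security_group":
        return []
    findings = []
    ingress = body.get("ingress", [])
    ingress = ingress if isinstance(ingress, list) else [ingress]
    for rule in ingress:
        if ("0.0.0.0/0" in rule.get("cidr_blocks", [])
                or "::/0" in rule.get("ipv6_cidr_blocks", [])):
            findings.append(
                f"{rtype}.{name}: ingress port "
                f"{rule.get('from_port')}-{rule.get('to_port')} open to the internet")
    return findings


def check_public_bucket_acl(rtype: str, name: str, body: dict) -> list[str]:
    """Constructed rule: flag S3 buckets whose canned ACL grants public access."""
    if rtype != "aws_s3_bucket":
        return []
    acl = body.get("acl", "private")
    if acl.startswith("public"):
        return [f"{rtype}.{name}: bucket ACL '{acl}' is public"]
    return []


RULES: list[Callable[[str, str, dict], list[str]]] = [
    check_open_ingress,
    check_public_bucket_acl,
]


def scan(tf_json_text: str) -> list[str]:
    """Parse a .tf.json document and return one finding string per violation."""
    doc = json.loads(tf_json_text)
    findings: list[str] = []
    for rtype, name, body in iter_resources(doc):
        for rule in RULES:
            findings.extend(rule(rtype, name, body))
    return findings


def main(argv: list[str]) -> int:
    # Scan the file given on the command line, or the built-in sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_TF_JSON
    findings = scan(text)
    for finding in findings:
        print("FAIL", finding)
    print(f"{len(findings)} finding(s)")
    return 1 if findings else 0  # non-zero exit makes the CI stage fail


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to scan the embedded sample, or pass a path to a `.tf.json` file; in a pipeline the exit status is the shift-left gate. Note that `.tf.json` is the only input this toy handles, whereas tfsec parses native HCL, evaluates expressions and functions such as `concat()`, and follows relationships between resources, which is exactly why a string match on literals like the one above is not sufficient in practice.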


Written by Manish Sharma

I am a technology enthusiast with a passion for continuous learning & innovation. Certified as an AWS Soln Architect Associate & HashiCorp Terraform Associate.
