{"id":48689,"date":"2025-03-05T03:03:15","date_gmt":"2025-03-05T03:03:15","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=48689"},"modified":"2025-03-05T03:03:15","modified_gmt":"2025-03-05T03:03:15","slug":"terraform-tutorials-tfsec-for-security-scanning","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/terraform-tutorials-tfsec-for-security-scanning\/","title":{"rendered":"Terraform Tutorials: TFSec for Security Scanning"},"content":{"rendered":"\n

Comprehensive Guide to TFSec: Terraform Security Scannin<\/strong>g<\/h3>\n\n\n\n
\n\n\n\n

1. What is TFSec?<\/strong><\/h2>\n\n\n\n

TFSec<\/strong> is a static analysis security scanner<\/strong> designed to identify security vulnerabilities in Terraform Infrastructure-as-Code (IaC)<\/strong> configurations before they are applied to cloud environments.<\/p>\n\n\n\n

TFSec helps DevSecOps teams shift left<\/strong> by detecting misconfigurations, enforcing best security practices, and ensuring compliance with security policies.<\/p>\n\n\n\n

TFSec works by analyzing Terraform configuration files (.tf<\/code> and .tfvars<\/code>) without requiring access to cloud provider APIs<\/strong>, making it a fast and efficient security tool.<\/p>\n\n\n\n

\n\n\n\n

2. TFSec Features<\/strong><\/h2>\n\n\n\n

TFSec is a feature-rich tool designed for Terraform security scanning. Here are its key features<\/strong>:<\/p>\n\n\n\n

\u2714 Deep Security Analysis<\/strong> – Detects insecure configurations in Terraform files before deployment.
\u2714 Supports Multiple Cloud Providers<\/strong> – Works with AWS, Azure, GCP, Kubernetes, and DigitalOcean<\/strong>.
\u2714 Built-in Compliance Policies<\/strong> – Checks against CIS Benchmarks, NIST, PCI-DSS, and ISO27001<\/strong>.
\u2714 Custom Rule Support<\/strong> – Allows organizations to create custom security policies.
\u2714 Automatic Module Discovery<\/strong> – Scans Terraform modules automatically.
\u2714 Context-Aware Scanning<\/strong> – Detects dynamic issues such as publicly exposed resources, weak IAM permissions, and unencrypted data storage<\/strong>.
\u2714 Fast & Offline Execution<\/strong> – Does not require Terraform state files or cloud API access.
\u2714 CI\/CD Integration<\/strong> – Works with GitHub Actions, GitLab CI\/CD, Jenkins, CircleCI, and Azure DevOps<\/strong>.
\u2714 Flexible Output Formats<\/strong> – Generates reports in JSON, CSV, SARIF, and JUnit<\/strong> for security reporting.<\/p>\n\n\n\n

\n\n\n\n

3. TFSec Benefits<\/strong><\/h2>\n\n\n\n

Using TFSec in a DevOps or SecOps workflow offers several advantages<\/strong>:<\/p>\n\n\n\n

\u2705 Security Benefits<\/strong><\/h3>\n\n\n\n
    \n
  • Prevents misconfigurations<\/strong> before they reach production.<\/li>\n\n\n\n
  • Enforces cloud security best practices<\/strong> (e.g., encrypting S3 buckets, restricting IAM policies).<\/li>\n\n\n\n
  • Identifies public exposure risks<\/strong> (e.g., open security groups, unencrypted databases).<\/li>\n\n\n\n
  • Improves compliance<\/strong> with CIS, NIST, SOC 2, PCI-DSS, and ISO27001 standards.<\/li>\n<\/ul>\n\n\n\n

    \u2705 Operational Benefits<\/strong><\/h3>\n\n\n\n
      \n
    • Faster security reviews<\/strong> \u2013 Detects issues in Terraform code early in the development process.<\/li>\n\n\n\n
    • Lightweight and fast<\/strong> \u2013 Runs without requiring Terraform state or cloud access.<\/li>\n\n\n\n
    • Easy CI\/CD integration<\/strong> \u2013 Automates security checks in GitHub Actions, GitLab CI, Jenkins, etc.<\/li>\n\n\n\n
    • Custom security checks<\/strong> \u2013 Organizations can define their own security policies.<\/li>\n<\/ul>\n\n\n\n
      \n\n\n\n

      4. How to Install TFSec?<\/strong><\/h2>\n\n\n\n

      TFSec supports multiple installation methods across various operating systems.<\/p>\n\n\n\n

      \ud83d\udd39 Install TFSec on macOS<\/strong><\/h3>\n\n\n
      brew install tfsec\n<\/code><\/span><\/pre>\n\n\n
      \ud83d\udd39 Install TFSec on Linux<\/strong><\/h3>\n\n\n
      curl -s https:\/\/raw.githubusercontent.com\/aquasecurity\/tfsec\/master\/scripts\/install_linux.sh | bash<\/span>\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
      \ud83d\udd39 Install TFSec on Windows<\/strong><\/h3>\n\n\n
      choco install tfsec\n<\/code><\/span><\/pre>\n\n\n
      \ud83d\udd39 Install via Docker<\/strong><\/h3>\n\n\n
      docker run --rm -v \"$(pwd):\/src\"<\/span> aquasec\/tfsec \/src\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
      \ud83d\udd39 Install via Go (for developers)<\/strong><\/h3>\n\n\n
      go install github.com\/aquasecurity\/tfsec\/cmd\/tfsec@latest\n<\/code><\/span><\/pre>\n\n\n
      After installation, verify TFSec is working:<\/p>\n\n\n
      tfsec --version\n<\/code><\/span><\/pre>\n\n\n
      \n\n\n\n
      5. How to Use TFSec?<\/strong><\/h2>\n\n\n\n
      Once installed, TFSec is easy to use<\/strong>. Navigate to your Terraform project directory and run:<\/p>\n\n\n
      tfsec .\n<\/code><\/span><\/pre>\n\n\n
      \ud83d\udd39 Example Output<\/strong><\/h3>\n\n\n
      [HIGH]<\/span> AWS<\/span> S3<\/span> bucket<\/span> allows<\/span> public<\/span> access<\/span> (aws-s3-enable-bucket-logging<\/span>)<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n
      [aws_s3_bucket.public]<\/p>\n\n\n\n
      .\/s3.tf:15 14 | resource “aws_s3_bucket” “public” { 15 | acl = “public-read” 16 | } Fix: Change `acl` to “private” or “log-delivery-write”<\/p>\n\n\n\n
      Common TFSec Commands<\/strong><\/h3>\n\n\n\n
      Command<\/th>Description<\/th><\/tr><\/thead>
      tfsec .<\/code><\/td>Scan current Terraform directory.<\/td><\/tr>
      tfsec --exclude aws-s3-enable-bucket-logging<\/code><\/td>Ignore specific checks.<\/td><\/tr>
      tfsec --soft-fail<\/code><\/td>Run without failing CI pipelines.<\/td><\/tr>
      tfsec --format json<\/code><\/td>Output results in JSON format.<\/td><\/tr>
      tfsec --minimum-severity HIGH<\/code><\/td>Show only HIGH severity issues.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
      \n\n\n\n
      6. Working with TFSec Locally<\/strong><\/h2>\n\n\n\n
      To scan a Terraform project locally<\/strong>, follow these steps:<\/p>\n\n\n\n
      Step 1: Initialize Terraform (Optional)<\/strong><\/h3>\n\n\n
      terraform init\n<\/code><\/span><\/pre>\n\n\n
      Step 2: Run TFSec<\/strong><\/h3>\n\n\n
      tfsec .\n<\/code><\/span><\/pre>\n\n\n
      Step 3: Fix Security Issues<\/strong><\/h3>\n\n\n\n
        \n
      • Modify Terraform files based on TFSec suggestions.<\/li>\n\n\n\n
      • Run tfsec .<\/code> again to confirm issues are resolved.<\/li>\n<\/ul>\n\n\n\n
        Step 4: Automate with Git Pre-Commit Hook<\/strong><\/h3>\n\n\n\n
        To prevent insecure Terraform code from being committed:<\/p>\n\n\n\n
          \n
        1. Install pre-commit<\/code>: pip install pre-commit<\/code><\/li>\n\n\n\n
        2. Add .pre-commit-config.yaml<\/code>: repos: - repo: https:\/\/github.com\/aquasecurity\/tfsec rev: v1.28.0 hooks: - id: tfsec<\/code><\/li>\n\n\n\n
        3. Install pre-commit hooks: pre-commit install<\/code><\/li>\n<\/ol>\n\n\n\n
          \n\n\n\n
          7. Using TFSec in SecOps Pipelines<\/strong><\/h2>\n\n\n\n
          TFSec integrates with CI\/CD pipelines to enforce security compliance.<\/p>\n\n\n\n
          GitHub Actions<\/strong><\/h3>\n\n\n
          jobs:\n  security:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions\/checkout@v4\n      - name: Run TFSec\n        uses: aquasecurity\/tfsec-action@main\n<\/code><\/span><\/pre>\n\n\n
          GitLab CI\/CD<\/strong><\/h3>\n\n\n
          stages:\n  - security\n\nsecurity:\n  image: aquasec\/tfsec:latest\n  script:\n    - tfsec .\n<\/code><\/span><\/pre>\n\n\n
          Jenkins Pipeline<\/strong><\/h3>\n\n\n
          pipeline {\n    agent any\n    stages {\n        stage('Security Scan'<\/span>) {\n            steps {\n                sh 'tfsec .'<\/span>\n            }\n        }\n    }\n}\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
          \n\n\n\n
          8. TFSec Custom Checks<\/strong><\/h2>\n\n\n\n
          TFSec allows custom security rules to be defined using Rego policies<\/strong>.<\/p>\n\n\n\n
          Example: Custom Check for Public S3 Buckets<\/strong><\/h3>\n\n\n\n
            \n
          1. Create a custom rule file<\/strong> (custom.rego<\/code>): package tfsec.custom deny[msg] { input.resource_type == \"aws_s3_bucket\" input.values.acl == \"public-read\" msg = \"S3 buckets should not be public!\" }<\/code><\/li>\n\n\n\n
          2. Run TFSec with Custom Rules<\/strong> tfsec --config-file custom.rego<\/code><\/li>\n<\/ol>\n\n\n\n
            \n\n\n\n
            9. TFSec Alternatives<\/strong><\/h2>\n\n\n\n
            While TFSec is an excellent Terraform security tool, here are some alternatives<\/strong>:<\/p>\n\n\n\n
            Tool<\/th>Description<\/th><\/tr><\/thead>
            Checkov<\/strong><\/td>Static analysis security scanner for Terraform, Kubernetes, and CloudFormation.<\/td><\/tr>
            Terraform Compliance<\/strong><\/td>Policy-as-code framework for Terraform security and compliance enforcement.<\/td><\/tr>
            Terrascan<\/strong><\/td>Security scanner that checks Terraform against compliance frameworks.<\/td><\/tr>
            Snyk Infrastructure as Code<\/strong><\/td>Cloud security scanner with a developer-friendly UI.<\/td><\/tr>
            Kics (Keep Infrastructure as Code Secure)<\/strong><\/td>Security analysis for Terraform, Kubernetes, and CloudFormation.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
            \n\n\n\n
            Conclusion<\/strong><\/h2>\n\n\n\n
            TFSec is a powerful security scanner<\/strong> that helps developers and security teams enforce best practices in Terraform IaC. By integrating TFSec into local development workflows<\/strong> and CI\/CD pipelines<\/strong>, teams can proactively detect and fix security vulnerabilities before infrastructure is deployed.<\/p>\n\n\n\n
            By following this guide, you can install, configure, and use TFSec effectively<\/strong> in your projects. \ud83d\ude80 Happy SecOps!<\/p>\n\n\n\n
            Handling TFSec Scanning in the .terraform<\/code> Directory<\/strong><\/h3>\n\n\n\n
            When running TFSec<\/strong> on a Terraform project, it automatically scans all directories<\/strong>, including the .terraform<\/code> directory, which contains downloaded Terraform modules and providers. This can result in many false positives<\/strong> or security issues in third-party modules that you cannot directly modify.<\/p>\n\n\n\n
            To prevent TFSec from scanning the .terraform<\/code> directory<\/strong> and reduce noise in your results, follow the best practices below:<\/p>\n\n\n\n
            \n\n\n\n
            \ud83d\udd39 Best Approaches to Exclude .terraform<\/code> Directory<\/strong><\/h3>\n\n\n\n
            1\ufe0f\u20e3 Use --exclude-path<\/code> Flag<\/strong><\/h4>\n\n\n\n
            TFSec allows you to ignore specific directories<\/strong> using the --exclude-path<\/code> option.<\/p>\n\n\n
            tfsec<\/span> --exclude-path<\/span> .terraform<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
            This tells TFSec to skip scanning<\/strong> the .terraform<\/code> directory, reducing unnecessary warnings.<\/p>\n\n\n\n
            2\ufe0f\u20e3 Use .tfsecignore<\/code> File<\/strong><\/h4>\n\n\n\n
            You can create a .tfsecignore<\/code><\/strong> file in your Terraform project and exclude specific directories or checks<\/strong>.<\/p>\n\n\n\n
            Example:<\/strong><\/p>\n\n\n
            echo<\/span> \".terraform\/\"<\/span> >> .tfsecignore\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
            Or manually create .tfsecignore<\/code> and add:<\/p>\n\n\n
            .terraform\/\n<\/code><\/span><\/pre>\n\n\n
            This ensures TFSec always ignores<\/strong> the .terraform<\/code> directory for all future scans.<\/p>\n\n\n\n
            3\ufe0f\u20e3 Use --force-all-dirs=false<\/code> Flag<\/strong><\/h4>\n\n\n\n
            By default, TFSec scans all directories<\/strong>, even hidden ones. To disable scanning hidden directories<\/strong>, use:<\/p>\n\n\n
            tfsec --force-all-dirs=false<\/span>\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
            This stops TFSec from scanning .terraform\/<\/code>, reducing noise from third-party modules.<\/p>\n\n\n\n
            4\ufe0f\u20e3 Ignore Specific Module Directories<\/strong><\/h4>\n\n\n\n
            If your Terraform project uses external modules<\/strong> (like AWS modules from Terraform Registry) and you don’t want to scan them, use:<\/p>\n\n\n
            tfsec --exclude-path .terraform\/modules\n<\/code><\/span><\/pre>\n\n\n
            This prevents scanning only the modules\/<\/code> subdirectory<\/strong> inside .terraform<\/code>, while keeping other checks active.<\/p>\n\n\n\n
            5\ufe0f\u20e3 Use --minimum-severity<\/code> to Filter Results<\/strong><\/h4>\n\n\n\n
            If you want to only see critical security issues<\/strong>, set a minimum severity level:<\/p>\n\n\n
            tfsec --minimum-severity HIGH\n<\/code><\/span><\/pre>\n\n\n
            This filters out low-severity and medium-severity warnings<\/strong>, making results more relevant.<\/p>\n\n\n\n
            \n\n\n\n
            \u2705 Recommended TFSec Configuration for Excluding .terraform<\/code><\/strong><\/h3>\n\n\n\n
            To ensure TFSec ignores irrelevant issues in .terraform\/<\/code><\/strong>, use all the best practices<\/strong> together:<\/p>\n\n\n\n
              \n
            1. Create a .tfsecignore<\/code> file<\/strong>: echo \".terraform\/\" >> .tfsecignore<\/code><\/li>\n\n\n\n
            2. Run TFSec with proper flags<\/strong>: tfsec . --exclude-path .terraform --force-all-dirs=false --minimum-severity HIGH<\/code><\/li>\n\n\n\n
            3. Modify .pre-commit-config.yaml<\/code> (if using pre-commit hooks)<\/strong>: repos: - repo: https:\/\/github.com\/aquasecurity\/tfsec rev: v1.28.0 hooks: - id: tfsec args: [ \"--exclude-path=.terraform\", \"--minimum-severity=HIGH\" ]<\/code><\/li>\n<\/ol>\n\n\n\n
              By applying these best practices<\/strong>, you can: \u2705 Exclude .terraform\/<\/code> from scans.
              \u2705 Reduce false positives<\/strong> from third-party Terraform modules.
              \u2705 Focus on real security risks<\/strong> in your own Terraform code.
              \u2705 Ensure clean security reports<\/strong> without unnecessary warnings.<\/p>\n\n\n\n
              This keeps your TFSec scans efficient and relevant<\/strong> while still enforcing security best practices. \ud83d\ude80<\/p>\n\n\n\n
              Comprehensive Guide to tfsec<\/code> Commands with Examples<\/strong><\/h1>\n\n\n\n
              Introduction to tfsec<\/code><\/strong><\/h2>\n\n\n\n
              tfsec<\/code> is a static analysis security scanner for Terraform configurations. It detects potential security misconfigurations, enforces best practices, and provides remediation suggestions.<\/p>\n\n\n\n
              Basic Usage<\/strong><\/h3>\n\n\n
              tfsec .\n<\/code><\/span><\/pre>\n\n\n
              This scans the current directory (.<\/code>) for Terraform security issues.<\/p>\n\n\n\n
              \n\n\n\n
              Table of tfsec<\/code> Commands and Examples<\/strong><\/h2>\n\n\n\n
              Command<\/strong><\/th>Description<\/strong><\/th>Example Usage<\/strong><\/th><\/tr><\/thead>
              tfsec [directory]<\/code><\/td>Scans the given directory for security issues in Terraform configurations.<\/td>tfsec \/path\/to\/terraform\/code<\/code><\/td><\/tr>
              --code-theme<\/code><\/td>Sets the theme for annotated code output (light<\/code> or dark<\/code>).<\/td>tfsec . --code-theme light<\/code><\/td><\/tr>
              --concise-output<\/code><\/td>Reduces output verbosity by hiding statistics.<\/td>tfsec . --concise-output<\/code><\/td><\/tr>
              --config-file<\/code><\/td>Specifies a configuration file for tfsec<\/code>.<\/td>tfsec . --config-file tfsec-config.json<\/code><\/td><\/tr>
              --config-file-url<\/code><\/td>Downloads a remote configuration file (must be JSON or YAML).<\/td>tfsec . --config-file-url https:\/\/example.com\/tfsec-config.yaml<\/code><\/td><\/tr>
              --custom-check-dir<\/code><\/td>Defines a directory containing custom security checks.<\/td>tfsec . --custom-check-dir \/path\/to\/custom\/rules<\/code><\/td><\/tr>
              --custom-check-url<\/code><\/td>Downloads a custom check file from a remote location (JSON\/YAML).<\/td>tfsec . --custom-check-url https:\/\/example.com\/custom-checks.json<\/code><\/td><\/tr>
              --debug<\/code><\/td>Enables debug logging for detailed troubleshooting.<\/td>tfsec . --debug<\/code><\/td><\/tr>
              --disable-grouping<\/code><\/td>Disables grouping of similar results in output.<\/td>tfsec . --disable-grouping<\/code><\/td><\/tr>
              -e, --exclude<\/code><\/td>Excludes specific rule IDs from scanning.<\/td>tfsec . --exclude AWS001,AWS002<\/code><\/td><\/tr>
              --exclude-downloaded-modules<\/code><\/td>Ignores .terraform<\/code> directory to avoid scanning dependencies.<\/td>tfsec . --exclude-downloaded-modules<\/code><\/td><\/tr>
              -E, --exclude-ignores<\/code><\/td>Ignores rules that were manually marked as ignored.<\/td>tfsec . --exclude-ignores AWS001,AWS002<\/code><\/td><\/tr>
              --exclude-path<\/code><\/td>Excludes specific directories or files from scanning.<\/td>tfsec . --exclude-path .terraform\/modules<\/code><\/td><\/tr>
              --filter-results<\/code><\/td>Filters results to return specific checks only.<\/td>tfsec . --filter-results AWS002,AWS003<\/code><\/td><\/tr>
              --force-all-dirs<\/code><\/td>Scans all directories without searching for .tf<\/code> files.<\/td>tfsec . --force-all-dirs<\/code><\/td><\/tr>
              -f, --format<\/code><\/td>Specifies the output format (json<\/code>, html<\/code>, csv<\/code>, sarif<\/code>, etc.).<\/td>tfsec . --format json<\/code><\/td><\/tr>
              -h, --help<\/code><\/td>Displays the help menu with available commands.<\/td>tfsec --help<\/code><\/td><\/tr>
              --ignore-hcl-errors<\/code><\/td>Ignores errors related to HCL parsing failures.<\/td>tfsec . --ignore-hcl-errors<\/code><\/td><\/tr>
              --include-ignored<\/code><\/td>Displays ignored security issues in the output.<\/td>tfsec . --include-ignored<\/code><\/td><\/tr>
              --include-passed<\/code><\/td>Shows passed checks in the output.<\/td>tfsec . --include-passed<\/code><\/td><\/tr>
              --migrate-ignores<\/code><\/td>Migrates ignore codes to a new ID structure.<\/td>tfsec . --migrate-ignores<\/code><\/td><\/tr>
              -m, --minimum-severity<\/code><\/td>Sets the minimum severity level (LOW<\/code>, MEDIUM<\/code>, HIGH<\/code>, CRITICAL<\/code>).<\/td>tfsec . --minimum-severity HIGH<\/code><\/td><\/tr>
              --no-code<\/code><\/td>Disables inclusion of code snippets in the output.<\/td>tfsec . --no-code<\/code><\/td><\/tr>
              --no-color<\/code><\/td>Disables colored output.<\/td>tfsec . --no-color<\/code><\/td><\/tr>
              --no-ignores<\/code><\/td>Forces tfsec<\/code> to consider ignored checks as active failures.<\/td>tfsec . --no-ignores<\/code><\/td><\/tr>
              --no-module-downloads<\/code><\/td>Prevents downloading of remote modules during scans.<\/td>tfsec . --no-module-downloads<\/code><\/td><\/tr>
              -O, --out<\/code><\/td>Saves output to a file with the specified format.<\/td>tfsec . --format json --out tfsec-results.json<\/code><\/td><\/tr>
              --print-rego-input<\/code><\/td>Displays JSON representation of input for Rego policies.<\/td>tfsec . --print-rego-input<\/code><\/td><\/tr>
              --rego-only<\/code><\/td>Runs only Rego-based security policies.<\/td>tfsec . --rego-only<\/code><\/td><\/tr>
              --rego-policy-dir<\/code><\/td>Specifies the directory containing Rego policies for security analysis.<\/td>tfsec . --rego-policy-dir policies\/<\/code><\/td><\/tr>
              --run-statistics<\/code><\/td>Displays statistical insights about the scan results.<\/td>tfsec . --run-statistics<\/code><\/td><\/tr>
              --single-thread<\/code><\/td>Runs checks using a single thread (useful for debugging).<\/td>tfsec . --single-thread<\/code><\/td><\/tr>
              -s, --soft-fail<\/code><\/td>Runs checks but suppresses error exit codes.<\/td>tfsec . --soft-fail<\/code><\/td><\/tr>
              --tfvars-file<\/code><\/td>Uses a .tfvars<\/code> file to set variables for evaluation.<\/td>tfsec . --tfvars-file terraform.tfvars<\/code><\/td><\/tr>
              --update<\/code><\/td>Updates tfsec<\/code> to the latest version.<\/td>tfsec --update<\/code><\/td><\/tr>
              --var-file<\/code><\/td>Specifies a .tfvars<\/code> file (same as --tfvars-file<\/code>).<\/td>tfsec . --var-file terraform.tfvars<\/code><\/td><\/tr>
              --verbose<\/code><\/td>Enables verbose logging output.<\/td>tfsec . --verbose<\/code><\/td><\/tr>
              -v, --version<\/code><\/td>Displays the current tfsec<\/code> version.<\/td>tfsec --version<\/code><\/td><\/tr>
              -w, --workspace<\/code><\/td>Defines a workspace for ignore rules.<\/td>tfsec . --workspace dev<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
              \n\n\n\n
              \ud83d\udd39 Practical Usage Examples<\/strong><\/h2>\n\n\n\n
              1\ufe0f\u20e3 Running a Basic Scan<\/strong><\/h3>\n\n\n
              tfsec .\n<\/code><\/span><\/pre>\n\n\n
                \n
              • Scans the current directory and displays detected security issues.<\/li>\n<\/ul>\n\n\n\n
                2\ufe0f\u20e3 Running a Scan with a Custom Configuration File<\/strong><\/h3>\n\n\n
                tfsec<\/span> . --config-file<\/span> tfsec-config<\/span>.json<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                  \n
                • Uses tfsec-config.json<\/code> for custom security rules.<\/li>\n<\/ul>\n\n\n\n
                  3\ufe0f\u20e3 Excluding Specific Checks<\/strong><\/h3>\n\n\n
                  tfsec . --exclude AWS001,AWS002\n<\/code><\/span><\/pre>\n\n\n
                    \n
                  • Skips AWS001<\/code> and AWS002<\/code> security rules.<\/li>\n<\/ul>\n\n\n\n
                    4\ufe0f\u20e3 Filtering for Specific Checks<\/strong><\/h3>\n\n\n
                    tfsec . --filter-results AWS003,AWS004\n<\/code><\/span><\/pre>\n\n\n
                      \n
                    • Shows only results matching the specified rules.<\/li>\n<\/ul>\n\n\n\n
                      5\ufe0f\u20e3 Excluding .terraform<\/code> Modules<\/strong><\/h3>\n\n\n
                      tfsec . --exclude-downloaded-modules\n<\/code><\/span><\/pre>\n\n\n
                        \n
                      • Prevents scanning of Terraform dependency modules.<\/li>\n<\/ul>\n\n\n\n
                        6\ufe0f\u20e3 Running tfsec<\/code> with High Severity Threshold<\/strong><\/h3>\n\n\n
                        tfsec . --minimum-severity HIGH\n<\/code><\/span><\/pre>\n\n\n
                          \n
                        • Reports only HIGH and CRITICAL<\/strong> security issues.<\/li>\n<\/ul>\n\n\n\n
                          7\ufe0f\u20e3 Exporting Scan Results to a JSON File<\/strong><\/h3>\n\n\n
                          tfsec<\/span> . --format<\/span> json<\/span> --out<\/span> tfsec-results<\/span>.json<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                            \n
                          • Saves results as a JSON file.<\/li>\n<\/ul>\n\n\n\n
                            8\ufe0f\u20e3 Running tfsec<\/code> in a CI\/CD Pipeline<\/strong><\/h3>\n\n\n
                            jobs:\n  security-scan:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout repository\n        uses: actions\/checkout@v4\n      \n      - name: Run tfsec\n        run: |\n          tfsec . --minimum-severity HIGH --format sarif --out tfsec-results.sarif\n<\/code><\/span><\/pre>\n\n\n
                              \n
                            • Integrates tfsec<\/code> into a GitHub Actions pipeline.<\/li>\n\n\n\n
                            • Runs security checks and exports results in SARIF format<\/strong> for GitHub Security Analysis.<\/li>\n<\/ul>\n\n\n\n
                              \n\n\n\n
                              \ud83d\udd39 Conclusion<\/strong><\/h2>\n\n\n\n
                              Using tfsec<\/code> ensures secure, compliant, and well-architected Terraform code<\/strong> by detecting misconfigurations before deployment<\/strong>.<\/p>\n\n\n\n
                              Best Practices for Using tfsec<\/code><\/strong><\/h3>\n\n\n\n
                              \u2705 Run tfsec<\/code> before every Terraform deployment<\/strong>.
                              \u2705 Exclude<\/strong> .terraform\/modules\/<\/code> from scans to avoid third-party module issues.
                              \u2705 Use --minimum-severity HIGH<\/code> to focus on critical risks<\/strong>.
                              \u2705 Save reports (--format json --out<\/code>) for compliance tracking.
                              \u2705 Integrate tfsec<\/code> into CI\/CD pipelines<\/strong> for continuous security.<\/p>\n\n\n\n
                              By following these best practices<\/strong>, you can significantly enhance the security posture<\/strong> of your Terraform infrastructure. \ud83d\ude80<\/p>\n","protected":false},"excerpt":{"rendered":"
                              Comprehensive Guide to TFSec: Terraform Security Scanning 1. What is TFSec? TFSec is a static analysis security scanner designed to identify security vulnerabilities in Terraform Infrastructure-as-Code (IaC) configurations before they… <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[2],"tags":[],"class_list":["post-48689","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48689","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=48689"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48689\/revisions"}],"predecessor-version":[{"id":48690,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48689\/revisions\/48690"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=48689"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=48689"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=48689"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}