# tfsec

tfsec is a static analysis tool that scans Terraform code for security vulnerabilities and best practice violations.

This repository uses tfsec along with GitHub Actions to automatically scan Terraform configurations and upload the security findings to GitHub Security Code Scanning.

To integrate tfsec into your GitHub workflow, follow these steps:

Create a file `.github/workflows/tfsec.yml` with the following content:
```yaml
name: Terraform Security Scan

on:
  push:
    branches:
      - main
  pull_request:

# upload-sarif needs write access to code scanning results; the default
# GITHUB_TOKEN permissions are often read-only, so grant it explicitly.
permissions:
  contents: read
  security-events: write

jobs:
  tfsec:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run tfsec with SARIF output
        # the action tag was lost in extraction; pin a released tag of aquasecurity/tfsec-sarif-action
        uses: aquasecurity/tfsec-sarif-action@<tag>
        with:
          sarif_file: tfsec.sarif

      - name: Upload SARIF report to GitHub
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: tfsec.sarif
```
Add this Terraform file with the name `main.tf`:

```hcl
# Deliberately minimal and insecure so that the scan produces findings;
# it is not meant to be applied.
resource "aws_security_group_rule" "my-rule" {
  type        = "ingress"
  cidr_blocks = ["0.0.0.0/0"] # ingress open to the whole internet
}

resource "aws_alb_listener" "my-valid-alb-listener" {
  port     = "80"
  protocol = "HTTPS"
}

resource "aws_alb_listener" "my-wrong-alb-listener" {
  port     = "80"
  protocol = "HTTP" # plaintext listener
}

resource "aws_db_security_group" "my-group" {
}

variable "enableEncryption" {
  default = false # insecure default
}

resource "azurerm_managed_disk" "source" {
  encryption_settings {
    enabled = var.enableEncryption # false unless overridden
  }
}
```
Once the workflow has run, review the results in GitHub:

- Click on the Security tab.
- Under Code scanning, review all your security issues.
If you want to run tfsec locally before pushing changes, install it with:

```shell
brew install tfsec   # macOS (Homebrew)
# or
curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/main/scripts/install_linux.sh | bash   # Linux
# or
scoop install tfsec  # Windows (Scoop)
```

Then scan your Terraform code:

```shell
tfsec .
```
- High/Medium/Low issues: tfsec categorizes findings by severity.
- Fixing issues: follow the recommendations provided in the scan output.
- Suppressing false positives: use `#tfsec:ignore:<rule-id>` comments in your Terraform files.
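As an added example that is not part of this repository, here is a hardened counterpart to the `main.tf` above together with a documented suppression in the form just described. The resource references (`aws_security_group.lb`, `aws_alb.web`, `aws_alb_target_group.web`), the internal CIDR and `var.certificate_arn` are assumed placeholders, and the rule id is the one tfsec reports for an ingress rule open to 0.0.0.0/0.

```hcl
# Added example (not from the original repository): hardened counterpart of
# main.tf. References, the CIDR and var.certificate_arn are placeholders.

# Finding: ingress from 0.0.0.0/0. Fix: restrict the source range and
# describe the rule so reviewers can judge it.
resource "aws_security_group_rule" "my-rule" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/16"] # internal range, not 0.0.0.0/0
  description       = "HTTPS from the internal network"
  security_group_id = aws_security_group.lb.id
}

# Finding: plaintext HTTP listener. Fix: terminate TLS on 443 with a
# current policy instead of keeping an HTTP listener.
resource "aws_alb_listener" "my-alb-listener" {
  load_balancer_arn = aws_alb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_alb_target_group.web.arn
  }
}

# Finding: disk encryption disabled via the variable default. Fix: make the
# secure value the default so callers must opt out explicitly; the
# azurerm_managed_disk block from main.tf stays unchanged.
variable "enableEncryption" {
  type    = bool
  default = true
}

# Accepted risk: the public load balancer must accept HTTPS from anywhere.
# The ignore comment names one rule id (copied from the scan output) and
# sits directly above the block it applies to.
#tfsec:ignore:aws-vpc-no-public-ingress-sgr
resource "aws_security_group_rule" "public_https" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.lb.id
}
```

Re-running `tfsec .` against the hardened file shows which findings the changes clear and leaves the suppressed rule out of the report.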