tfsec is a fast static analysis tool that scans Terraform code to detect potential security misconfigurations across multiple cloud providers.
Tfsec is now part of Trivy
tfsec is primarily used by DevOps engineers, security professionals, and developers to identify and remediate security risks in Terraform infrastructure as code before deployment. It integrates easily into CI pipelines to automate security checks, ensuring cloud environments are configured securely and compliant with best practices.
tfsec is now part of the Trivy project, which consolidates multiple security scanning tools; users are encouraged to migrate to Trivy for broader language support and integrations. While tfsec remains available, active development focus has shifted to Trivy. Integrating tfsec early in CI/CD pipelines is recommended to catch misconfigurations before deployment.
Install via Docker: pull the tfsec/tfsec image from Docker Hub
Install via Homebrew: brew install tfsec
Install via Chocolatey: choco install tfsec
Install via AUR for Arch Linux: install tfsec-bin package
Use the VSCode extension from the Visual Studio Marketplace
Use the JetBrains plugin available in the JetBrains plugin repository
Use the Vim plugin from the aquasecurity GitHub repository
tfsec <directory>: scan the specified directory containing Terraform code for security misconfigurations
tfsec --format json <directory>: run a scan and output results in JSON format
tfsec --config-file <file>: run a scan using a specified configuration file to customize rules and behavior
tfsec --exclude <rule_id>: exclude specific rules from the scan results