In this section of the IaC Scanning Tools Guide, we will be looking at tfsec and discussing the benefits, key features, and looking at some real world examples. You can explore the other parts of this guide below.
Jump to section:
- What is an IaC scan tool?
- What is Checkov?
- What is Terrascan?
- Comparing Checkov vs. tfsec vs. Terrascan
What is tfsec?
tfsec is a security scanner for your Terraform code. It performs static analysis of your code and detects potential misconfigurations that could lead to security risks. It supports multiple cloud providers, such as AWS, Azure, and GCP, and has hundreds of built-in rules. It also allows you to define your own custom rules using Rego policies or JSON/YAML custom policies. You can run tfsec locally or in your CI pipelines, and get developer-friendly output in various formats. tfsec is an open-source project backed by Aqua Security that aims to help you secure code in your IaC.
Benefits and Key Features of using tfsec
Some benefits and key features of using tfsec are:
How to get started with tfsec
How to install tfsec?
There are several ways to install tfsec on your system. You can use a package manager such as brew (for macOS or Linux), choco (for Windows), or scoop (for Windows). You can also download the binary for your system from the releases page on GitHub. Alternatively, you can install tfsec with Go using the command:
If you don't want to install tfsec on your system, you can also run it in a Docker container using the command:
If you follow along with our GitHub repo using Codespaces, it will be installed for you.
How to use tfsec?
To use tfsec, you simply need to run it on a directory that contains your Terraform code. For example:
By default, tfsec will use a lovely output format that shows the severity, description, location, and resolution of each problem. You can change the output format using the --format flag.
This will output the results in JSON format. You can also use other formats such as csv, checkstyle, junit, sarif, text, markdown, html, and gif.
You can also customize the behavior of tfsec using various flags or a configuration file. For example, you can exclude certain checks using the --exclude flag. You can also enable or disable colors, force exit codes, ignore warnings or errors, set custom paths for modules or policies, and more. For a full list of flags you can run tfsec -h
Example use cases of tfsec
Use case 1: Scan your Terraform code for security issues before applying it
One of the most common use cases of tfsec is to scan your Terraform code for security issues before applying it to your cloud environment. This way, you can catch and fix any problems before they cause any damage or expose any vulnerabilities.
Let’s scan the same folder we scanned with checkov. Run the following commands:
This will scan all the Terraform files in the current directory and print out a report of any issues found. For example:
As you can see, tfsec provides a clear and concise output that shows the location, severity, and description of each issue. It also provides a link to the documentation page where you can learn more about the issue and how to fix it.
Use case 2: Scan your Kubernetes manifests
Unfortunately, tfsec does not support scanning Kubernetes manifests. It was built specifically to scan Terraform files.
tfsec Custom Policies
Similar to checkov, you can create custom checks in tfsec either using YAML or JSON or using Rego. Let’s create a check similar to the one we did with checkov. We shouldn’t allow an S3 bucket’s ACL to be public-read when it is tagged with the key Scope and the value of PCI.
Custom checks are defined as JSON files or YAML files which sit in the .tfsec folder in the root check path. Any file with the suffix tfchecks.json or tfchecks.yaml will be parsed and the checks included during the run.
Check the pci_policy_tfchecks.yaml in the .tfsec folder in our repo. Below is the content:
Use the normal command to run:
And examine the output: