Tfsec – Security Scanner For Your Terraform Code


tfsec uses static analysis of your Terraform templates to spot potential security issues. Now with Terraform v0.12+ support.

Example Output

Installation

Install with brew/linuxbrew:

brew install tfsec

Install with Chocolatey:

choco install tfsec

You can also grab the binary for your system from the releases page.

Alternatively, install with Go:

go get -u github.com/tfsec/tfsec/cmd/tfsec

Usage

tfsec will scan the specified directory. If no directory is specified, the current working directory will be used.

The exit status will be non-zero if tfsec finds problems, otherwise the exit status will be zero.

tfsec .

Use with Docker

As an alternative to installing and running tfsec on your system, you may run tfsec in a Docker container.

To run:

docker run --rm -it -v "$(pwd):/src" liamg/tfsec /src

Use as GitHub Action

If you want to run tfsec on your repository as a GitHub Action, you can use https://github.com/triat/terraform-security-scan.

Features

  • Checks for sensitive data inclusion across all providers
  • Checks for violations of AWS, Azure and GCP security best practice recommendations
  • Scans modules (currently only local modules are supported)
  • Evaluates expressions as well as literal values
  • Evaluates Terraform functions, e.g. concat()

Ignoring Warnings

You may wish to ignore some warnings. If you'd like to do so, you can simply add a comment containing tfsec:ignore: followed by the check ID to the offending line in your templates. If the problem refers to a block of code, such as a multiline string, you can add the comment on the line above the block, by itself.

For example, to ignore an open security group rule:

resource "aws_security_group_rule" "my-rule" {
    type        = "ingress"
    cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS006
}

…or…

resource "aws_security_group_rule" "my-rule" {
    type        = "ingress"
    #tfsec:ignore:AWS006
    cidr_blocks = ["0.0.0.0/0"]
}

If you're not sure which line to add the comment on, just check the tfsec output for the line number of the discovered problem.
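Suppressions accumulate quietly, so it is worth inventorying them before a review. The script below is an added example, not part of tfsec or of the original page: it walks Terraform source text, finds every tfsec:ignore comment in both forms described above (inline after the attribute, or alone on the line above the block) and counts how often each check ID has been silenced. The regular expression, the acceptance of both # and // comment markers, and the sample Terraform file are assumptions made for this example.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# tfsec suppression comment: "tfsec:ignore:" followed by a check ID such as AWS006.
# Accepting both "#" and "//" comment markers, and the check-ID pattern
# (letters then digits), are assumptions for this example.
IGNORE_RE = re.compile(r"(?:#|//)\s*tfsec:ignore:([A-Za-z]+\d+)")


def is_comment_only(line: str) -> bool:
    """True when the line holds nothing but a comment (the 'line above the block' form)."""
    stripped = line.strip()
    return stripped.startswith("#") or stripped.startswith("//")


def find_ignores(source: str, filename: str = "main.tf") -> List[Tuple[str, int, str, str]]:
    """Return (filename, line, check_id, form) for every tfsec:ignore comment.

    form is "inline" when the comment shares a line with the offending attribute
    and "standalone" when it sits alone on the line above the block it silences.
    """
    found = []
    for number, line in enumerate(source.splitlines(), start=1):
        for match in IGNORE_RE.finditer(line):
            form = "standalone" if is_comment_only(line) else "inline"
            found.append((filename, number, match.group(1), form))
    return found


def count_by_check(ignores: List[Tuple[str, int, str, str]]) -> Dict[str, int]:
    """Number of suppressions per check ID; a high count for one ID is a signal
    that the rule needs a real fix or a documented exception, not more ignores."""
    return dict(Counter(check_id for _, _, check_id, _ in ignores))


# Constructed sample: the two suppression forms from the page, plus a rule that
# restricts the CIDR instead of silencing the check.
SAMPLE_TF = """\
resource "aws_security_group_rule" "inline_ignore" {
  type        = "ingress"
  cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS006
}

resource "aws_security_group_rule" "standalone_ignore" {
  type = "ingress"
  #tfsec:ignore:AWS006
  cidr_blocks = ["0.0.0.0/0"]
}

resource "aws_security_group_rule" "not_ignored" {
  type        = "ingress"
  cidr_blocks = ["10.0.0.0/8"]
}
"""

if __name__ == "__main__":
    ignores = find_ignores(SAMPLE_TF)
    for filename, line, check_id, form in ignores:
        print(f"{filename}:{line}: {check_id} suppressed ({form})")
    print("totals:", count_by_check(ignores))
```

Run it over real files by reading each .tf file and passing its contents and path to find_ignores. The matcher is line-based, so a literal "tfsec:ignore:" inside a quoted string or heredoc would be reported too; for an audit listing that over-reporting is the safer direction.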

Disable checks

You may wish to exclude some checks from running. If you'd like to do so, you can simply add the argument -e Check1,Check2,etc to your command:

tfsec . -e GEN001,GCP001,GCP002

Including values from .tfvars

You can include values from a tfvars file in the scan, using, for example: --tfvars-file terraform.tfvars.

Included Checks

Checks are currently limited to AWS/Azure/GCP resources, but there are also checks which are provider agnostic.

Checks

  • AWS Checks
  • Azure Checks
  • GCP Checks
  • General Checks

Running in CI

tfsec is designed for running in a CI pipeline. For this reason it will exit with a non-zero exit code if a potential problem is detected. You may wish to run tfsec as part of your build without coloured output. You can do this using --no-colour (or --no-color for our American friends).

Output options

You can output tfsec results as JSON, CSV, Checkstyle, Sarif, JUnit or just plain old human readable format. Use the --format flag to specify your desired format.
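Because tfsec exits non-zero on any finding, teams that want to fail the build only on the most serious results while still surfacing the rest need a small gate on top of the JSON output. The script below is an added example for the two sections above (running in CI and the --format flag), not tfsec's own code: it parses JSON in the shape of tfsec's output, counts findings per severity, and returns the exit code a CI step should use. The field names (results, rule_id, severity, description, location), the three severity levels and the sample findings are assumptions made for this example; the check IDs are ones the page mentions.

```python
import json
from typing import Dict, List

# Ordering of severities, lowest to highest. That tfsec reports exactly these
# three levels in its JSON output is an assumption of this example.
SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}

# Constructed sample in the shape of `tfsec --format json` output; the field
# names are assumed, not quoted from the page.
SAMPLE_JSON = """{
  "results": [
    {"rule_id": "AWS006", "severity": "WARNING",
     "description": "Fully open ingress security group rule",
     "location": {"filename": "main.tf", "start_line": 3, "end_line": 3}},
    {"rule_id": "GEN001", "severity": "ERROR",
     "description": "Potentially sensitive data in a variable default",
     "location": {"filename": "variables.tf", "start_line": 12, "end_line": 12}},
    {"rule_id": "GCP002", "severity": "INFO",
     "description": "Unencrypted compute disk",
     "location": {"filename": "disks.tf", "start_line": 7, "end_line": 9}}
  ]
}"""


def load_results(raw: str) -> List[dict]:
    """Parse tfsec JSON output; an empty or missing results list means a clean scan."""
    return json.loads(raw).get("results") or []


def _rank(result: dict) -> int:
    # Unknown severities rank above everything known, so a level added in a
    # newer tfsec release can never slip through the gate unnoticed.
    return SEVERITY_RANK.get(result.get("severity", ""), max(SEVERITY_RANK.values()) + 1)


def at_or_above(results: List[dict], threshold: str) -> List[dict]:
    """Findings whose severity is at least `threshold`."""
    floor = SEVERITY_RANK[threshold]
    return [r for r in results if _rank(r) >= floor]


def summarize(results: List[dict]) -> Dict[str, int]:
    """Count findings per severity, so the build log shows what was waived."""
    counts: Dict[str, int] = {}
    for r in results:
        sev = r.get("severity", "UNKNOWN")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def gate(raw: str, threshold: str = "WARNING") -> int:
    """Exit code for a CI step: 1 when any finding reaches `threshold`, else 0.
    Findings below the threshold are still printed so they are not lost."""
    results = load_results(raw)
    floor = SEVERITY_RANK[threshold]
    for r in results:
        loc = r.get("location", {})
        marker = "FAIL" if _rank(r) >= floor else "note"
        print(f"[{marker}] {r.get('rule_id')} {r.get('severity')} "
              f"{loc.get('filename')}:{loc.get('start_line')} {r.get('description')}")
    print("summary:", summarize(results))
    return 1 if at_or_above(results, threshold) else 0


if __name__ == "__main__":
    import sys
    # Feed real output in on stdin; with no pipe attached, the constructed sample is used.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    raise SystemExit(gate(raw, threshold="ERROR"))
```

In a pipeline, write the scan to a file first (tfsec . --format json --no-colour > tfsec.json || true) and then run the gate on that file, so tfsec's own non-zero exit on warnings does not pre-empt the threshold you chose. Checks excluded with -e never appear in the output at all, so exclusions and the threshold compose without special handling here.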

GitHub Security Alerts

If you want to integrate with GitHub Security alerts and include the output of your tfsec checks, you can use the tfsec-sarif-action GitHub action to run the static analysis and then upload the results to the security alerts tab.

The alerts generated for tfsec-example-project look like this.


When you click through the alerts for the branch, you get more information about the actual problem.


For more information about adding security alerts, check

Support for older Terraform versions

If you need to support versions of Terraform which use HCL v1 (Terraform <0.12), you can use v0.1.3 of tfsec, though support is very limited and has fewer checks.
