tfsec

tfsec is a static analysis security scanner for your Terraform code. Designed to run locally and in your CI pipelines, developer-friendly output and fully documented checks mean detection and remediation can take place as quickly and efficiently as possible. tfsec takes a developer-first approach to scanning your Terraform templates; using static analysis and deep integration with the official HCL parser it ensures that security issues can be detected before your infrastructure changes take effect. Checks for misconfigurations across all major (and some minor) cloud providers. Applies (and embellishes) user-defined Rego policies. Supports multiple output formats: CLI, JSON, SARIF, CSV, CheckStyle, and JUnit. Configurable (via CLI flags and/or config file). Very fast, capable of quickly scanning huge repositories. Plugins for popular IDEs available (JetBrains, VSCode and Vim).

Features

Hundreds of built-in rules
Scans modules (local and remote)
Evaluates HCL expressions as well as literal values
Evaluates Terraform functions
Evaluates relationships between Terraform resources
Compatible with the Terraform CDK

Project Samples

Project Activity

See All Activity >

License

MIT License

Follow tfsec

tfsec Web Site

Other Useful Business Software

Secure File Transfer for Windows with Cerberus by Redwood

Protect and share files over FTP/S, SFTP, HTTPS and SCP with the #1 rated Windows file transfer server.

Cerberus supports unlimited users and connections on a single IP, with built-in encryption, 2FA, and a browser-based web client — all deployable in under 15 minutes with a 25-day free trial.

Try for Free

Rate This Project

User Reviews

Be the first to post a review of tfsec!

Additional Project Details

Operating Systems

Linux

Programming Language

Related Categories

Go Vulnerability Scanners, Go Static Code Analysis Tool

Registered

2022-03-31

Similar Business Software

Parasoft

"Parasoft delivers an AI‑powered software testing platform that helps organizations continuously release high‑quality software. Our solutions support embedded and enterprise teams by integrating code analysis, testing, virtualization, and coverage into the delivery pipeline to improve security,...

See Software
Aikido Security

Secure your code, cloud, and runtime in one central system. Aikido’s all-in-one security platform is loved by developers and security teams alike with full security visibility, insight in what matters most, and fast/automatic vulnerability fixes. Teams get security done with Aikido thanks...

See Software
Criminal IP ASM

Criminal IP ASM delivers a threat intelligence-powered approach to attack surface management by combining continuous asset discovery with deep threat analysis across IPs, domains, OSINT, and associated infrastructure. Built on Criminal IP’s advanced scanning and enrichment capabilities, it...

See Software
Astra Pentest

Astra’s Pentest is a comprehensive penetration testing solution with an intelligent automated vulnerability scanner coupled with in-depth manual pentesting. On top of 10000+ tests including security checks for all CVEs mentioned in the OWASP top 10, and SANS 25, the automated scanner also...

See Software
Kiuwan Code Security

Kiuwan is an end-to-end application security platform that integrates seamlessly into your development process. Our toolset includes Static Application Security Testing (SAST), Software Composition Analysis (SCA), Software Governance and Code Quality, empowering your team to quickly identify...

See Software
TrustInSoft Analyzer

TrustInSoft Analyzer is a C/C++/Rust source code analyzer powered by formal methods, mathematical & logical reasonings that allow for exhaustive analysis of source code. This analysis can be run without false positives or false negatives, so that every real bug in the code is found. Developers...

See Software