How to use tfsec
What is tfsec
tfsec is a static analysis tool for Terraform code, maintained by Aqua Security. It scans every Terraform file in a directory, flags configurations that weaken the security posture of the infrastructure they describe (unencrypted storage, overly permissive network rules and the like), and suggests how to fix each one. You can run it locally and in GitHub Actions.
1. Run tfsec locally
To run tfsec locally, install it first. On macOS with Homebrew:
brew install tfsec
Then, from the root directory of your Terraform project, run:
tfsec
tfsec prints every finding to the terminal with its rule ID, severity, the file and line it applies to, and the suggested fix. It exits non-zero when it finds problems, which is what makes it usable as a CI gate.
2. Run tfsec in a GitHub Action
To run tfsec in GitHub Actions, follow the steps below.
Step 1
Create a tfsec.yml file in the .github/workflows/ directory of your repository.
Step 2
Add the following workflow to tfsec.yml:
name: tfsec
on:
  push:
    branches:
      - main
  pull_request:
jobs:
  tfsec:
    name: Terraform Security Scan and PR Commenter
    runs-on: ubuntu-latest
    steps:
      - name: Clone repo
        uses: actions/checkout@master
      - name: Pull Request Commenter
        if: ${{ github.event_name == 'pull_request' }}
        uses: aquasecurity/tfsec-pr-commenter-action@v1.0.2
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: Terraform security scan
        uses: aquasecurity/tfsec-action@v1.0.0
        with:
          format: json
Code Explanation
GitHub Actions explanation
The workflow runs on every push to main and on every pull request. The first step checks out the repository; note that actions/checkout@master tracks the head of that branch, so pinning it to a release tag (or a commit SHA) makes the workflow reproducible and narrows its supply-chain exposure.
1. aquasecurity/tfsec-pr-commenter-action
Runs only on pull_request events (the if condition) and posts each tfsec finding as a review comment on the affected lines, so reviewers see the problem next to the code. It authenticates with the job's GITHUB_TOKEN; if your repository's default token permissions are read-only, grant the job pull-requests: write or the comments will be rejected.
2. aquasecurity/tfsec-action
Runs tfsec against the checked-out code and fails the job when it finds issues, which blocks the merge if the check is required. format: json switches the step's output to tfsec's JSON report; any output format tfsec supports can be used here. Extra tfsec command-line flags can be passed through the action's additional_args input.
Commit the changes. Your project now runs static analysis of its Terraform code with tfsec on every push to main and on every pull request.
If you want to suppress particular checks in the GitHub Action, there are two ways:
1. Using ignore comments
Put a tfsec:ignore comment carrying the rule ID directly above the resource block. This tells tfsec that you have weighed the risk of that configuration and accepted it; that one check is skipped for that one resource only, and every other check still runs against it. Record the reason in an adjacent comment so the exception can be reviewed later.
2. Ignoring checks globally
You can also exclude checks for the whole repository by passing them to tfsec as additional arguments in .github/workflows/tfsec.yml (the action's additional_args input). The excluded checks are then skipped for every file tfsec scans in that repository, so reserve this for rules that genuinely do not apply to your environment rather than using it to silence individual findings.
Important Note
If you have used tfsec before: its last major version bump (v1.0.0) changed the rule IDs and the documentation along with them. Existing tfsec GitHub Action checks may stop working, you may see many new error messages, and ignore comments written against the old rule IDs may no longer suppress anything. To fix all of these, update tfsec to the latest version and run its ignore-migration command on the project: it rewrites the old ignore comments to the new rule IDs and brings the project up to date.
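As an added example (not from the original post and not tfsec's own code), the shell script below ties together the two ignore mechanisms above, the v1 ignore migration from this note, and a severity gate over the report that format: json produces, all on a throwaway Terraform directory. The Terraform file, the config file and the SAMPLE_REPORT JSON are constructed for the demo; the rule IDs are tfsec's long IDs for its S3 checks, the severities in the sample are illustrative, and the sample report is trimmed to the fields the gate reads (tfsec's real report carries more). The flags used (--format, --soft-fail, --exclude, --migrate-ignores) and the .tfsec/config.yml file are tfsec's own; the gate uses grep rather than jq so that it runs anywhere.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from tfsec itself.
# Demonstrates: an inline ignore with expiry, repo-wide excludes via
# .tfsec/config.yml, the v1 ignore migration, and a severity gate over
# `tfsec --format json` output. Everything written to disk is constructed
# for the demo; the rule IDs are tfsec's long IDs for its S3 checks.
set -eu

# 1. Inline ignore + 2. global excludes, written into a scratch directory.
write_demo_project() {
  local dir="$1"
  mkdir -p "$dir/.tfsec"
  # The ignore comment sits on the line directly above the resource block.
  # ':exp:YYYY-MM-DD' makes it expire, so an accepted risk is re-flagged
  # later instead of being forgotten; the plain comment records the reason.
  cat > "$dir/main.tf" <<'EOF'
# Short-lived demo bucket: access logging is intentionally not enabled.
#tfsec:ignore:aws-s3-enable-bucket-logging:exp:2025-12-31
resource "aws_s3_bucket" "demo" {
  bucket = "tfsec-ignore-demo"
}
EOF
  # tfsec reads .tfsec/config.yml from the scanned directory. An 'exclude'
  # list here has the same effect as `--exclude aws-s3-enable-versioning`
  # on the CLI or via the GitHub Action's additional_args input, but it is
  # versioned alongside the code it applies to.
  cat > "$dir/.tfsec/config.yml" <<'EOF'
exclude:
  - aws-s3-enable-versioning
EOF
}

# 3. After upgrading to tfsec v1: rewrite legacy ignore codes (e.g. AWS002)
#    in place to the new long rule IDs.
migrate_ignores() {
  tfsec "$1" --migrate-ignores
}

# 4. Severity gate over the JSON report. The report is grep'd for
#    "severity": "<LEVEL>" so no jq is needed; tfsec prints one field per
#    line, and a report with "results": null simply matches nothing.
severity_rank() {
  case "$1" in
    CRITICAL) echo 4 ;;
    HIGH)     echo 3 ;;
    MEDIUM)   echo 2 ;;
    LOW)      echo 1 ;;
    *)        echo 0 ;;
  esac
}

# count_findings <report-json> <minimum-severity>: findings at or above level
count_findings() {
  local report="$1" min sev n total=0
  min=$(severity_rank "$2")
  for sev in CRITICAL HIGH MEDIUM LOW; do
    if [ "$(severity_rank "$sev")" -ge "$min" ]; then
      n=$(printf '%s\n' "$report" | grep -Eo "\"severity\": *\"$sev\"" | wc -l | tr -d ' ')
      total=$((total + n))
    fi
  done
  echo "$total"
}

# gate <report-json> <minimum-severity>: non-zero exit when the gate fails
gate() {
  local n
  n=$(count_findings "$1" "$2")
  if [ "$n" -gt 0 ]; then
    echo "FAIL: $n finding(s) at or above $2"
    return 1
  fi
  echo "PASS: no findings at or above $2"
}

# Constructed stand-in for `tfsec --format json` output, trimmed to the
# fields the gate reads. The ignored logging rule and the excluded
# versioning rule do not appear: tfsec omits them unless asked to include them.
SAMPLE_REPORT='{
  "results": [
    {
      "long_id": "aws-s3-enable-bucket-encryption",
      "severity": "HIGH",
      "location": {"filename": "main.tf", "start_line": 3}
    },
    {
      "long_id": "aws-s3-specify-public-access-block",
      "severity": "LOW",
      "location": {"filename": "main.tf", "start_line": 3}
    }
  ]
}'

main() {
  local work report
  work=$(mktemp -d)
  write_demo_project "$work"
  if command -v tfsec >/dev/null 2>&1; then
    # --soft-fail keeps tfsec's exit code at 0 so the gate below decides.
    report=$(tfsec "$work" --format json --soft-fail)
  else
    echo "tfsec not installed; gating the constructed sample report instead"
    report="$SAMPLE_REPORT"
  fi
  gate "$report" HIGH
}

# Invoke as: bash tfsec_demo.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it with bash tfsec_demo.sh run. With tfsec installed it scans the generated directory under --soft-fail so the script, not tfsec, decides the exit code; without it, it gates the constructed report. Either way the gate fails on the HIGH finding and lets the LOW one through, which is the behaviour you want from a CI check: block on what matters and report the rest.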
Originally published at https://pranit-p.blogspot.com.