tfsec is a security scanner for Terraform code that finds common misconfigurations and security risks before you deploy your infrastructure.
Here’s how it works in a real-world scenario. Imagine you’re provisioning an AWS S3 bucket.
resource "aws_s3_bucket" "example" {
  bucket = "my-insecure-bucket"
  acl    = "public-read"
  tags = {
    Name = "My bucket"
  }
}
You’ve committed this code, and your CI/CD pipeline automatically runs tfsec against it. tfsec reports a CRITICAL finding for the bucket; abbreviated, the result reads:
[CRITICAL] S3 Bucket ACL should not be public.
│ ID: aws-s3-no-public-access-with-acl
│ Resource: aws_s3_bucket.example
│ File: main.tf:3
│
│ The S3 bucket ACL is set to "public-read", which allows anonymous users to read the objects in the bucket. This can lead to data breaches.
│
│ Recommended action: Remove the `acl` argument or set it to a more restrictive value, such as "private".
This is the core value proposition: catching these kinds of mistakes before they reach production. tfsec goes beyond syntax checking; it understands the security implications of your Terraform configuration. One caveat on the example itself: on AWS provider v4 and later the acl argument is deprecated in favour of a separate aws_s3_bucket_acl resource, but a public-read ACL is the same exposure however it is expressed, so the check still matters.
Let’s dive into the mental model of how tfsec operates and how you can leverage it.
The Problem tfsec Solves
The primary problem tfsec addresses is the inherent risk of misconfiguration in Infrastructure as Code (IaC). Terraform, while powerful, allows for complex resource definitions. A single misplaced argument, an incorrect value, or a missing security control can expose your cloud environment to significant risks. Manually reviewing every line of Terraform code for security vulnerabilities is tedious, error-prone, and simply doesn’t scale. tfsec automates this process, acting as a first line of defense.
How tfsec Works Internally
tfsec parses your Terraform code with an HCL parser into a tree of blocks and attributes, resolving variables, locals and module calls first, so a value that reaches a resource through a variable is still visible to the checks. It then applies its built-in security rules to that tree. Each rule is a check for a specific resource configuration known to be insecure.
For example, the public-ACL rule looks for aws_s3_bucket resources whose acl attribute is public-read or public-read-write and raises a finding when it sees one; its check ID is aws-s3-no-public-access-with-acl (legacy short ID AWS001). The built-in rules are written in Go and live in the open-source code base (today shared with Aqua's Trivy), which makes them transparent and auditable. Your own checks, covered under custom rules below, are declared in YAML or JSON rather than Go.
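To make the parse-then-evaluate model concrete, here is a toy version of it in Python. It is added here as an illustration and is not tfsec's own code: it parses only a small subset of HCL (one attribute per line, no expressions), runs two simplified rules modelled on tfsec's aws-s3-no-public-access-with-acl and aws-rds-no-public-db-access checks, and honours inline tfsec:ignore comments, including the :exp:YYYY-MM-DD expiry suffix tfsec accepts on them. The Terraform in SAMPLE is constructed for the example.

```python
"""Toy model of tfsec's pipeline: parse Terraform into blocks, run rules over them,
honour inline tfsec:ignore comments. Added illustration only, not tfsec's own code."""
import re
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Block:
    kind: str                                    # "resource" or "data"
    labels: list                                 # e.g. ["aws_s3_bucket", "example"]
    line: int                                    # 1-based line of the block header
    attrs: dict = field(default_factory=dict)    # top-level key = value pairs only
    ignores: dict = field(default_factory=dict)  # check id -> expiry date or None

@dataclass
class Finding:
    rule_id: str
    severity: str
    resource: str
    line: int
    message: str

HEADER = re.compile(r'^\s*(resource|data)\s+"([^"]+)"\s+"([^"]+)"\s*\{')
# Both comment styles tfsec accepts, with an optional :exp:YYYY-MM-DD expiry suffix.
IGNORE = re.compile(r'(?:#|//)\s*tfsec:ignore:([\w-]+)(?::exp:(\d{4}-\d{2}-\d{2}))?')

def _attr(line):
    """key = value on one line, quotes stripped; nested blocks and comments skipped."""
    body = re.split(r'\s(?:#|//)', line, maxsplit=1)[0].strip()
    if "=" not in body or body.endswith("{"):
        return None
    key, _, val = body.partition("=")
    return key.strip(), val.strip().strip('"')

def _ignores_on(line):
    return {cid: (date.fromisoformat(exp) if exp else None)
            for cid, exp in IGNORE.findall(line)}

def parse(src):
    """Return the top-level resource/data blocks with their direct attributes.
    Subset parser (toy); tfsec itself uses a real HCL parser and evaluates expressions."""
    blocks, cur, depth = [], None, 0
    for n, line in enumerate(src.splitlines(), 1):
        if cur is None:
            m = HEADER.match(line)
            if m:
                cur = Block(m.group(1), [m.group(2), m.group(3)], n, ignores=_ignores_on(line))
                depth = 1
            continue
        cur.ignores.update(_ignores_on(line))
        depth += line.count("{") - line.count("}")
        if depth == 0:                                   # block closed
            blocks.append(cur)
            cur = None
        elif depth == 1 and (kv := _attr(line)):
            cur.attrs[kv[0]] = kv[1]
    return blocks

# Two rules, simplified from tfsec's aws-s3-no-public-access-with-acl and
# aws-rds-no-public-db-access. A rule is a function from a block to a Finding or None.
def rule_s3_public_acl(b):
    if b.labels[0] == "aws_s3_bucket" and b.attrs.get("acl") in ("public-read", "public-read-write"):
        return Finding("aws-s3-no-public-access-with-acl", "CRITICAL", ".".join(b.labels),
                       b.line, f"Bucket has a public ACL: {b.attrs['acl']}.")
    return None

def rule_rds_public(b):
    if b.labels[0] == "aws_db_instance" and b.attrs.get("publicly_accessible") == "true":
        return Finding("aws-rds-no-public-db-access", "CRITICAL", ".".join(b.labels),
                       b.line, "Database instance is publicly accessible.")
    return None

RULES = [rule_s3_public_acl, rule_rds_public]

def scan(src, today=None):
    """Run every rule over every block; drop findings covered by an unexpired ignore."""
    today = date.fromisoformat(today) if today else date.today()
    findings = []
    for b in parse(src):
        for rule in RULES:
            f = rule(b)
            if f is None:
                continue
            if f.rule_id in b.ignores:
                exp = b.ignores[f.rule_id]
                if exp is None or exp >= today:   # no expiry, or not yet expired
                    continue
            findings.append(f)
    return findings

# Constructed sample: one real finding, one suppressed, one whose ignore has expired.
SAMPLE = """\
resource "aws_s3_bucket" "public" {
  bucket = "my-insecure-bucket"
  acl    = "public-read"
  tags = {
    Name = "My bucket"
  }
}

resource "aws_s3_bucket" "website" {
  bucket = "public-website-assets"
  acl    = "public-read" #tfsec:ignore:aws-s3-no-public-access-with-acl
}

resource "aws_db_instance" "db" {
  engine              = "postgres"
  publicly_accessible = true //tfsec:ignore:aws-rds-no-public-db-access:exp:2020-01-01
}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"[{f.severity}] {f.rule_id} {f.resource} (line {f.line}): {f.message}")
```

The point to take from the toy is the separation of concerns: the parser builds a model once, every rule is a small predicate over that model, and suppression is applied to findings rather than baked into the rules. That is also why an expired ignore silently reappears as a finding, which is the behaviour you want from an exception that was granted for a limited time.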
Key Levers for Control
The primary way you control tfsec is through its command-line interface and its configuration files.

- Running tfsec: the simplest invocation is tfsec . in your Terraform project directory. This scans every .tf file in the current directory and its subdirectories, exits non-zero when it finds problems (so a CI step fails), and can emit machine-readable output with --format json (csv, junit, sarif and others are also available) for downstream tooling.

- Filtering results: raise the reporting threshold with --minimum-severity, for example tfsec --minimum-severity HIGH . to report only HIGH and CRITICAL findings. --soft-fail still reports findings but exits 0, which is useful while a team is first onboarding and should be removed once the backlog is cleared.

- Ignoring specific checks: sometimes you have a valid reason for a configuration that tfsec flags. You can suppress a check with an inline comment on the offending line or on the resource's opening line, or centrally in a configuration file. Prefer the inline form with an expiry date, so the exception sits next to the code and is reviewed again when it lapses.

  Inline comment:

    resource "aws_s3_bucket" "example" {
      bucket = "my-insecure-bucket"
      acl    = "public-read" #tfsec:ignore:aws-s3-no-public-access-with-acl:exp:2025-12-31
      tags = {
        Name = "My bucket"
      }
    }

  Here aws-s3-no-public-access-with-acl is the check ID for the public S3 bucket ACL rule (its legacy short ID is AWS001). Both # and // comment styles are accepted, and the :exp: suffix makes the ignore stop applying after that date.

  Configuration file (.tfsec/config.yml, loaded automatically, or any path given with --config-file):

    exclude:
      - aws-s3-no-public-access-with-acl

  Excluding a check here silences it for every resource in the scan, so reserve it for checks that genuinely do not apply to the code base; per-resource exceptions belong in inline comments.

- Custom rules: for organisation-specific policy you can write custom checks in YAML or JSON. tfsec loads every *_tfchecks.yaml or *_tfchecks.json file in the .tfsec directory (or in the directory named with --custom-check-dir). A check names the block type and labels it applies to and a matchSpec describing the condition that must hold:

    checks:
      - code: CUS001
        description: Sensitive-data buckets must not be publicly readable
        impact: Anyone on the internet can read the objects in the bucket
        resolution: Remove the acl argument or set it to private
        requiredTypes:
          - resource
        requiredLabels:
          - aws_s3_bucket
        severity: CRITICAL
        matchSpec:
          name: acl
          action: isNone
          value:
            - public-read
            - public-read-write
        errorMessage: The bucket ACL allows public read access

  With the file in place, a plain tfsec . picks it up and reports CUS001 alongside the built-in checks.

- Integrating with CI/CD: the most effective use of tfsec is in your CI/CD pipeline, so that every change is scanned before it can be merged or deployed. Most platforms (GitHub Actions, GitLab CI, Jenkins and so on) either have a ready-made integration or can simply run the binary and act on its exit code.

  GitHub Actions example:

    name: Terraform Security Scan
    on: [push, pull_request]
    jobs:
      tfsec:
        runs-on: ubuntu-latest
        steps:
          - name: Checkout code
            uses: actions/checkout@v3
          - name: Run tfsec
            uses: aquasecurity/tfsec-action@v1.0.0
            with:
              working_directory: .                        # directory containing the Terraform files
              soft_fail: false                            # fail the job when findings remain
              additional_args: --minimum-severity HIGH    # passed straight to the tfsec CLI

  Run it on pull_request as well as push, as above, so that findings block the merge rather than surfacing after the change is already on the main branch.
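The levers above are applied per invocation, so different teams tend to drift towards different flags and exclusions. One way to keep them consistent is a small gate script that every pipeline runs over tfsec's JSON report with the organisation's policy baked in. The script below is an added example and not tfsec's own code; it mirrors the three knobs tfsec itself offers (--minimum-severity, and the exclude and severity_overrides keys of .tfsec/config.yml) as function arguments and returns the exit status the pipeline step should use. The report in SAMPLE_REPORT is constructed, and the field names (results[].rule_id, severity, resource, location.filename and location.start_line) are assumed to match tfsec's --format json layout; check them against the output of your own version before relying on them.

```python
"""CI gate over a tfsec JSON report. Added example, not tfsec's own code.
Applies an organisation-wide minimum severity, a shared exclude list and per-rule
severity overrides, then returns the exit status the pipeline step should use.
Assumes tfsec's --format json field names; verify against your tfsec version."""
import json
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def gate(report_json, minimum_severity="HIGH", exclude=(), severity_overrides=None):
    """Return (exit_code, kept, suppressed).
    kept: (severity, rule_id, resource, file:line) tuples, most severe first.
    suppressed: rule ids dropped by exclusion or by falling below the threshold.
    exit_code is 1 when anything blocking remains, else 0."""
    overrides = {k: v.upper() for k, v in (severity_overrides or {}).items()}
    threshold = SEVERITY_RANK[minimum_severity.upper()]
    kept, suppressed = [], []
    # tfsec emits "results": null rather than [] when nothing was found.
    for r in json.loads(report_json).get("results") or []:
        rule_id = r["rule_id"]
        severity = overrides.get(rule_id, r["severity"]).upper()
        if rule_id in exclude or SEVERITY_RANK[severity] < threshold:
            suppressed.append(rule_id)
            continue
        loc = r["location"]
        kept.append((severity, rule_id, r["resource"], f'{loc["filename"]}:{loc["start_line"]}'))
    kept.sort(key=lambda k: -SEVERITY_RANK[k[0]])
    return (1 if kept else 0), kept, suppressed

# Constructed stand-in for `tfsec --format json .` output; real reports carry more fields.
SAMPLE_REPORT = json.dumps({"results": [
    {"rule_id": "aws-s3-no-public-access-with-acl", "severity": "CRITICAL",
     "resource": "aws_s3_bucket.example",
     "description": "Bucket has a public ACL: public-read.",
     "location": {"filename": "main.tf", "start_line": 3, "end_line": 3}},
    {"rule_id": "aws-s3-enable-versioning", "severity": "MEDIUM",
     "resource": "aws_s3_bucket.example",
     "description": "Bucket does not have versioning enabled.",
     "location": {"filename": "main.tf", "start_line": 1, "end_line": 7}},
    {"rule_id": "aws-rds-no-public-db-access", "severity": "CRITICAL",
     "resource": "aws_db_instance.db",
     "description": "Instance is exposed publicly.",
     "location": {"filename": "rds.tf", "start_line": 9, "end_line": 9}},
]})

if __name__ == "__main__":
    # Usage in CI:  tfsec --format json . | python gate.py
    # With no piped input it gates the constructed sample instead.
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    code, kept, suppressed = gate(report, exclude=("aws-s3-enable-versioning",))
    for sev, rule_id, resource, where in kept:
        print(f"{sev:8} {rule_id:40} {resource} ({where})")
    print(f"{len(kept)} blocking finding(s), {len(suppressed)} suppressed")
    sys.exit(code)
```

Keeping the policy in one script that every repository calls means a change to the threshold or to the shared exclude list is a single reviewed commit rather than a hunt through dozens of workflow files, and the suppressed list gives you a cheap audit of what is being waved through.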
When you run tfsec on a Terraform configuration, it doesn’t just output a list of potential issues; it provides context about why something is a problem and often suggests a remediation. This makes it an invaluable tool for developers and security teams alike to build more secure infrastructure from the ground up.
The next hurdle you’ll likely encounter is integrating tfsec into your existing Terraform workflow, particularly around managing exceptions and ensuring consistent application across multiple teams and projects.