# aquasecurity/tfsec

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/aquasecurity-tfsec).**

7,013 stars · 555 forks · Go · MIT

## Links

- GitHub: https://github.com/aquasecurity/tfsec
- Homepage: https://aquasecurity.github.io/trivy/
- awesome-repositories: https://awesome-repositories.com/repository/aquasecurity-tfsec.md

## Description

tfsec is a static analysis tool and infrastructure-as-code linter designed to detect security misconfigurations and compliance violations in Terraform code. It functions as a cloud security posture tool and policy enforcement engine that evaluates configurations against established security benchmarks.

The tool provides multi-cloud security auditing for providers including AWS, Azure, Google Cloud, and Kubernetes, as well as specialized scanning for DigitalOcean, OpenStack, CloudStack, and GitHub configurations. It identifies insecure settings such as public access or unencrypted storage across compute, networking, and identity services.

The engine includes capabilities for complex expression evaluation to resolve functional expressions and resource relationships, ensuring misconfigurations are detected beyond literal string values. It supports custom policy definitions for organization-specific standards and allows for security warning suppression via source code comments or command-line flags.

The scanner is designed for CI/CD security integration as a standalone binary or container, with the ability to export findings in structured formats such as JSON, SARIF, and CSV.

## Tags

### Security & Cryptography

- [Infrastructure as Code Security](https://awesome-repositories.com/f/security-cryptography/infrastructure-as-code-security.md) — Provides automated security scanning and misconfiguration detection for infrastructure-as-code configuration files. ([source](https://github.com/aquasecurity/tfsec#readme))
- [Infrastructure as Code Scanners](https://awesome-repositories.com/f/security-cryptography/infrastructure-as-code-scanners.md) — Analyzes infrastructure templates to identify insecure settings before they are deployed to production.
- [JSON-Based Rule Engines](https://awesome-repositories.com/f/security-cryptography/json-based-rule-engines.md) — Evaluates resource configurations against security benchmarks using a predefined set of rules.
- [Misconfiguration Scanning](https://awesome-repositories.com/f/security-cryptography/misconfiguration-scanning.md) — Detects known security flaws and structural misconfigurations across cloud infrastructure definitions. ([source](https://aquasecurity.github.io/trivy/))
- [Policy Enforcement Engines](https://awesome-repositories.com/f/security-cryptography/policy-enforcement-engines.md) — Evaluates infrastructure configurations against defined security and compliance rules to enforce standards.
- [Cloud Security Posture Scanners](https://awesome-repositories.com/f/security-cryptography/security/utilities/security-tools/vulnerability-assessment-tools/vulnerability-scanners/cloud-security-posture-scanners.md) — Evaluates cloud configurations against established security benchmarks to detect risks and misconfigurations.
- [Cloud Auditing Tools](https://awesome-repositories.com/f/security-cryptography/cloud-auditing-tools.md) — Audits infrastructure templates across AWS, Azure, and GCP to identify common security gaps.
- [Infrastructure Policy Definition](https://awesome-repositories.com/f/security-cryptography/infrastructure-policy-enforcement/security-policy-enforcers/infrastructure-policy-definition.md) — Enforces organization-specific infrastructure standards through tailored security checks defined in configuration files. ([source](https://github.com/aquasecurity/tfsec/blob/master/mkdocs.yml))
- [Azure Misconfiguration Detectors](https://awesome-repositories.com/f/security-cryptography/misconfiguration-scanning/azure-misconfiguration-detectors.md) — Identifies security vulnerabilities across compute, networking, and storage services by scanning Azure infrastructure code. ([source](https://aquasecurity.github.io/tfsec/latest/checks/azure/))
- [GitHub Configuration Audits](https://awesome-repositories.com/f/security-cryptography/misconfiguration-scanning/github-configuration-audits.md) — Identifies security misconfigurations in GitHub repository settings, branch protections, and automation workflows. ([source](https://aquasecurity.github.io/tfsec/latest/checks/github/))
- [DigitalOcean Configuration Audits](https://awesome-repositories.com/f/security-cryptography/security-auditing-tools/digitalocean-configuration-audits.md) — Analyzes DigitalOcean compute and storage configurations for security misconfigurations. ([source](https://aquasecurity.github.io/tfsec/latest/checks/digitalocean/))
- [AWS](https://awesome-repositories.com/f/security-cryptography/security-auditing/configuration-audits/aws.md) — Performs automated security checks of Amazon Web Services resource settings and access controls. ([source](https://aquasecurity.github.io/tfsec/latest/checks/aws/))
- [Kubernetes Posture Scanning](https://awesome-repositories.com/f/security-cryptography/security/utilities/security-tools/vulnerability-assessment-tools/vulnerability-scanners/cloud-security-posture-scanners/kubernetes-posture-scanning.md) — Analyzes Kubernetes service definitions to detect insecure network settings and misconfigurations. ([source](https://aquasecurity.github.io/tfsec/latest/checks/kubernetes/))

### Software Engineering & Architecture

- [Static Analysis Engines](https://awesome-repositories.com/f/software-engineering-architecture/static-analysis-engines.md) — Analyzes infrastructure code by parsing resource blocks and attributes to identify security vulnerabilities and misconfigurations.

### Development Tools & Productivity

- [Terraform Analyzers](https://awesome-repositories.com/f/development-tools-productivity/static-analysis-tools/terraform-analyzers.md) — Performs static analysis specifically on Terraform configuration files to identify security misconfigurations.

### DevOps & Infrastructure

- [Misconfiguration Detectors](https://awesome-repositories.com/f/devops-infrastructure/cloud-infrastructure-resources/misconfiguration-detectors.md) — Identifies insecure settings such as public access or unencrypted storage within cloud compute and networking definitions.
- [Unified Resource Models](https://awesome-repositories.com/f/devops-infrastructure/unified-resource-models.md) — Maps diverse cloud resource definitions from different providers into a unified format for consistent security scanning.
- [CI/CD Pipeline Integrations](https://awesome-repositories.com/f/devops-infrastructure/ci-cd-pipeline-integrations.md) — Automates security checks within CI/CD pipelines as a standalone binary or container. ([source](https://github.com/aquasecurity/tfsec#readme))

### Programming Languages & Runtimes

- [Configuration Expression Resolvers](https://awesome-repositories.com/f/programming-languages-runtimes/expression-evaluators/configuration-expression-resolvers.md) — Resolves complex functional expressions to evaluate actual security settings instead of relying on literal strings.

### User Interface & Experience

- [Static Expression Evaluation](https://awesome-repositories.com/f/user-interface-experience/layout-utilities/presentation-engines/template-engines/control-flow-directives/expression-evaluators/parsing-optimizations/constant-expression-parsing/static-expression-evaluation.md) — Resolves functional expressions and resource relationships to detect misconfigurations beyond literal string values. ([source](https://github.com/aquasecurity/tfsec#readme))

### Part of an Awesome List

- [Google Cloud Resource Audits](https://awesome-repositories.com/f/awesome-lists/devops/cloud-security/google-cloud-resource-audits.md) — Detects security misconfigurations across identity, networking, storage, and compute resources in Google Cloud. ([source](https://aquasecurity.github.io/tfsec/latest/checks/google/))
- [Workflow Automation](https://awesome-repositories.com/f/awesome-lists/devtools/workflow-automation.md) — Performs static analysis of infrastructure code for security issues.
