Tfsec

tfsec is a static analysis tool and security scanner for infrastructure as code, specifically designed to detect misconfigurations and compliance violations in Terraform and cloud infrastructure definitions before deployment. It functions as a cloud security policy engine that identifies vulnerabilities across multiple cloud platforms.

The tool provides capabilities for cloud compliance auditing and scanning of Cloud Development Kit code. It supports custom security policy enforcement and allows for the definition of organization-specific security requirements.

The scanner includes features for automating analysis within DevSecOps pipelines and exporting results to security dashboards. It manages analysis noise through check filtering and the suppression of security warnings via inline comments with expiration dates.

Features

Static Configuration Analysis - Scans Terraform and cloud configuration files to identify security vulnerabilities and compliance issues before deployment.

Static Analysis Engines - Implements a static analysis engine to identify security misconfigurations in infrastructure code without executing it.

Infrastructure Variable Resolution - Resolves external variable files to determine the final attribute state of cloud resources for accurate analysis.

Infrastructure Configuration Analysis - Analyzes Terraform configuration files to detect misconfigurations and compliance violations before deployment.

Policy Engines - Enforces security best practices and operational standards across multiple cloud-native environments using a policy engine.

Cloud Compliance Auditors - Automates the evaluation of cloud infrastructure against regulatory frameworks and security compliance benchmarks.

Infrastructure as Code Scanners - Identifies security risks and vulnerabilities in cloud infrastructure definitions via static analysis.

Infrastructure as Code Security - Scans Terraform and cloud configuration files to identify security misconfigurations before deployment.

Infrastructure Policy Enforcers - Provides the ability to define and apply organization-specific security requirements through a flexible policy language.

Security Pattern Matching - Evaluates infrastructure code structures against known signatures of security vulnerabilities and misconfigurations.

Relationship Analysis - Analyzes dependencies between cloud resources to detect security vulnerabilities that span multiple configuration blocks.

DevSecOps and Automation - Automates the integration of security analysis and alert uploads within DevSecOps pipelines.

CI/CD Pipeline Integrations - Provides native integration for automating security quality checks within CI/CD deployment workflows.

CI Pipeline Integrations - Integrates static security analysis and optimized logging directly into automated CI pipeline environments.

Infrastructure Development Kit Scanning - Analyzes Cloud Development Kit code and resource relationships to identify security flaws in programmatic infrastructure.

Custom Security Scan Extensions - Supports the definition of custom security policies and tailored checks to meet organizational requirements.

Infrastructure and Configuration - Static analysis for Terraform to prevent cloud misconfigurations.

Infrastructure as Code - Static analysis tool for identifying security issues in Terraform.

Application Security Testing - Static analysis tool for identifying infrastructure misconfigurations.

tfsectfsec

Features

Star history