TL;DR, What is tfsec?
tfsec is a static analysis security scanner for your Terraform code; its scanning engine is now consolidated into Aqua Security’s Trivy. You can keep using tfsec, but new features focus on Trivy, which offers broader, actively developed coverage.
If your team uses infrastructure as code, you know that misconfigurations are a leading cause of security breaches. tfsec helps solve this problem by running static analysis on your Terraform code early in the development lifecycle, which stops vulnerabilities from ever reaching production. It plugs directly into your CI/CD pipeline, letting developers quickly find and fix issues like overly permissive IAM policies, unencrypted data storage, and exposed network resources across AWS, Azure, and GCP. Integrating tfsec this way helps your team shift security left without slowing down delivery.
As a popular open-source tool, tfsec helps developers and security engineers build more secure cloud infrastructure right from the start.
Get the IaC Security Best Practices [Cheat Sheet]
Scan early, fix at the source. Get the IaC Best Practices Cheat Sheet and discover how to embed scanning, remediation, feedback loops, and drift prevention into your infrastructure workflow.

At-a-Glance
License: MIT License
Primary Language: Go
Stars: 6.9k
Last Release: May 2025
Topics/Tags: terraform, security, iac, static-analysis, devsecops, cloud-security, misconfiguration
Common use cases
Local Developer Feedback: Developers run scans locally on their workstations before committing code. Running scans locally provides immediate feedback on potential misconfigurations, allowing them to fix security issues in real time without slowing down the development cycle and fostering a culture of secure coding from the start.
Automated CI/CD Security Gates: Integrated into CI/CD pipelines like GitHub Actions or Jenkins, the tool acts as an automated security gate. It scans Terraform code upon every commit and can be configured to fail the build if vulnerabilities are detected, preventing insecure infrastructure from being provisioned.
Pre-Commit Code Validation: Used as a pre-commit hook, tfsec automatically scans staged files before a commit is finalized. Using it this way enforces a security baseline by blocking any commit that introduces policy violations, ensuring that only vetted and secure code enters the version-control system.
Continuous Compliance Monitoring: Security teams use tfsec for periodic audits of their Terraform repositories. By generating structured reports (like SARIF or JSON), you can feed scan results into SIEMs or governance platforms to continuously monitor compliance with standards like CIS and PCI DSS.
IDE Integration for Real-time Scanning: By integrating with IDEs through plugins, developers receive instant, in-line feedback as they write Terraform code. This real-time analysis highlights potential security issues immediately, offering the earliest possible opportunity for remediation directly within the developer's primary workspace.
How does tfsec work?
tfsec is a command-line static analysis tool that scans your Terraform code directly, so you don’t need any cloud credentials or state files. You just point tfsec at a directory of your configuration files. From there, the tool parses your code to build an internal model of your infrastructure, checks it against a huge library of security best practices, and then gives you a report of any vulnerabilities it finds. Because the entire scan runs locally, it’s incredibly fast and perfect for CI/CD pipelines.
HCL Parsing: tfsec uses the official HashiCorp Configuration Language (HCL) parser to get a deep understanding of the relationships between all your resources, modules, and data sources.
Powerful Rule Engine: Historically powered by defsec, now consolidated into Trivy, tfsec’s checks continue to be available; Trivy uses the same underlying approach for IaC scanning.
Comprehensive Static Checks: The engine evaluates the parsed code for common security misconfigurations, including overly permissive firewall rules, unencrypted storage, and disabled logging.
Flexible Output: You can get your results in multiple formats—like human-readable text, JSON, SARIF, JUnit, CSV, and Checkstyle—for easy integration with your other developer tools.
Catch code risks before you deploy
Learn how Wiz Code scans IaC, containers, and pipelines to stop misconfigurations and vulnerabilities before they hit your cloud.

Core Capabilities:
Extensive Security Rulebase: tfsec delivers comprehensive IaC security with hundreds of built-in rules for AWS, Azure, GCP, and Kubernetes. The tool's extensive rule set is powered by a robust static analysis engine that covers a wide range of common misconfigurations and security vulnerabilities. With continuously updated policies, you get broad coverage of security pitfalls, enabling your teams to proactively find and fix risks in your Terraform code before they hit production.
Compliance and Policy Controls: While tfsec doesn’t ship official, turnkey mappings to frameworks like CIS, NIST, PCI DSS, or ISO 27001, many tfsec checks align with those best practices. Teams typically generate compliance evidence by mapping tfsec findings to internal control catalogs or by aggregating results in governance tools/Trivy dashboards.
Flexible Custom Policy Engine: tfsec extends its built-in capabilities by letting your organization define its own custom security policies. This powerful feature gives you the flexibility to enforce internal standards, address unique architectural patterns, or meet specific security requirements not covered by the default rules. Your teams can write checks tailored to your environment, ensuring the scanning process aligns perfectly with your risk appetite and governance policies for a more customized and effective security posture.
Seamless CI/CD and Developer Integration: tfsec is designed for frictionless integration into modern developer workflows and CI/CD pipelines. The tool delivers clear, actionable feedback with detailed vulnerability explanations and links to remediation guidance, helping developers resolve issues quickly. With support for various output formats like JSON, SARIF, and JUnit, it connects seamlessly with other security dashboards and reporting systems. This focus on the developer experience is key for successful CI/CD security integration, helping make security a shared responsibility instead of a bottleneck.
Early Detection with Static Analysis: With tfsec, you can adopt a "shift-left" security approach by running static analysis directly on your source code, without needing cloud credentials or access to a live environment. The tool identifies misconfigurations and vulnerabilities early in the development lifecycle – often right in a developer's IDE or a pre-commit hook. Catching issues before deployment dramatically reduces the cost and complexity of remediation, prevents insecure infrastructure from ever being provisioned, and truly embeds security into your development process.
Limitations
Static Analysis Scope: Because tfsec is a static analysis tool, its scope is limited to your Terraform code and doesn't assess the live, running state of your cloud infrastructure. This means it can't detect configuration drift or security issues introduced manually after deployment. For comprehensive security, you should pair it with a cloud security posture management (CSPM) tool that monitors your runtime environment for real-time threats.
Terraform-Specific: The scanner is built exclusively for Terraform, so it can't parse or analyze other infrastructure-as-code frameworks like AWS CloudFormation, Pulumi, or Ansible. If your organization uses multiple IaC frameworks, you'll need to implement and manage separate security tools for each one, which can add complexity and operational overhead to your security program.
Risk of False Positives: Like any static analysis tool, tfsec can sometimes generate false positives or miss context-specific vulnerabilities. Complex or non-standard Terraform code might trigger alerts that aren't actual risks. Your teams will need to invest time in triaging, customizing rules, or suppressing findings to reduce noise without accidentally ignoring genuine security threats.
Dependency on Rulebase Updates: tfsec's effectiveness depends on how timely and comprehensive its security rulebase is. Any delay in updating rules to cover new cloud services, features, or emerging threats could create a window of exposure. To get the best protection, your teams need to be diligent about keeping the tool updated to the latest version.
Limited Business Context: The tool analyzes code in isolation, which means it lacks awareness of the specific business logic or intended purpose of the infrastructure. A configuration flagged as a high-risk vulnerability – like a publicly accessible storage bucket – might be intentional and necessary for a specific application. This limitation means your team will need to perform human reviews to tell the difference between true security risks and acceptable, context-dependent configurations.
Getting Started
Step 1: Install tfsec
Choose your preferred installation method:
On macOS or Linux (Homebrew):
brew install tfsec
On Windows (Chocolatey):
choco install tfsec
Directly from source (Go):
go install github.com/aquasecurity/tfsec/cmd/tfsec@latest
Step 2: Run a scan
Once installed, scan your current directory containing Terraform files by running:
tfsec .
If no path is specified, tfsec
scans the current directory by default. Use the --help
flag to explore more options.
Alternatives
Feature | tfsec | Checkov | Trivy | KICS |
---|---|---|---|---|
Core Functionality | Static analysis for Terraform code to find security misconfigurations. | Policy as code for IaC, container images, and open source packages; finds misconfigurations and vulnerabilities | Comprehensive security scanner for vulnerabilities, misconfigurations, secrets, and SBOMIncorporates tfsec's IaC scanning | Scans IaC for security vulnerabilities, compliance issues, and misconfigurations. |
Cloud/IaC Provider Support | AWS, Azure, GCP, Kubernetes, DigitalOcean (Terraform) | All major cloud providers (AWS, Azure, GCP), Kubernetes, Helm, ARM Templates, Serverless, AWS CDK | Extensive, including Terraform, CloudFormation, Kubernetes manifests, container images, filesystems, Git repos, VM images | Terraform, CloudFormation, Kubernetes, Docker, ARM Templates, Serverless |
Compliance Policy Enforcement | Aligns with best practices; teams map findings to frameworks or use Trivy/GRC dashboards for compliance evidence | Yes (hundreds of out-of-the-box policies including CIS, PCI DSS, HIPAA) | Yes, through misconfiguration scanning and policy checks | Yes, through policies |
Custom Rule Support | Yes | Yes, extensible Python and graph-based YAML policies | Yes, extensible | Yes, custom queries |
Integration & Output | CI/CD friendly, clear/actionable output, JSON, SARIF, JUnit, CSV, and Checkstyle | VS Code, Jenkins, GitHub, GitLab, CI/CD, various output formats | CLI, GitHub Actions, Kubernetes operator, VS Code plugin, multiple output formats | CI/CD integration, various output formats |
Shift-Left Capability | Yes, static analysis without cloud API/state | Yes, scans cloud resources at build-time | Yes, comprehensive scanning across the development lifecycle | Yes |