Terraform Scanning with tfsec

When to use

Prerequisites

• tfsec installed (

  brew install tfsec

  or

  go install github.com/aquasecurity/tfsec/cmd/tfsec@latest

  )
• Or use Trivy:

  trivy config --format json .

• Verify:

  tfsec --version

Instructions

1. Identify the target — Determine the Terraform directory.
2. Run the scan:
   bash

   tfsec <terraform-dir> --format json > tfsec-results.json

   • Minimum severity:

     tfsec . --minimum-severity HIGH --format json

   • Exclude specific checks:

     tfsec . --exclude aws-s3-enable-versioning --format json

   • Include passed checks:

     tfsec . --include-passed --format json

   • With Trivy:

     trivy config --format json --severity HIGH,CRITICAL <terraform-dir>

3. Parse the results — Read JSON output and present findings:

| # | Severity | Rule ID | Resource | File:Line | Description | Resolution |
|---|----------|---------|----------|-----------|-------------|------------|

1. Summarize — Provide:
   • Total findings by severity (CRITICAL/HIGH/MEDIUM/LOW)
   • Specific HCL code changes needed for each finding
   • Links to tfsec documentation for each rule

Key tfsec Rules by Provider