iac-scan-tfsec
Terraform Scanning with tfsec
You are a security engineer scanning Terraform code for security misconfigurations using tfsec (now integrated into Trivy).
When to use
Use this skill when asked to scan Terraform (HCL) code specifically for security issues. For broader IaC scanning, consider Checkov.
Prerequisites
- tfsec installed (`brew install tfsec` or `go install github.com/aquasecurity/tfsec/cmd/tfsec@latest`)
- Or use Trivy: `trivy config --format json .`
- Verify: `tfsec --version`
Instructions
- Identify the target — Determine the Terraform directory.
- Run the scan:
  ```bash
  tfsec <terraform-dir> --format json > tfsec-results.json
  ```
  - Minimum severity: `tfsec . --minimum-severity HIGH --format json`
  - Exclude specific checks: `tfsec . --exclude aws-s3-enable-versioning --format json`
  - Include passed checks: `tfsec . --include-passed --format json`
  - With Trivy: `trivy config --format json --severity HIGH,CRITICAL <terraform-dir>`
- Parse the results — Read JSON output and present findings:
  | # | Severity | Rule ID | Resource | File:Line | Description | Resolution |
  |---|----------|---------|----------|-----------|-------------|------------|
- Summarize — Provide:
  - Total findings by severity (CRITICAL/HIGH/MEDIUM/LOW)
  - Specific HCL code changes needed for each finding
  - Links to tfsec documentation for each rule
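The parse-and-summarize steps above, worked through as an added example (not part of the original skill or of tfsec itself): it reads `tfsec --format json` output, applies the same minimum-severity and exclude filtering as the CLI flags, drops passed checks, and renders the findings table and per-severity counts. The field names follow tfsec's JSON schema as I know it; the sample results, rule IDs, files and resources are constructed for this example.

```python
import json
from collections import Counter

# Constructed sample of `tfsec --format json` output. Field names follow tfsec's JSON
# schema as I know it (results[].severity/status/location); values are invented here.
SAMPLE_JSON = """{"results": [
 {"rule_id": "AVD-AWS-0001", "long_id": "aws-s3-enable-bucket-encryption", "severity": "HIGH",
  "description": "Bucket does not have encryption enabled", "resolution": "Configure bucket encryption",
  "resource": "aws_s3_bucket.logs", "status": 0, "location": {"filename": "s3.tf", "start_line": 4}},
 {"rule_id": "AVD-AWS-0002", "long_id": "aws-s3-enable-versioning", "severity": "MEDIUM",
  "description": "Bucket does not have versioning enabled", "resolution": "Enable versioning",
  "resource": "aws_s3_bucket.logs", "status": 0, "location": {"filename": "s3.tf", "start_line": 4}},
 {"rule_id": "AVD-AWS-0003", "long_id": "aws-ec2-no-public-ingress-sgr", "severity": "CRITICAL",
  "description": "Security group rule allows ingress from 0.0.0.0/0", "resolution": "Restrict the CIDR",
  "resource": "aws_security_group_rule.ssh", "status": 0, "location": {"filename": "sg.tf", "start_line": 12}},
 {"rule_id": "AVD-AWS-0004", "long_id": "aws-s3-enable-bucket-logging", "severity": "LOW",
  "description": "Bucket has logging enabled", "resolution": "",
  "resource": "aws_s3_bucket.logs", "status": 1, "location": {"filename": "s3.tf", "start_line": 4}}
]}"""
SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]  # report order, most severe first

def load_findings(raw, minimum="LOW", exclude=()):
    """Failed checks (status 0) at or above `minimum`, minus excluded long IDs.
    Mirrors --minimum-severity and --exclude; passed checks (status 1) are dropped."""
    rows = []
    for r in json.loads(raw).get("results") or []:  # "results" is null when nothing fails
        sev = str(r.get("severity", "")).upper()
        if r.get("status") != 0 or r.get("long_id") in exclude or sev not in SEVERITIES:
            continue
        if SEVERITIES.index(sev) > SEVERITIES.index(minimum):
            continue
        loc = r.get("location") or {}
        rows.append({"severity": sev, "rule": r.get("long_id") or r.get("rule_id", "?"),
                     "resource": r.get("resource", ""),
                     "where": f"{loc.get('filename', '?')}:{loc.get('start_line', '?')}",
                     "description": r.get("description", ""), "resolution": r.get("resolution", "")})
    return sorted(rows, key=lambda x: SEVERITIES.index(x["severity"]))

def summarize(rows):
    """Finding counts per severity, every level present even when zero."""
    counts = Counter(r["severity"] for r in rows)
    return {s: counts.get(s, 0) for s in SEVERITIES}

def render_table(rows):
    """Markdown table in the column layout of the report format above."""
    lines = ["| # | Severity | Rule ID | Resource | File:Line | Description | Resolution |",
             "|---|---|---|---|---|---|---|"]
    for i, r in enumerate(rows, 1):
        lines.append(f"| {i} | {r['severity']} | {r['rule']} | {r['resource']} | {r['where']} | {r['description']} | {r['resolution']} |")
    return "\n".join(lines)
```

Call `load_findings(open("tfsec-results.json").read(), minimum="HIGH")` on a real scan to get the same table and counts for the report.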
Key tfsec Rules by Provider
| Provider | Common Rules |
|---|---|
| AWS | S3 encryption, Security group rules, RDS encryption, CloudTrail logging |
| Azure | Storage encryption, NSG rules, Key Vault settings |
| GCP | IAM bindings, GKE settings, Cloud SQL encryption |
| General | Sensitive variables, hardcoded secrets in HCL |