tfsec
tfsec is a static analysis tool for Terraform that detects security misconfigurations across AWS, Azure, GCP, and other cloud providers. The project is now being consolidated into Trivy, Aqua Security's unified scanning platform, with engineering focus shifting away from tfsec toward Trivy.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | aquasecurity/tfsec |
| Owner | aquasecurity |
| Primary language | Go |
| License | MIT — OSI-approved |
| Stars | 7k |
| Forks | 555 |
| Open issues | 16 |
| Latest release | v1.28.14 (2025-05-02) |
| Last updated | 2026-03-25 |
| Source | https://github.com/aquasecurity/tfsec |
What tfsec is
Written in Go, tfsec scans HCL/Terraform code to identify misconfigurations using hundreds of built-in rules. It evaluates literals, HCL expressions, Terraform functions, and resource relationships. Supports multiple output formats (JSON, SARIF, CSV, JUnit) and integrates with CI/CD pipelines, IDEs (VSCode, JetBrains, Vim), and Docker.
Get the tfsec source
Clone the repository and explore it locally.
git clone https://github.com/aquasecurity/tfsec.gitcd tfsec# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Terraform files to be present; supports local and remote module scanning, but effectiveness depends on HCL code completeness.
- False positive tuning: configure via CLI flags, config files, or per-line ignore comments (#tfsec:ignore:rule-id) with optional expiration dates.
- Performance is stated as fast for large repositories; evaluate scanning time against your codebase size in staging before production rollout.
- Supports HCL expressions and Terraform functions (e.g., concat), but complex dynamic configurations may not be fully analyzable.
- Available in multiple distribution formats (Homebrew, Chocolatey, Docker, binary, Go install); choose based on your existing DevOps toolchain.
When to avoid it — and what to weigh
- Need actively maintained upstream project — Engineering effort is shifting to Trivy. While tfsec remains available, future development and critical updates will prioritize Trivy instead.
- Require non-Terraform IaC scanning — tfsec is Terraform-specific. Other IaC languages (CloudFormation, Bicep, Helm) are not natively supported; Trivy is recommended for multi-language IaC.
- Evaluating Aqua's commercial offering — Aqua directs commercial support and integrations toward Trivy. tfsec is community-driven; commercial backing is limited.
- Need comprehensive container/dependency scanning — tfsec focuses solely on IaC misconfigurations. For application vulnerability scanning (container images, dependencies), Trivy is the unified solution.
License & commercial use
MIT License (permissive OSI-approved). Allows commercial use, modification, and distribution without restriction.
MIT license permits commercial use. However, Aqua Security's commercial support and integrations are directed at Trivy, not tfsec. Community Slack channel is available, but production commercial backing is limited. Review Aqua's support offerings before assuming production SLA coverage.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Moderate |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
tfsec performs static analysis only; it does not execute Terraform or validate against live infrastructure. Accuracy depends on code completeness and HCL evaluator correctness. No mention of automated security audits of tfsec itself. Binaries are signed (key provided); verify signatures in CI/CD pipelines. As a static analyzer, it cannot detect runtime misconfigurations or supply-chain attacks; use alongside runtime security tools.
Alternatives to consider
Trivy (Aqua Security)
Aqua's unified scanning platform with Terraform support plus additional IaC languages, container scanning, and library vulnerability detection. Officially recommended migration path from tfsec with active development and commercial backing.
Checkov (Bridgecrewio/Palo Alto)
Multi-language IaC scanner (Terraform, CloudFormation, Kubernetes, Ansible) with policy-as-code (Rego/YAML), cloud-native integrations, and commercial support options.
Terraform Cloud/Enterprise (HashiCorp)
Native Terraform governance with policy enforcement (Sentinel), VCS integration, cost estimation, and state management in a managed service. Best for teams already using Terraform Cloud.
Build on tfsec with DEV.co software developers
Start with tfsec for immediate Terraform security scanning, or consider migrating to Trivy for a unified IaC and dependency scanning platform. Review the migration guide if you plan to scale across multiple IaC languages.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
tfsec FAQ
Is tfsec still maintained?
Can I use tfsec with non-Terraform IaC?
How do I suppress false positives?
Does tfsec evaluate dynamic Terraform code?
Custom software development services
Need help beyond evaluating tfsec? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source devops integrations — and maintain them long-term.
Ready to Scan Terraform for Security Issues?
Start with tfsec for immediate Terraform security scanning, or consider migrating to Trivy for a unified IaC and dependency scanning platform. Review the migration guide if you plan to scale across multiple IaC languages.