DEV.co
Open-Source DevOps · aquasecurity

tfsec

tfsec is a static analysis tool for Terraform that detects security misconfigurations across AWS, Azure, GCP, and other cloud providers. The project is now being consolidated into Trivy, Aqua Security's unified scanning platform, with engineering focus shifting away from tfsec toward Trivy.

Source: GitHub — github.com/aquasecurity/tfsec
7k
GitHub stars
555
Forks
Go
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryaquasecurity/tfsec
Owneraquasecurity
Primary languageGo
LicenseMIT — OSI-approved
Stars7k
Forks555
Open issues16
Latest releasev1.28.14 (2025-05-02)
Last updated2026-03-25
Sourcehttps://github.com/aquasecurity/tfsec

What tfsec is

Written in Go, tfsec scans HCL/Terraform code to identify misconfigurations using hundreds of built-in rules. It evaluates literals, HCL expressions, Terraform functions, and resource relationships. Supports multiple output formats (JSON, SARIF, CSV, JUnit) and integrates with CI/CD pipelines, IDEs (VSCode, JetBrains, Vim), and Docker.

Quickstart

Get the tfsec source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/aquasecurity/tfsec.gitcd tfsec# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Terraform security scanning in CI/CD

Integrates directly into GitHub Actions, Azure DevOps, and standard CI pipelines for automated IaC security checks before deployment.

Multi-cloud compliance validation

Scans Terraform configurations against security baselines for AWS, Azure, GCP, DigitalOcean, and Kubernetes, supporting organizations with multi-cloud infrastructure.

Local development-time feedback

IDE extensions (VSCode, JetBrains) provide real-time linting during Terraform authoring, catching misconfigurations before commit.

Implementation considerations

  • Requires Terraform files to be present; supports local and remote module scanning, but effectiveness depends on HCL code completeness.
  • False positive tuning: configure via CLI flags, config files, or per-line ignore comments (#tfsec:ignore:rule-id) with optional expiration dates.
  • Performance is stated as fast for large repositories; evaluate scanning time against your codebase size in staging before production rollout.
  • Supports HCL expressions and Terraform functions (e.g., concat), but complex dynamic configurations may not be fully analyzable.
  • Available in multiple distribution formats (Homebrew, Chocolatey, Docker, binary, Go install); choose based on your existing DevOps toolchain.

When to avoid it — and what to weigh

  • Need actively maintained upstream project — Engineering effort is shifting to Trivy. While tfsec remains available, future development and critical updates will prioritize Trivy instead.
  • Require non-Terraform IaC scanning — tfsec is Terraform-specific. Other IaC languages (CloudFormation, Bicep, Helm) are not natively supported; Trivy is recommended for multi-language IaC.
  • Evaluating Aqua's commercial offering — Aqua directs commercial support and integrations toward Trivy. tfsec is community-driven; commercial backing is limited.
  • Need comprehensive container/dependency scanning — tfsec focuses solely on IaC misconfigurations. For application vulnerability scanning (container images, dependencies), Trivy is the unified solution.

License & commercial use

MIT License (permissive OSI-approved). Allows commercial use, modification, and distribution without restriction.

MIT license permits commercial use. However, Aqua Security's commercial support and integrations are directed at Trivy, not tfsec. Community Slack channel is available, but production commercial backing is limited. Review Aqua's support offerings before assuming production SLA coverage.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceModerate
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

tfsec performs static analysis only; it does not execute Terraform or validate against live infrastructure. Accuracy depends on code completeness and HCL evaluator correctness. No mention of automated security audits of tfsec itself. Binaries are signed (key provided); verify signatures in CI/CD pipelines. As a static analyzer, it cannot detect runtime misconfigurations or supply-chain attacks; use alongside runtime security tools.

Alternatives to consider

Trivy (Aqua Security)

Aqua's unified scanning platform with Terraform support plus additional IaC languages, container scanning, and library vulnerability detection. Officially recommended migration path from tfsec with active development and commercial backing.

Checkov (Bridgecrewio/Palo Alto)

Multi-language IaC scanner (Terraform, CloudFormation, Kubernetes, Ansible) with policy-as-code (Rego/YAML), cloud-native integrations, and commercial support options.

Terraform Cloud/Enterprise (HashiCorp)

Native Terraform governance with policy enforcement (Sentinel), VCS integration, cost estimation, and state management in a managed service. Best for teams already using Terraform Cloud.

Software development agency

Build on tfsec with DEV.co software developers

Start with tfsec for immediate Terraform security scanning, or consider migrating to Trivy for a unified IaC and dependency scanning platform. Review the migration guide if you plan to scale across multiple IaC languages.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

tfsec FAQ

Is tfsec still maintained?
Yes, tfsec remains available and actively receives bug fixes. However, Aqua is consolidating development effort into Trivy. Future feature development will be limited; critical updates are expected but direction is toward Trivy migration.
Can I use tfsec with non-Terraform IaC?
No. tfsec is Terraform-specific. For CloudFormation, Kubernetes manifests, Ansible, or other IaC languages, use Trivy or Checkov.
How do I suppress false positives?
Use inline comments (#tfsec:ignore:rule-id) in Terraform files, disable checks via CLI (-e flag), or create a tfsec config file. Ignore comments can include expiration dates (exp:yyyy-mm-dd) to enforce review.
Does tfsec evaluate dynamic Terraform code?
Partially. tfsec evaluates HCL expressions and Terraform functions (concat, etc.) and resource relationships, but highly dynamic or conditional logic may not be fully analyzable. Test in your environment.

Custom software development services

Need help beyond evaluating tfsec? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source devops integrations — and maintain them long-term.

Ready to Scan Terraform for Security Issues?

Start with tfsec for immediate Terraform security scanning, or consider migrating to Trivy for a unified IaC and dependency scanning platform. Review the migration guide if you plan to scale across multiple IaC languages.