Terraform security scanning CLI for finding infrastructure misconfigurations in code and modules before apply.
$ brew install tfsec
Agent Compatibility
JSON Output
Agent Skill
MCP Support
AI Analysis
tfsec is a static analysis CLI for Terraform that scans configuration files and modules for security misconfigurations before plan or apply. It is built for local and CI use, with built-in provider checks plus support for custom checks and Rego policies.
What It Enables
- Scan Terraform repos and modules for risky network exposure, missing encryption, weak IAM settings, secrets exposure, and other provider-specific misconfigurations before infrastructure changes ship.
- Gate pull requests or CI runs with severity thresholds, rule filters, ignore controls, tfvars inputs, and optional config or custom policy files.
- Export findings as JSON, SARIF, JUnit, Checkstyle, CSV, Markdown, or HTML for code scanning systems, dashboards, and follow-up automation.
Agent Fit
- --format json, non-interactive flags, and documented exit behavior make it easy to run in inspect-then-fix loops or CI.
- Flags for excludes, minimum severity, workspace-specific ignores, tfvars, and module download control let an agent rerun targeted scans deterministically.
- It is a read-only analysis primitive, so it fits safe review workflows well, but remediation still requires separate edits and some scans may need network access for remote modules.
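The gating and export points above come together in one small wrapper. This is an added example, not code from tfsec or Aqua: it builds a tfsec command line from documented flags (--format json, --minimum-severity, --exclude, --tfvars-file, --no-module-downloads, --soft-fail), then post-processes the JSON report so the CI job, not tfsec, decides what blocks. The report embedded below is a constructed sample in the shape of tfsec's JSON output (a top-level "results" list with rule_id, severity, status, resource and location); the file names, resource names and the chosen exclusions are made up for the example.

```python
"""Severity gate over tfsec's --format json report (added example, not tfsec code)."""
import json
import subprocess
import sys
from typing import Dict, Iterable, List, Optional

# tfsec severities, highest first; anything unrecognised is treated as LOW.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample in the shape tfsec emits with --format json. Paths and
# resource names are invented for this example.
SAMPLE_REPORT: Dict = {
    "results": [
        {"rule_id": "aws-s3-enable-bucket-encryption", "severity": "HIGH", "status": 0,
         "rule_description": "Unencrypted S3 bucket.", "resource": "aws_s3_bucket.logs",
         "location": {"filename": "modules/storage/main.tf", "start_line": 12, "end_line": 18}},
        {"rule_id": "aws-ec2-no-public-ingress-sgr", "severity": "CRITICAL", "status": 0,
         "rule_description": "Security group rule allows ingress from 0.0.0.0/0.",
         "resource": "aws_security_group_rule.ssh",
         "location": {"filename": "modules/network/sg.tf", "start_line": 4, "end_line": 11}},
        {"rule_id": "aws-s3-enable-versioning", "severity": "MEDIUM", "status": 0,
         "rule_description": "S3 bucket versioning is disabled.", "resource": "aws_s3_bucket.logs",
         "location": {"filename": "modules/storage/main.tf", "start_line": 12, "end_line": 18}},
        # status 2 is the value tfsec uses for a result ignored via a tfsec:ignore comment;
        # such results only appear in the report when --include-ignored is passed.
        {"rule_id": "aws-s3-specify-public-access-block", "severity": "HIGH", "status": 2,
         "rule_description": "Bucket has no public access block.", "resource": "aws_s3_bucket.logs",
         "location": {"filename": "modules/storage/main.tf", "start_line": 12, "end_line": 18}},
    ]
}


def tfsec_command(target: str, min_severity: str, excludes: Iterable[str] = (),
                  tfvars_file: Optional[str] = None, offline: bool = True) -> List[str]:
    """Build a deterministic tfsec argv from documented flags.

    --soft-fail keeps tfsec's own exit status at 0 so the gate below owns the
    pass/fail decision; --no-module-downloads keeps reruns offline and stable.
    """
    argv = ["tfsec", target, "--format", "json", "--minimum-severity", min_severity, "--soft-fail"]
    excludes = list(excludes)
    if excludes:
        argv += ["--exclude", ",".join(excludes)]
    if tfvars_file:
        argv += ["--tfvars-file", tfvars_file]
    if offline:
        argv.append("--no-module-downloads")
    return argv


def run_scan(argv: List[str]) -> Dict:
    """Run tfsec (must be on PATH) and parse the JSON report it writes to stdout."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return json.loads(proc.stdout or "{}")


def _rank(res: Dict) -> int:
    return SEVERITY_RANK.get(str(res.get("severity", "")).upper(), 1)


def gate(report: Dict, min_severity: str, excludes: Iterable[str] = ()) -> Dict:
    """Apply the CI policy to a parsed report.

    Drops non-failed results (tfsec reports status 0 for a failed check) and
    excluded rule IDs, then splits what remains at the severity threshold.
    Re-applying the threshold here means reports produced without
    --minimum-severity are gated the same way.
    """
    threshold = SEVERITY_RANK.get(min_severity.upper(), 1)
    excluded = set(excludes)
    blocking: List[Dict] = []
    below: List[Dict] = []
    suppressed = 0
    for res in report.get("results") or []:
        if res.get("status", 0) != 0 or res.get("rule_id") in excluded:
            suppressed += 1
            continue
        (blocking if _rank(res) >= threshold else below).append(res)
    # Highest severity first, then by file and line, so output is stable across reruns.
    blocking.sort(key=lambda r: (-_rank(r), r.get("location", {}).get("filename", ""),
                                 r.get("location", {}).get("start_line", 0)))
    return {"blocking": blocking, "below_threshold": below, "suppressed": suppressed}


def format_finding(res: Dict) -> str:
    """One line per finding: severity, rule, resource and file:line for a fix loop."""
    loc = res.get("location", {})
    return (f"{res.get('severity', '?'):8} {res.get('rule_id', '?')}  "
            f"{res.get('resource', '?')}  {loc.get('filename', '?')}:{loc.get('start_line', '?')}")


def exit_code(verdict: Dict) -> int:
    """Non-zero only when something at or above the threshold survived the filters."""
    return 1 if verdict["blocking"] else 0


if __name__ == "__main__":
    # usage: gate.py [report.json] [MIN_SEVERITY]; without a report, the sample is used.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    min_sev = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    print("would run:", " ".join(tfsec_command(".", min_sev, offline=True)))
    verdict = gate(report, min_sev)
    for finding in verdict["blocking"]:
        print(format_finding(finding))
    print(f"{len(verdict['blocking'])} blocking, {len(verdict['below_threshold'])} below "
          f"threshold, {verdict['suppressed']} suppressed")
    sys.exit(exit_code(verdict))
```

Pointing the script at a real report (`tfsec . --format json --out tfsec.json --no-module-downloads --soft-fail`, then `gate.py tfsec.json HIGH`) gives the same stable, sorted list on every rerun, which is what an agent or CI step needs to diff before and after a remediation edit.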
Caveats
- Aqua's own docs now encourage migration to trivy config, so tfsec remains useful but is no longer the forward-looking flagship in this product line.
- Remote module fetching and custom policy inputs can change scan behavior; unattended runs may need --no-module-downloads or pinned config.