Static Analysis (Security scanner) for Terraform Code

in DevOps , DevSecOps , Cloud Computing

    What is Terraform?

    Terraform is an open-source infrastructure as code software tool that provides a consistent CLI workflow to manage hundreds of cloud services. Terraform codifies cloud APIs into declarative configuration files. (Source →

    Basically, we use terraform tool to provision cloud services from CLI using the code.

    But can we check if our terrafrom code has some security flaws??

    YES. We can. Using TFsec tool.

    TFsec uses HCL parser to understand the terraform code and have many default checks in place already. They also give you freedom to write your own custom checks.

    You can run this tool in you CI pipeline (also in github actions) and check your code before making changes to cloud. And the best thing it is supported in all the mostly used OS.. and they have a docker container as well (which I love btw).

    You can download yourself one form here →

    And they are also Open Source. That means you can read the code and make changes to it that suits you best. And also you can help to make it better. Just like tons of people who are making it better everyday.

    “Gettign Hands Dirty” Time

    I already had some test code for Terraform and I intentionally added a default secret key variable (which I know is a bad idea from a security point of view).

    variable file with default secret key variable file with default secret key

    I am now expecting any security scanner to detect this type of behavior and report it.
    After the code was ready… I pulled and created a container for tfsec and mounted my code repository in that to perform scanning.

    docker run --rm -it -v $PWD:/src tfsec/tfsec /src

    And as expected,

    scan report from tfsec scan report from tfsec

    It gave me a good human readable report with all the highlighted potential issues along with the time taken for everything. Since it is using HCL parser to parse every thing.. It also gives me warning/errors in my code.


    Get similar stories in your inbox weekly, for free

    Share this story:
    Rishabh Umrao, Information Security Engineer @ Sophos

    Another Computer Science and Engineering Graduate (B.Tech) from india with a strong interest in Devops, Security and Automation.

    Latest stories

    How ManageEngine Applications Manager Can Help Overcome Challenges In Kubernetes Monitoring

    We tested ManageEngine Applications Manager to monitor different Kubernetes clusters. This post shares our review …

    AIOps with Site24x7: Maximizing Efficiency at an Affordable Cost

    In this post we'll dive deep into integrating AIOps in your business suing Site24x7 to …

    A Review of Zoho ManageEngine

    Zoho Corp., formerly known as AdventNet Inc., has established itself as a major player in …

    Should I learn Java in 2023? A Practical Guide

    Java is one of the most widely used programming languages in the world. It has …

    The fastest way to ramp up on DevOps

    You probably have been thinking of moving to DevOps or learning DevOps as a beginner. …

    Why You Need a Blockchain Node Provider

    In this article, we briefly cover the concept of blockchain nodes provider and explain why …

    Top 5 Virtual desktop Provides in 2022

    Here are the top 5 virtual desktop providers who offer a range of benefits such …

    Why Your Business Should Connect Directly To Your Cloud

    Today, companies make the most use of cloud technology regardless of their size and sector. …

    7 Must-Watch DevSecOps Videos

    Security is a crucial part of application development and DevSecOps makes it easy and continuous.The …