tfsec

IAC scanning tool

What is TFSec?

Installation

  • brew install tfsec
  • Other methods can be found in the official docs

Scanning

Local Scanning

  • With tfsec installed, we can run it against a directory of Terraform code; it parses the HCL and reports each failed check with its severity, location, and a suggested resolution
  • tfsec /terraform-directory
# Partial output of results
Result #1 HIGH Bucket does not encrypt data with a customer managed key.
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
s3-cis-req.tf:3-15
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3  resource "aws_s3_bucket_server_side_encryption_configuration" "s3-encryption-config" {
   4    bucket = aws_s3_bucket.s3-bucket-1.bucket # defines bucket name
   5
   6    rule {
   7      apply_server_side_encryption_by_default {
   8        sse_algorithm = var.sse-algorithm # defines encryption type
   9      }
  10    }
  11
  ..
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys
More Information
- https://aquasecurity.github.io/tfsec/v1.28.4/checks/aws/s3/encryption-customer-key/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
[SNIP]
results
──────────────────────────────────────────
passed 9
ignored 0
critical 0
high 7
medium 3
low 1
9 passed, 11 potential problem(s) detected.

CI Job

tfsec can be added as a job to a CI pipeline. For example, the code below can be used for GitLab. Just add it to .gitlab-ci.yml.

security_scan:
  stage: security_scan
  image:
    name: ubuntu:latest
  script:
    - apt-get update && apt-get install -y curl
    - curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
    - tfsec . -f markdown --out $CI_PROJECT_DIR/tfsec_findings.md
  allow_failure: true
  artifacts:
    when: always
    expire_in: 1 day
    paths:
      - tfsec_findings.md
This job runs on an Ubuntu image from Docker Hub, updates its packages, and downloads curl which is then used to download tfsec. You can find the full configuration on my GitHub here. tfsec offers its own Docker container which could be used here instead, but I couldn't get it to work at the time. So, instead, I chose to manually download and run the tool.
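The job above is set to allow_failure: true, so findings are recorded but never block a merge. The script below is an added example (not part of these notes or of the tfsec project) of a small severity gate that could run as a further step: it reads tfsec's JSON output (produced with -f json instead of -f markdown), counts findings per severity, and exits non-zero when anything at or above a chosen threshold is present. The field names it reads (results, rule_id, severity, description, resolution, location.filename, start_line, end_line) are assumed from tfsec's JSON format rather than taken from the page, and the embedded sample is constructed to mirror the HIGH finding shown in the scan output.

```python
"""Severity gate for tfsec JSON output.

Added example, not the original notes' code. Assumes the CI job ran
`tfsec . -f json --out tfsec_findings.json` and that the JSON has a
top-level "results" list whose entries carry rule_id, severity,
description, resolution and location{filename, start_line, end_line}.
Those field names are the author's assumption about tfsec's JSON
output; check them against a real report before relying on this.
"""
import json
import sys

# Ordering used to compare a finding against the threshold.
SEVERITY_ORDER = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report, modeled on the finding in the scan output above.
SAMPLE_JSON = json.dumps({
    "results": [
        {
            "rule_id": "aws-s3-encryption-customer-key",
            "severity": "HIGH",
            "description": "Bucket does not encrypt data with a customer managed key.",
            "resolution": "Enable encryption using customer managed keys",
            "location": {"filename": "s3-cis-req.tf", "start_line": 3, "end_line": 15},
        },
        {
            "rule_id": "aws-s3-enable-bucket-logging",
            "severity": "MEDIUM",
            "description": "Bucket does not have logging enabled.",
            "resolution": "Add a logging block to the resource to enable access logging",
            "location": {"filename": "s3-cis-req.tf", "start_line": 20, "end_line": 24},
        },
    ]
})


def load_results(raw: str) -> list:
    """Parse a tfsec JSON report; a clean scan may carry null instead of []."""
    data = json.loads(raw)
    return data.get("results") or []


def count_by_severity(results: list) -> dict:
    """Return a {severity: count} table covering every known severity."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for r in results:
        sev = r.get("severity", "").upper()
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def findings_at_or_above(results: list, threshold: str = "HIGH") -> list:
    """Select findings whose severity meets or exceeds the threshold."""
    floor = SEVERITY_ORDER[threshold.upper()]
    return [r for r in results
            if SEVERITY_ORDER.get(r.get("severity", "").upper(), 0) >= floor]


def format_finding(r: dict) -> str:
    """One-line summary: severity, rule id, file:start-end, description."""
    loc = r["location"]
    return (f'{r["severity"]} {r["rule_id"]} '
            f'{loc["filename"]}:{loc["start_line"]}-{loc["end_line"]} '
            f'-- {r["description"]}')


def main(argv: list) -> int:
    """Usage: gate.py [report.json] [THRESHOLD]; uses the sample when no file is given."""
    path = argv[1] if len(argv) > 1 else None
    threshold = argv[2] if len(argv) > 2 else "HIGH"
    raw = open(path, encoding="utf-8").read() if path else SAMPLE_JSON
    results = load_results(raw)
    blocking = findings_at_or_above(results, threshold)
    for r in blocking:
        print(format_finding(r))
        print("  resolution:", r.get("resolution", "n/a"))
    print("totals:", count_by_severity(results))
    # Non-zero exit makes the CI job fail once allow_failure is removed.
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py tfsec_findings.json HIGH` after the scan step; with the job's allow_failure: true removed, a HIGH or CRITICAL finding then fails the pipeline while MEDIUM and LOW are still written to the artifact for review.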

Exceptions

We can make exceptions by adding this comment directly above the resource; tfsec then skips the named check for that resource block. Hint: if you use the VS Code extension, you can just click a button to do this for you. When the scan runs again, this finding will be ignored.
#tfsec:ignore:aws-s3-encryption-customer-key
resource "aws_s3_bucket_server_side_encryption_configuration" "tpcrc" {
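Because an ignore comment silences a finding permanently, tfsec also accepts an expiry suffix on the directive, `:exp:YYYY-MM-DD`, after which the ignore stops applying. The script below is an added example (not from these notes or from tfsec) that scans Terraform source for `#tfsec:ignore:` directives and reports those with no expiry or with an expiry already in the past, so exceptions get reviewed rather than accumulating. The sample file is constructed; the rule ids in it other than the one shown above are placeholders for illustration.

```python
"""Audit tfsec ignore directives in Terraform source.

Added example, not the original notes' code. Recognises the
`#tfsec:ignore:<rule-id>` form used above and the optional
`:exp:YYYY-MM-DD` expiry suffix tfsec supports, and classifies each
directive as ok, expired, or no-expiry.
"""
import re
import sys
from datetime import date

# Rule id, then any colon-separated suffixes (e.g. :exp:2025-01-31).
IGNORE_RE = re.compile(
    r"#\s*tfsec:ignore:(?P<rule>[A-Za-z0-9_-]+)(?P<suffix>(?::[^\s#]+)*)"
)
EXP_RE = re.compile(r":exp:(\d{4}-\d{2}-\d{2})")

# Constructed sample: three resources, each with a different kind of ignore.
SAMPLE_TF = """\
#tfsec:ignore:aws-s3-encryption-customer-key
resource "aws_s3_bucket_server_side_encryption_configuration" "tpcrc" {
  bucket = "example"
}

#tfsec:ignore:aws-s3-enable-bucket-logging:exp:2020-01-01
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
}

#tfsec:ignore:aws-s3-enable-versioning:exp:2099-12-31
resource "aws_s3_bucket" "state" {
  bucket = "example-state"
}
"""


def find_ignores(text: str) -> list:
    """Return one dict per directive: line number, rule id, expiry date or None."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = IGNORE_RE.search(line)
        if not m:
            continue
        exp = EXP_RE.search(m.group("suffix"))
        found.append({
            "line": lineno,
            "rule": m.group("rule"),
            "expires": date.fromisoformat(exp.group(1)) if exp else None,
        })
    return found


def classify(ignore: dict, today: date) -> str:
    """no-expiry: never lapses; expired: tfsec already re-reports it; ok: still valid."""
    if ignore["expires"] is None:
        return "no-expiry"
    if ignore["expires"] < today:
        return "expired"
    return "ok"


def audit(text: str, today: date = None) -> list:
    """(line, rule, status) for every directive in the given source text."""
    today = today or date.today()
    return [(i["line"], i["rule"], classify(i, today)) for i in find_ignores(text)]


def main(argv: list) -> int:
    """Usage: audit_ignores.py [file.tf ...]; audits the sample when no file is given."""
    sources = [(p, open(p, encoding="utf-8").read()) for p in argv[1:]] \
        or [("<sample>", SAMPLE_TF)]
    problems = 0
    for name, text in sources:
        for line, rule, status in audit(text):
            print(f"{name}:{line} {rule} {status}")
            problems += status != "ok"
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A directive without an expiry is the usual way a temporary exception becomes permanent; requiring `:exp:` on every ignore, and running this audit alongside the scan, keeps each suppressed finding on a review calendar.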