https://backend-engineering-strategy-tools.github.io/site/tags/tfsec/Recent content in Tfsec on Backend Engineering Strategy ToolsHugo -- gohugo.ioen-usMon, 08 Jun 2026 00:00:00 +0000https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/iac-scanning/Mon, 08 Jun 2026 00:00:00 +0000https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/iac-scanning/<p>Static analysis for infrastructure code. Scan Terraform, Helm, Kubernetes manifests, Dockerfiles, and CloudFormation before they are applied. The goal is catching misconfigurations — open security groups, missing encryption, public S3 buckets — in the same pipeline that runs your application tests.</p> <p>These tools do not require running infrastructure. They read the source and flag violations against a built-in rule library, with optional custom rule support.</p> <h2 id="checkov">Checkov </h2><p>Checkov is a static analysis tool from Bridgecrew (now Prisma Cloud). Large built-in rule library for Terraform, Helm, Kubernetes, Dockerfiles, GitHub Actions, and more. Custom rules in Python or YAML.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>pip install checkov </span></span><span style="display:flex;"><span><span style="color:#75715e"># or</span> </span></span><span style="display:flex;"><span>brew install checkov </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Scan a Terraform directory</span> </span></span><span style="display:flex;"><span>checkov -d ./infra/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Scan a specific file</span> </span></span><span style="display:flex;"><span>checkov -f main.tf </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Scan Kubernetes manifests</span> </span></span><span style="display:flex;"><span>checkov -d ./k8s/ --framework kubernetes </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Scan a Helm chart</span> </span></span><span style="display:flex;"><span>checkov -d ./charts/myapp/ --framework helm </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Output as JSON</span> </span></span><span style="display:flex;"><span>checkov -d ./infra/ -o json </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Skip specific checks</span> </span></span><span style="display:flex;"><span>checkov -d ./infra/ --skip-check CKV_AWS_20,CKV_AWS_57 </span></span></code></pre></div><p>Output shows passed/failed checks per resource with the check ID, description, and file:line reference.</p> <h3 id="custom-policies-yaml">Custom policies (YAML) </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;Ensure S3 bucket has MFA delete enabled&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">id</span>: <span style="color:#e6db74">&#34;CKV2_AWS_CUSTOM_1&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">category</span>: <span style="color:#e6db74">&#34;ENCRYPTION&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">scope</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">provider</span>: <span style="color:#ae81ff">terraform</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">definition</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">cond_type</span>: <span style="color:#ae81ff">attribute</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">resource_types</span>: [<span style="color:#e6db74">&#34;aws_s3_bucket&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">attribute</span>: <span style="color:#ae81ff">mfa_delete</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">operator</span>: <span style="color:#ae81ff">equals</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">value</span>: <span style="color:#e6db74">&#34;Enabled&#34;</span> </span></span></code></pre></div><h2 id="trivy-iac-mode">Trivy (IaC mode) </h2><p>Trivy is primarily a container image vulnerability scanner, but its <code>--scanners misconfig</code> mode covers IaC. One tool, multiple surfaces — useful when you are already using Trivy for image scanning and want consistent output.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>brew install trivy </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Scan Terraform</span> </span></span><span style="display:flex;"><span>trivy config ./infra/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Scan Kubernetes manifests</span> </span></span><span style="display:flex;"><span>trivy config ./k8s/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Scan a Helm chart</span> </span></span><span style="display:flex;"><span>trivy config ./charts/myapp/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Include severity filter</span> </span></span><span style="display:flex;"><span>trivy config --severity HIGH,CRITICAL ./infra/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># JSON output</span> </span></span><span style="display:flex;"><span>trivy config -f json ./infra/ </span></span></code></pre></div><p>Trivy&rsquo;s IaC rules are sourced from <a class="link" href="https://github.com/aquasecurity/trivy-checks" target="_blank" rel="noopener" >Trivy&rsquo;s built-in checks</a> — the same checks engine used by <code>tfsec</code> (Trivy absorbed <code>tfsec</code> in 2023).</p> <h2 id="tfsec">tfsec </h2><p><code>tfsec</code> was a standalone Terraform-focused scanner, now maintained as part of Trivy. The standalone CLI still works and is simpler if you only scan Terraform.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>brew install tfsec </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>tfsec ./infra/ </span></span><span style="display:flex;"><span>tfsec ./infra/ --severity HIGH </span></span><span style="display:flex;"><span>tfsec ./infra/ --format json </span></span></code></pre></div><p>Most teams migrating from <code>tfsec</code> to Trivy get equivalent coverage with <code>trivy config</code>.</p> <h2 id="comparison">Comparison </h2><table> <thead> <tr> <th></th> <th>Checkov</th> <th>Trivy config</th> </tr> </thead> <tbody> <tr> <td>Terraform</td> <td>Yes</td> <td>Yes</td> </tr> <tr> <td>Kubernetes</td> <td>Yes</td> <td>Yes</td> </tr> <tr> <td>Helm</td> <td>Yes</td> <td>Yes</td> </tr> <tr> <td>Dockerfile</td> <td>Yes</td> <td>Yes</td> </tr> <tr> <td>GitHub Actions</td> <td>Yes</td> <td>No</td> </tr> <tr> <td>Custom rules</td> <td>Python / YAML</td> <td>Rego</td> </tr> <tr> <td>Also scans</td> <td>—</td> <td>Container images, Git secrets, SBOMs</td> </tr> <tr> <td>Maintained by</td> <td>Prisma Cloud</td> <td>Aqua Security</td> </tr> </tbody> </table> <p>For a team already using Trivy for image scanning, extending to IaC with <code>trivy config</code> keeps the toolchain simple. Checkov&rsquo;s advantage is the broader coverage (GitHub Actions, Bitbucket Pipelines) and more mature custom rule support.</p> <h2 id="in-ci">In CI </h2><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#75715e"># GitHub Actions — Trivy IaC scan</span> </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Trivy IaC scan</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">uses</span>: <span style="color:#ae81ff">aquasecurity/trivy-action@master</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">with</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">scan-type</span>: <span style="color:#ae81ff">config</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">scan-ref</span>: <span style="color:#ae81ff">./infra/</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">severity</span>: <span style="color:#ae81ff">HIGH,CRITICAL</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">exit-code</span>: <span style="color:#ae81ff">1</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#75715e"># GitHub Actions — Checkov</span> </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Checkov scan</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">uses</span>: <span style="color:#ae81ff">bridgecrewio/checkov-action@master</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">with</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">directory</span>: <span style="color:#ae81ff">infra/</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">framework</span>: <span style="color:#ae81ff">terraform</span> </span></span></code></pre></div><h2 id="resources">Resources </h2><ul> <li><a class="link" href="https://www.checkov.io/1.Welcome/What%20is%20Checkov.html" target="_blank" rel="noopener" >Checkov documentation</a></li> <li><a class="link" href="https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/" target="_blank" rel="noopener" >Trivy misconfig scanning</a></li> <li><a class="link" href="https://github.com/aquasecurity/trivy-checks" target="_blank" rel="noopener" >Trivy-checks (rule library)</a></li> <li><a class="link" href="https://github.com/bridgecrewio/checkov" target="_blank" rel="noopener" >Checkov GitHub</a></li> </ul>