2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail how to use TFsec to scan your Terraform code for security issues. The content of the article is of high quality, so the editor shares it here as a reference. I hope you will have a better understanding of the topic after reading it.
TFsec
TFsec is a security scanning tool for Terraform code that performs static analysis on Terraform templates and detects potential security issues. The current version of TFsec supports Terraform v0.12+.
Function introduction
Checks for sensitive data included in the code, across all providers
Checks whether the target code violates AWS, Azure, and GCP security best practice recommendations
Scans modules (currently only local modules are supported)
Evaluates expressions as well as literal values
Evaluates Terraform functions, such as concat()
Tool installation
Researchers can use the following utilities to install TFsec.
Install with Brew or Linuxbrew:
brew install tfsec
Install with Chocolatey:
choco install tfsec
In addition, we can visit the Releases page of the project's GitHub repository and download the tool for our own system platform.
Of course, we can also use go get to install the tool:
go get -u github.com/tfsec/tfsec/cmd/tfsec
Tool usage
TFsec can scan a specified directory, and if you do not specify a directory to scan, TFsec will scan the current working directory. If TFsec finds a security problem, the exit status will be non-zero, otherwise the exit status will be zero:
tfsec .
Docker usage
If you don't want to install and run TFsec on your system, you can also choose to run TFsec in a Docker container:
docker run --rm -it -v "$(pwd):/src" liamg/tfsec /src
Disabling checks
In some cases, we may need to exclude certain checks from a run. We can do this by adding a parameter to the command, such as -e CHECK1,CHECK2, etc.:
tfsec . -e GEN001,GCP001,GCP002
Getting values from .tfvars
We can also get values from a tfvars file during the scan, such as:
--tfvars-file terraform.tfvars
Running in CI
TFsec can run in a CI pipeline, and if a potential security problem is detected, the tool will exit with a non-zero exit code. If you do not want the output highlighted in color, you can also use the following parameter:
--no-colour
Output options
TFsec can output its results as JSON, CSV, Checkstyle, Sarif, JUnit, or a plain human-readable format. The format is specified with the --format parameter.
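The following CI gate is an added example, not part of the original article or the tfsec project. It combines the options described above (-e, --tfvars-file, --no-colour, --format) with the exit status; the function names, the default file names and the exclusions-file layout (one `CHECK_ID reason` per line) are assumptions.

```shell
#!/bin/sh
# Added example: CI gate built from the tfsec options shown in the article.
# Function names, file names and the exclusions-file layout are assumptions.

# Turn an exclusions file ("CHECK_ID reason" per line, '#' for comments) into
# the comma-separated list that -e expects. An entry without a reason is
# rejected, so every suppressed check stays documented and reviewable.
build_exclusions() {
    list=""
    [ -f "$1" ] || return 0
    while read -r id reason || [ -n "$id" ]; do
        case $id in ''|\#*) continue ;; esac
        if [ -z "$reason" ]; then
            echo "exclusion $id has no justification" >&2
            return 2
        fi
        list="${list:+$list,}$id"
    done < "$1"
    printf '%s' "$list"
}

# Scan a directory, keep a JUnit report for the CI system, and propagate
# tfsec's exit status (non-zero means findings) so the pipeline step fails.
tfsec_gate() {
    dir=${1:-.}
    excl_file=${2:-.tfsec-exclusions}
    vars_file=${3:-terraform.tfvars}
    report=${4:-tfsec-report.xml}

    excl=$(build_exclusions "$excl_file") || return 2

    set -- "$dir" --no-colour --format junit
    if [ -n "$excl" ]; then set -- "$@" -e "$excl"; fi
    if [ -f "$vars_file" ]; then set -- "$@" --tfvars-file "$vars_file"; fi

    status=0
    tfsec "$@" > "$report" || status=$?
    if [ "$status" -ne 0 ]; then
        echo "tfsec exited with $status, failing the build (see $report)" >&2
    fi
    return "$status"
}

# In a CI step: tfsec_gate . .tfsec-exclusions terraform.tfvars tfsec-report.xml
```

Keeping the exclusions file in the repository means any newly suppressed check shows up in code review together with its justification.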
GitHub Security Alert
If you want to integrate with GitHub security alerts, you can use the tfsec-sarif-action GitHub Action to run the static analysis and upload the results to the GitHub security alerts tab.
Screenshot of tool running
So much for sharing about how to use TFsec to scan your Terraform code safely. I hope the above can be helpful and learn more. If you think the article is good, you can share it for more people to see.