Securing your Terraform IaC with tfsec

Created on 2025-07-16 18:53
Published on 2025-07-17 15:30
Hello everyone,
Hope you all are doing well. I'm back with another exciting blog on securing your Terraform IaC with tfsec. In this blog we will learn about -
✅ Scanning Terraform projects with tfsec
🔁 Blocking PRs with GitHub Actions
Let's dive in!

tfsec is an open-source security scanner for Terraform created by Aqua Security. It inspects your code for:
Misconfigured resources
Insecure defaults
Compliance issues (CIS, PCI, NIST, etc.)
And most importantly, it integrates smoothly into local dev workflows and CI/CD pipelines.
Let's see how exactly it works!
For a brief demonstration, let's intentionally create a Terraform configuration with deliberate misconfigurations and insecure default settings, to illustrate the security pitfalls that can arise from improper infrastructure-as-code practices.

main.tf

s3 module

security group module
Now, let's install tfsec.

Though I had previously installed it

Now, let's run a scan locally -
Now, let's write a simple GitHub Action to utilize tfsec. For that, create a .github folder, and inside it create a workflows folder. After that, create a tfsec.yaml file there.
Let's see how it works when it is triggered.
Now, since we want to enforce this on every Pull Request to the main branch, we will create a branch protection rule.

Or you can create it from the UI as well.

Now we will be able to see it running on every PR, and if it doesn't pass, you won't be able to merge.
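Here is a workflow of the kind described above, written as an added example for this post rather than the author's own tfsec.yaml. It assumes the public aquasecurity/tfsec-action (the version tag is an assumption; pin the one you verify) and that the Terraform code lives at the repository root; the job name "tfsec" is the status check name you would select in the branch protection rule.

```yaml
# .github/workflows/tfsec.yaml (added example, not the author's file)
name: tfsec

# Run on every pull request targeting main, and on pushes to main itself.
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

# The scanner only needs to read the repository contents.
permissions:
  contents: read

jobs:
  tfsec:
    # This job name is the status check that branch protection requires.
    name: tfsec
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repository
        uses: actions/checkout@v4

      - name: Run tfsec
        # Version tag is an assumption; pin the tag you have verified.
        uses: aquasecurity/tfsec-action@v1.0.0
        with:
          # Directory containing the Terraform configuration (assumed: repo root).
          working_directory: .
          # soft_fail: false makes any finding fail the job, which is what
          # blocks the merge once the check is required on the branch.
          soft_fail: false
```

With soft_fail left at false, a single misconfiguration such as the S3 and security group examples above fails the check and the PR cannot be merged until it is fixed.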

Now, one more feature is to use the tfsec-commenter GitHub Action as well. We will see that in the next blog.


Screenshot from the official Aqua Security repo.
Another way is to use the VS Code extension -

That's it for this blog. See you all soon!
Thanks,
Regards,
Sankalp Sandeep Paranjpe