Menu

tfsec: Static analysis powered security scanner for your terraform code

Comments Off on tfsec: Static analysis powered security scanner for your terraform code
scan terraform code

tfsec

tfsec uses static analysis of your terraforms templates to spot potential security issues. Now with terraform v0.12+ support.

Features

  • Checks for sensitive data inclusion across all providers
  • Checks for violations of AWS, Azure and GCP security best practice recommendations
  • Scans modules (currently only local modules are supported)
  • Evaluates expressions as well as literal values

scan terraform code

Included Checks

Currently, checks are mostly limited to AWS/Azure/GCP resources, but there are also checks which are provider agnostic.

CodeProviderDescription
GEN001*Potentially sensitive data stored in “default” value of variable.
GEN002*Potentially sensitive data stored in local value.
GEN003*Potentially sensitive data stored in block attribute.
AWS001awsS3 Bucket has an ACL defined which allows public access.
AWS002awsS3 Bucket does not have logging enabled.
AWS003awsAWS Classic resource usage.
AWS004awsUse of plain HTTP.
AWS005awsLoad balancer is exposed to the internet.
AWS006awsAn ingress security group rule allows traffic from /0.
AWS007awsAn egress security group rule allows traffic to /0.
AWS008awsAn inline ingress security group rule allows traffic from /0.
AWS009awsAn inline egress security group rule allows traffic to /0.
AWS010awsAn outdated SSL policy is in use by a load balancer.
AWS011awsA resource is marked as publicly accessible.
AWS012awsA resource has a public IP address.
AWS013awsTask definition defines sensitive environment variable(s).
AWS014awsLaunch configuration with unencrypted block device.
AWS015awsUnencrypted SQS queue.
AWS016awsUnencrypted SNS topic.
AWS017awsUnencrypted S3 bucket.
AWS018awsMissing description for security group/security group rule.
AZU001azurermAn inbound network security rule allows traffic from /0.
AZU002azurermAn outbound network security rule allows traffic to /0.
AZU003azurermUnencrypted managed disk.
AZU004azurermUnencrypted data lake store.
AZU005azurermPassword authentication in use instead of SSH keys.
GCP001googleUnencrypted compute disk.
GCP002googleUnencrypted storage bucket.
GCP003googleAn inbound firewall rule allows traffic from /0.
GCP004googleAn outbound firewall rule allows traffic to /0.

Install && Use

Copyright (c) 2019 Liam Galvin

Share on Facebook

Share on Twitter

The post tfsec: Static analysis powered security scanner for your terraform code appeared first on Penetration Testing.

Related Articles

ABOUT US

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Our primary focus revolves around the latest tools released in the Infosec community and provide a platform for developers to showcase their skillset and current projects.

COMPANY
Menu
Live Chat
RESOURCES
Menu
Get Started
TOOLBOX
Menu
Tools Directory

2014 – 2019 | Haxf4rall.com               Stay Connected:

Facebook Twitter Instagram Youtube
Do NOT follow this link or you will be banned from the site!