Question 1

Should I use tfsec or Trivy for Terraform security scanning?

Accepted Answer

Aqua Security recommends migrating to Trivy, which includes tfsec's scanning engine plus support for more languages and integrations. For new projects, Trivy is the better long-term choice due to active development.

Question 2

How to ignore a false positive warning in tfsec?

Accepted Answer

Add a comment like #tfsec:ignore:<rule_id> on the line with the issue or above the resource block. You can also set expiration dates (e.g., :exp:2025-01-02) to ensure ignores are temporary.

Question 3

Does tfsec work with private Terraform module registries?

Accepted Answer

Yes, tfsec can scan remote modules, but you may need to configure authentication for private registries. The README confirms it scans both local and remote modules.

Question 4

Can I integrate tfsec into GitHub Actions for automated checks?

Accepted Answer

Yes, use the tfsec-pr-commenter-action for PR comments or tfsec-sarif-action for uploading results to GitHub Security Alerts, as mentioned in the README's CI integration section.

Question 5

How accurate is tfsec compared to Checkov?

Accepted Answer

tfsec is praised for its deep Terraform-specific analysis, which can improve accuracy by evaluating HCL expressions. However, rule coverage and false positive rates vary by provider and use case.

Question 6

Is tfsec still receiving updates for new cloud services?

Accepted Answer

While updates may occur, the README states engineering attention is directed at Trivy, so new checks or features are less likely to be added to tfsec over time.

tfsec

What is tfsec?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions