Question 1

How do I ignore a specific warning in tfsec?

Accepted Answer

Add a comment like `#tfsec:ignore:<rule>` on the offending line or above the block. You can also set expiration dates, e.g., `#tfsec:ignore:aws-s3-enable-bucket-encryption:exp:2025-01-02`, as explained in the 'Ignoring Warnings' section.

Question 2

tfsec vs Trivy: which one should I use for Terraform scanning?

Accepted Answer

Trivy is the recommended successor, offering the same Terraform scanning engine plus additional languages and integrations. tfsec is being phased out, so for new projects, Trivy is better for long-term support, per the migration guide.

Question 3

Does tfsec work with Azure DevOps pipelines?

Accepted Answer

Yes, there's an official tfsec task available in the Azure DevOps Marketplace, allowing easy integration into CI/CD workflows, as mentioned in the 'Use as an Azure DevOps Pipelines Task' section.

Question 4

Can tfsec scan remote Terraform modules?

Accepted Answer

Yes, tfsec scans both local and remote Terraform modules, evaluating their configurations for security misconfigurations, as highlighted in the features list.

Question 5

How to output tfsec results in JSON format?

Accepted Answer

Use the `--format json` flag when running tfsec to get results in JSON, which is useful for programmatic processing or integration with other tools, detailed in the 'Output options' section.

Question 6

Is tfsec still maintained since it's moving to Trivy?

Accepted Answer

tfsec remains available but is in maintenance mode; active development has shifted to Trivy. For new features and long-term viability, transitioning to Trivy is advised, as per the migration note.

tfsec

What is tfsec?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions