Question 1

How do I ignore a specific warning in tfsec?

Accepted Answer

Add a comment like `#tfsec:ignore:<rule>` on the line with the issue or above the block. You can ignore multiple rules by concatenating them, and set expiration dates with `:exp:yyyy-mm-dd`. For example, `#tfsec:ignore:aws-s3-enable-bucket-encryption:exp:2025-01-02`.

Question 2

tfsec vs Checkov: which is better for Terraform security?

Accepted Answer

tfsec is specialized for Terraform with deep HCL analysis and faster scanning, while Checkov supports multiple IaC tools but may be less optimized for Terraform. Choose tfsec for Terraform-only projects needing speed, or Checkov for mixed environments.

Question 3

Can tfsec scan remote Terraform modules?

Accepted Answer

Yes, tfsec can scan both local and remote Terraform modules, evaluating their configurations for security misconfigurations. This is a key feature mentioned in the overview, ensuring comprehensive coverage.

Question 4

How to integrate tfsec into a GitHub Actions workflow?

Accepted Answer

Use the tfsec-pr-commenter-action or tfsec-sarif-action from the GitHub Marketplace. These actions run tfsec and can comment on pull requests or upload SARIF reports to GitHub Security Alerts for visibility.

Question 5

What output formats does tfsec support?

Accepted Answer

tfsec supports multiple formats including lovely (human-readable), JSON, SARIF, CSV, CheckStyle, JUnit, and text. Specify the format with the `--format` flag, making it easy to integrate with various reporting tools.

Question 6

Is tfsec still maintained after the Trivy migration announcement?

Accepted Answer

According to the README, tfsec will remain available but engineering attention is directed at Trivy. It's recommended to transition to Trivy for long-term support, more features, and broader ecosystem integrations.

TFSec

What is TFSec?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions