tfsec: The Terraform Security Scanner That Became Trivy
Hook
tfsec was so successful at catching Terraform security issues that its creators deprecated it—not because it failed, but because its DNA now powers something bigger.
Context
Before tfsec, Terraform security scanning was a fragmented landscape. Teams either wrote brittle shell scripts to grep for hardcoded credentials, relied on generic linters that couldn’t understand HCL semantics, or paid for commercial platforms. The fundamental problem was that Terraform isn’t just configuration text—it’s a declarative programming language with expressions, functions, module composition, and complex interpolation. A tool that treated it like YAML would miss resource relationships, fail to evaluate terraform functions like concat(), and generate false positives on dynamic values.
Aqua Security built tfsec specifically to understand Terraform as a language, not as text files. Written in Go for speed and portability, it could parse HCL into an abstract syntax tree, evaluate expressions in context, trace dependencies between resources, and apply security rules that understood cloud provider semantics. It accumulated nearly 7,000 GitHub stars and became Thoughtworks’ recommended tool for Terraform security—rated ‘Adopt’ in their influential Tech Radar. Then Aqua Security announced tfsec would transition into Trivy, their flagship security scanner. This wasn’t an abandonment—it was a promotion. tfsec’s architecture proved so effective that it became the foundation for multi-purpose security scanning.
Technical Insight
tfsec’s architecture reveals why it succeeded where text-based scanners failed. At its core, it’s built on three layers: HCL parsing, expression evaluation, and rule execution.
The parser doesn’t just tokenize Terraform files—it builds a complete abstract syntax tree that preserves semantic relationships. When you run tfsec on a directory, it recursively discovers all .tf files, resolves module sources (including remote modules from the Terraform Registry or Git), and constructs a dependency graph. This graph is crucial because security issues often span resources. For example, an S3 bucket without encryption is only a problem if it’s publicly accessible—tfsec can evaluate both resources together.
The expression evaluator is what separates tfsec from glorified grep tools. Consider this Terraform code:
resource "aws_security_group" "app" {
name = "app-sg"
ingress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = concat(var.internal_cidrs, ["0.0.0.0/0"])
}
}A naive scanner sees cidr_blocks as an expression and can’t determine if it’s dangerous. tfsec evaluates the concat() function, recognizes that “0.0.0.0/0” appears in the array regardless of var.internal_cidrs, and flags this as a security issue. It understands Terraform’s built-in functions, which is critical for evaluating security-relevant contexts.
The rule engine supports two paradigms: built-in Go-based checks and custom Rego policies. The built-in rules cover hundreds of scenarios across AWS, Azure, GCP, and other cloud providers. The tool provides contextual output including impact analysis and remediation guidance.
tfsec supports multiple output formats: the default ‘lovely’ format for human readability, JSON for CI/CD integration, SARIF for GitHub Code Scanning, JUnit XML for test reporting, CSV, CheckStyle, and others. This flexibility makes it compatible with diverse development workflows.
For organization-specific requirements, you can write custom policies in Rego, the policy language from Open Policy Agent. This allows encoding company standards beyond generic cloud security checks.
Performance was a design priority. tfsec is described as “very fast, capable of quickly scanning huge repositories.” The Go implementation with minimal dependencies means a single static binary with no runtime requirements—critical for CI/CD environments.
Gotcha
The elephant in the room is that tfsec is no longer actively developed, with engineering effort redirected to Trivy. The README states tfsec “will continue to remain available for the time being, although our engineering attention will be directed at Trivy going forward.” This creates uncertainty for long-term planning, though existing releases continue to work.
The inline ignore mechanism, while functional, creates technical debt. When you suppress a finding with a comment like #tfsec:ignore:aws-vpc-no-public-ingress-sgr, you’re embedding tool-specific directives into infrastructure code. If you later migrate to Trivy or another scanner, these comments become noise. The alternative—using configuration files for exemptions—is better for maintainability but requires more setup.
Another limitation is Terraform-specific scope. tfsec only scans Terraform HCL. If your infrastructure includes CloudFormation templates, Kubernetes manifests, Dockerfiles, or Helm charts, you need additional tools. This was the strategic driver for migrating tfsec’s engine into Trivy, which scans all those formats plus container images and application dependencies. For teams with heterogeneous infrastructure-as-code, running multiple specialized scanners creates integration friction.
Verdict
Use if: You have existing CI/CD pipelines deeply integrated with tfsec and need time to plan a migration. The tool still works excellently for pure Terraform environments, and if you’re already getting value from it, there’s no emergency. Also consider it if you’re evaluating Trivy and want to understand the Terraform scanning capabilities in isolation—tfsec represents the same engine with a simpler surface area to learn.
Skip if: You’re starting a new project or building security scanning from scratch. Go directly to Trivy, which provides the same Terraform analysis engine plus container scanning, additional IaC format support, and active development. The README explicitly encourages transitioning to Trivy for “the same excellent Terraform scanning engine, with some extra benefits” including access to more languages, richer integrations, and commercial support. For new implementations, the migration overhead isn’t justified when Trivy is the official successor from the same team.
