
Thursday, February 3, 2022

How to use tfsec

What is tfsec

Tfsec is a static analysis tool for Terraform. It scans all of the Terraform files in a project and reports misconfigurations, along with suggestions you can apply to improve the security posture of your infrastructure.

You can run tfsec locally as well as in a GitHub Action.


1. Run tfsec locally

To run tfsec locally, you first need to install it on your system.

To install tfsec using brew, use the command below:

>> brew install tfsec

After that, run tfsec from the root directory of your Terraform project:

>> tfsec

The terminal then lists every issue tfsec reported.


2. Run tfsec in a GitHub Action

To run tfsec in a GitHub Action, follow the steps below.

Step 1

Create a tfsec.yml file in the .github/workflows/ directory of your repository.

Step 2

Add the code below to the tfsec.yml file:


name: tfsec

on:
  push:
    branches:
      - main
  pull_request:

jobs:
  tfsec:
    name: Terraform Security Scan and PR Commenter
    runs-on: ubuntu-latest

    steps:
      - name: Clone repo
        uses: actions/checkout@master

      - name: Pull Request Commenter
        if: ${{ github.event_name == 'pull_request' }}
        uses: aquasecurity/tfsec-pr-commenter-action@v1.0.2
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}

      - name: Terraform security scan
        uses: aquasecurity/tfsec-action@v1.0.0
        with:
          format: json


Code Explanation

  • name:
    • The name key assigns a name to your workflow.
  • on:
    • The on key specifies when the workflow is triggered.
    • It can list a single event or multiple events that trigger the workflow; here it is a push to the main branch and any pull request.
  • jobs:
    • A job is a set of steps that together build the workflow.
    • A single workflow can define one or more jobs.
    • The properties used to build a job are:
      • name:
        • The display name of the job.
      • runs-on:
        • Defines which virtual environment (runner) the job runs on; here ubuntu-latest.
      • steps:
        • The ordered list of actions or commands the job executes, such as running tests or building the project.

 

GitHub Action explanation

1. aquasecurity/tfsec-pr-commenter-action
  • This action adds a comment to the pull request for each tfsec check that failed.
  • An example of a pull request comment posted by the tfsec bot is shown below.

2. aquasecurity/tfsec-action
  • This GitHub Action runs tfsec against your whole project inside the workflow and produces output in formats such as JSON, CSV and many more.
  • An example of the issues tfsec reports in a GitHub Action is shown below.

               

 

Step 3

Commit the changes. Your project is now set up to run static analysis of its Terraform code with tfsec.

Step 4

If you want certain checks to be ignored in the GitHub Action, there are two ways to do that.

    1. Using ignore comments

You can put an ignore comment directly above the resource block. This tells tfsec that you are aware of the trade-off for that resource, and the particular check will be ignored for that resource only.

Example
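As an added example (not code from the original post), a Terraform file carrying tfsec ignore comments in the per-resource form described above. The check IDs are real tfsec v1 S3 check IDs; the bucket names are constructed placeholders.

```hcl
# Added example, not from the original post. Check IDs are tfsec v1 IDs for
# S3; bucket names are placeholders.

# The ignore comment sits directly above the block it applies to and names
# the check ID exactly as tfsec prints it. Here the bucket that receives
# access logs is itself exempted from the "enable bucket logging" check,
# a common accepted risk (logging the log bucket would loop).
#tfsec:ignore:aws-s3-enable-bucket-logging
resource "aws_s3_bucket" "access_logs" {
  bucket = "example-access-logs" # placeholder name
}

# An ignore may carry an expiry date. After that date tfsec reports the
# finding again, so a temporary exception cannot silently become permanent.
#tfsec:ignore:aws-s3-enable-versioning:exp:2022-12-31
resource "aws_s3_bucket" "scratch" {
  bucket = "example-scratch" # placeholder name
}

# Any other check still fires for these resources: for example, neither
# bucket above has server-side encryption configured, so
# aws-s3-enable-bucket-encryption is still reported until it is fixed here.
```

For the second option (ignoring globally), the same check IDs are passed to the scan step instead, e.g. `additional_args: --exclude aws-s3-enable-bucket-logging` on the aquasecurity/tfsec-action step; additional_args is an input of that action and --exclude is tfsec's own flag.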

    2. Ignore a few checks globally

We can also ignore some tfsec checks globally. If we pass those check IDs as additional arguments in the .github/workflows/tfsec.yml file, they are ignored for the whole repository.


   

Important Note

Tfsec recently upgraded its major version, and with it changed its rule IDs and documentation. As a result, your existing tfsec GitHub Action checks might not work properly, you might see a lot of new error messages, or previously defined ignore comments might no longer match anything. To solve all of these problems, update tfsec to the latest version and then run the migration command, which rewrites your existing ignore comments to the new rule IDs and brings your project up to date:

>> tfsec --migrate-ignores


Conclusion

In this blog, we learned how to use tfsec locally as well as in GitHub Actions. I hope you find this blog useful. Please let us know in the comments if you have any questions.


Thank you so much Yogita Surve for your support


Happy reading!


