Marcel.L

Terraform - IaC Scanning with TFSEC for VsCode (Extension)

TFSEC Vulnerability Scanner

tfsec is a static analysis security scanner for your Terraform code.

Designed to run locally and in your CI pipelines, developer-friendly output and fully documented checks mean detection and remediation can take place as quickly and efficiently as possible.

tfsec takes a developer-first approach to scanning your Terraform templates; using static analysis and deep integration with the official HCL parser it ensures that security issues can be detected before your infrastructure changes take effect.

Using the TFSEC VsCode extension

In this tutorial we will install tfsec and the tfsec extension for VsCode on the development machine where you write your Terraform code, and show how to scan for vulnerabilities and misconfigurations that could expose your deployments to the risk of attack.

You can easily scan your Terraform configuration artifacts, giving you confidence that all is well with your configuration before committing your code to source control or deploying your Terraform (IaC) configurations. tfsec is a free, open source tool by AquaSecurity. For more information, check out the tfsec GitHub page.

Installing TFSEC

First we need to make sure we have the latest version of tfsec installed on our development machine. There are a couple of ways to do this:

Install with brew/linuxbrew



brew install tfsec



Install with Chocolatey



choco install tfsec



Install with Scoop



scoop install tfsec



You can also grab the binary for your system from the releases page.

Alternatively, install with Go:



go install github.com/aquasecurity/tfsec/cmd/tfsec@latest



Please note that using go install will install directly from the master branch and version numbers will not be reported via tfsec --version.

Installing TFSEC extension for VSCODE

Next, open VsCode, search for the extension called TFSEC under Extensions, and hit the install button.

You should now see the TFSEC logo on your VsCode side bar to the left.

Run TFSEC VsCode extension

Next we will create a simple Terraform configuration and use the extension to inspect for any issues before committing the code to source control.

I created a very basic terraform configuration that will build a resource group and key vault. You can take a look at the configuration here.

After writing your Terraform configuration, navigate to the TFSEC extension on the left of the screen:

Click on the button that says Run tfsec now:


As you can see, my Terraform configurations have been scanned, and the extension has notified me of the issues in my configuration, the severity rating of the issues detected, as well as guidance on remediating them.
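To make the kind of finding concrete, here is an added example (not the author's linked configuration) of a resource group and key vault written with defaults, next to a hardened version. All names, the region and the values are constructed, and the check IDs in the comments, azure-keyvault-specify-network-acl and azure-keyvault-no-purge, are the tfsec checks this example assumes will apply.

```hcl
# Constructed example: names, region and values are illustrative only.
provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "demo" {
  name     = "rg-tfsec-demo"
  location = "uksouth"
}

# Before: no network_acls block, purge protection left at its default (off).
# Expected tfsec findings (assumed check IDs):
#   azure-keyvault-specify-network-acl
#   azure-keyvault-no-purge
resource "azurerm_key_vault" "before" {
  name                = "kv-tfsec-demo-before"
  location            = azurerm_resource_group.demo.location
  resource_group_name = azurerm_resource_group.demo.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
}

# After: the vault denies network access by default and cannot be purged
# during the soft-delete retention window.
resource "azurerm_key_vault" "after" {
  name                = "kv-tfsec-demo-after"
  location            = azurerm_resource_group.demo.location
  resource_group_name = azurerm_resource_group.demo.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  purge_protection_enabled   = true
  soft_delete_retention_days = 90

  network_acls {
    default_action = "Deny"          # allow-list sources via ip_rules or
    bypass         = "AzureServices" # virtual_network_subnet_ids as needed
  }
}
```

Note that `purge_protection_enabled` cannot be turned off again once it has been applied to a vault, so decide on it before the first deployment.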


I hope you have enjoyed this post and have learned something new. You can find the code samples used in this blog post on my GitHub page. ❤️


Top comments (1)

Owen Rumney

Nice post, thanks!
