DEV Community

Cover image for Terraform - IaC Scanning with TFSEC for VsCode (Extension)
Marcel.L
Marcel.L

Posted on • Edited on

Terraform - IaC Scanning with TFSEC for VsCode (Extension)

TFSEC Vulnerability Scanner

tfsec is a static analysis security scanner for your Terraform code.

Designed to run locally and in your CI pipelines, developer-friendly output and fully documented checks mean detection and remediation can take place as quickly and efficiently as possible.

tfsec takes a developer-first approach to scanning your Terraform templates; using static analysis and deep integration with the official HCL parser it ensures that security issues can be detected before your infrastructure changes take effect.

Using the TFSEC VsCode extension

In this tutorial we will go through how to install tfsec and the tfsec extension for VsCode on your development machine where you are developing and writing your Terraform code, and show how you can scan and detect for any vulnerabilities or misconfigurations to detect potential issues that expose your deployments to the risk of attack.

You can scan your Terraform configuration artifacts easily giving you the confidence that all is well with your configuration before committing your code to source control / deploying your Terraform (IaC) configurations. It is a free/open source tool by AquaSecurity. For more information go check out the Tfsec github page

Installing TFSEC

First we need to make sure we have the latest version of tfsec installed on our development machine. There are a couple of ways to do this:

Install with brew/linuxbrew



brew install tfsec


Enter fullscreen mode Exit fullscreen mode

Install with Chocolatey



choco install tfsec


Enter fullscreen mode Exit fullscreen mode

Install with Scoop



scoop install tfsec


Enter fullscreen mode Exit fullscreen mode

You can also grab the binary for your system from the releases page.

Alternatively, install with Go:



go install github.com/aquasecurity/tfsec/cmd/tfsec@latest


Enter fullscreen mode Exit fullscreen mode

Please note that using go install will install directly from the master branch and version numbers will not be reported via tfsec --version.

Installing TFSEC extension for VSCODE

The next step is to just open up VsCode and under extensions you can search for the extension called TFSEC and hit the install button.

image.png

You should now see the TFSEC logo on your VsCode side bar to the left.

Run TFSEC VsCode extension

Next we will create a simple Terraform configuration and use the extension to inspect for any issues before committing the code to source control.

I created a very basic terraform configuration that will build a resource group and key vault. You can take a look at the configuration here.

After writing you terraform configuration navigate to the TFSEC extension on the left of the screen:

image.png

Click on the button that says Run tfsec now:

image.png

As you can see my Terraform configurations have been scanned and notified me of what issues are in my configuration, the severity rating of the issues detected, as well as guidance on remediating the issues.

image.png

I hope you have enjoyed this post and have learned something new. You can find the code samples used in this blog post on my GitHub page. ❤️

Author

Like, share, follow me on: 🐙 GitHub | 🐧 X/Twitter | 👾 LinkedIn

Top comments (1)

Collapse
 
owenrumney profile image
Owen Rumney

Nice post, thank!