Demo

Using tfsec to Scan Your Terraform Code

This talk will cover using tfsec to scan .tf and .tf.json files to guard against misconfigurations. It will also cover using the tfsec VSCode extension and GitHub Actions to shift left and catch issues early.

As more and more teams use infrastructure as code to get consistent, repeatable deployment of infrastructure, it is becoming increasingly important to guard against misconfigurations creeping into the release.

This talk will cover using tfsec to scan .tf and .tf.json files for such issues. It will also cover using the tfsec VSCode extension and GitHub Actions to shift left and catch issues early.

Rough breakdown:
- Introduction to why tfsec exists and the background (<5 mins)
- Scanning your files - with demo
- tfsec advanced features (~10 mins)
  - Custom checks (satisfying your company's compliance requirements)
  - Ignoring checks (expiry, workspace filtering)
- Shifting left (~10 mins)
  - VSCode extension
  - GitHub Actions
- Questions (~5 mins)

Attendees will leave with an understanding that misconfiguration carries risks, and they will learn about a tool that can support them. Even if they go on to use another static analysis tool, they will have been prompted to be more vigilant.
