Demo

Using tfsec to Scan Your Terraform Code

This talk will cover using tfsec to scan .tf and .tf.json files to guard against misconfigurations . It will also cover using the the tfsec VSCode extension and GitHub actions to shift-left and catch issues early.

As more and more teams are using infrastructure as code to ensure they have consistent, repeatable deployment of infrastructure, it is becoming increasingly important to guard against mis-configurations creeping into the release.

This talk will cover using tfsec to scan .tf and .tf.json files for such issues. It will also cover using the the tfsec VSCode extension and GitHub actions to shift left and catch issues early.

Rough breakdown:
- Introduction to why tfsec exists and the background (<5mins)
- Scanning your files - with demo
- tfsec advanced features (~10mins)
- Custom checks (satisfying your companies compliance requirements)
- Ignoring checks (expiry, workspace filtering)
- Shifting left (~10mins)
- VSCode extension
- GitHub actions
- Questions (~5mins)

The attendee will leave with an understanding that there are risks to misconfiguration and they will learn about a tool that can support them. Even if they go on to use another static analysis tool, they will have been prompted to be more vigilant.

More resources like this one