Demo

Using tfsec to Scan Your Terraform Code

Published 5:00 PM UTC Mar 22, 2022

This talk will cover using tfsec to scan .tf and .tf.json files to guard against misconfigurations . It will also cover using the the tfsec VSCode extension and GitHub actions to shift-left and catch issues early.

As more and more teams are using infrastructure as code to ensure they have consistent, repeatable deployment of infrastructure, it is becoming increasingly important to guard against mis-configurations creeping into the release.

This talk will cover using tfsec to scan .tf and .tf.json files for such issues. It will also cover using the the tfsec VSCode extension and GitHub actions to shift left and catch issues early.

Rough breakdown:
- Introduction to why tfsec exists and the background (<5mins)
- Scanning your files - with demo
- tfsec advanced features (~10mins)
- Custom checks (satisfying your companies compliance requirements)
- Ignoring checks (expiry, workspace filtering)
- Shifting left (~10mins)
- VSCode extension
- GitHub actions
- Questions (~5mins)

The attendee will leave with an understanding that there are risks to misconfiguration and they will learn about a tool that can support them. Even if they go on to use another static analysis tool, they will have been prompted to be more vigilant.

Sign up for the latest HashiCorp news

More resources like this one

3/15/2023Presentation

Advanced Terraform techniques

2/3/2023Case Study

Automating Multi-Cloud, Multi-Region Vault for Teams and Landing Zones

2/1/2023Case Study

Should My Team Really Need to Know Terraform?

1/20/2023Case Study

Packaging security in Terraform modules

View all resources