tfsec <command>

Tfsec is a simple tool to detect potential security vulnerabilities in your terraformed infrastructure

Arguments

Name                              Description
command                           folders

Options

Name                              Description
--concise-output                  Reduce the amount of output and omit statistics
--config-file <command>           Config file to use during run
--custom-check-dir <command>      Explicitly set the custom checks dir location
--debug                           Enable debug logging (same as verbose)
-G, --disable-grouping            Disable grouping of similar results
-e, --exclude <command>           Provide comma-separated list of rule IDs to exclude from run
--exclude-downloaded-modules      Remove results for downloaded modules in .terraform folder
--exclude-path <command>          Folder path to exclude, can be used multiple times and is evaluated in order of specification
--filter-results <command>        Filter results to return specific checks only (supports comma-delimited input)
--force-all-dirs                  Don't search for tf files, include everything below provided directory
-f, --format <command>            Select output format: default, json, csv, checkstyle, junit, sarif. To use multiple formats, separate with a comma and specify a base output filename with --out. A file will be written for each type. The first format will additionally be written to stdout
-h, --help                        Help for tfsec
--ignore-hcl-errors               Stop and report an error if an HCL parse error is encountered
--include-ignored                 Include ignored checks in the result output
--include-passed                  Include passed checks in the result output
--migrate-ignores                 Migrate ignore codes to the new ID structure
-m, --minimum-severity <command>  The minimum severity to report. One of CRITICAL, HIGH, MEDIUM, LOW
--no-color                        Disable colored output (American style!)
--no-colour                       Disable coloured output
--no-ignores                      Do not apply any ignore rules - normally ignored checks will fail
--no-module-downloads             Do not download remote modules
-O, --out <command>               Set output file. This filename will have a format descriptor appended if multiple formats are specified with --format
--print-rego-input                Print a JSON representation of the input supplied to rego policies
--rego-policy-dir <command>       Directory to load rego policies from (recursively)
--run-statistics                  View statistics table of current findings
--single-thread                   Run checks using a single thread
-s, --soft-fail                   Runs checks but suppresses error code
--tfvars-file <command>           Path to .tfvars file, can be used multiple times and is evaluated in order of specification
--update                          Update to latest version
--verbose                         Enable verbose logging (same as debug)
-v, --version                     Show version information and exit
-W, --workspace <command>         Specify a workspace for ignore limits (default "default")