tfsec <directory>

Tfsec is a simple tool to detect potential security vulnerabilities in your terraformed infrastructure.




--concise-output                          Reduce the amount of output and no statistics
--config-file <config-file>               Config file to use during run
--custom-check-dir <custom-check-dir>     Explicitly set the custom checks dir location
--debug                                   Enable debug logging (same as verbose)
-G, --disable-grouping                    Disable grouping of similar results
-e, --exclude <excludeList>               Provide comma-separated list of rule IDs to exclude from run
--exclude-downloaded-modules              Remove results for downloaded modules in .terraform folder
--exclude-path <excludePath>              Folder path to exclude, can be used multiple times and evaluated in order of specification
--filter-results <filterResults>          Filter results to return specific checks only (supports comma-delimited input)
--force-all-dirs                          Don't search for tf files, include everything below provided directory
-f, --format <format>                     Select output format: default, json, csv, checkstyle, junit, sarif. To use multiple formats, separate with a comma and specify a base output filename with --out. A file will be written for each type. The first format will additionally be written to stdout
-h, --help                                Help for tfsec
--ignore-hcl-errors                       Stop and report an error if an HCL parse error is encountered
--include-ignored                         Include ignored checks in the result output
--include-passed                          Include passed checks in the result output
--migrate-ignores                         Migrate ignore codes to the new ID structure
-m, --minimum-severity <minimumSeverity>  The minimum severity to report. One of CRITICAL, HIGH, MEDIUM, LOW
--no-color                                Disable colored output (American style!)
--no-colour                               Disable coloured output
--no-ignores                              Do not apply any ignore rules - normally ignored checks will fail
--no-module-downloads                     Do not download remote modules
-O, --out <outputFile>                    Set output file. This filename will have a format descriptor appended if multiple formats are specified with --format
--print-rego-input                        Print a JSON representation of the input supplied to rego policies
--rego-policy-dir <regoPolicyDir>         Directory to load rego policies from (recursively)
--run-statistics                          View statistics table of current findings
--single-thread                           Run checks using a single thread
-s, --soft-fail                           Runs checks but suppresses error code
--tfvars-file <tfvarsFilePath>            Path to .tfvars file, can be used multiple times and evaluated in order of specification
--update                                  Update to latest version
--verbose                                 Enable verbose logging (same as debug)
-v, --version                             Show version information and exit
-W, --workspace <workspace>               Specify a workspace for ignore limits (default "default")