// the find
aquasecurity/tfsec
Tfsec is now part of Trivy
tfsec is a static analysis tool for Terraform that catches security misconfigurations before they reach cloud infrastructure. It's now officially deprecated in favor of Trivy, which absorbed its scanning engine. If you're starting fresh with IaC security scanning, you should go directly to Trivy.
It ships hundreds of built-in rules across AWS, Azure, GCP, Kubernetes, and several smaller providers, with good coverage depth. The inline ignore syntax (`tfsec:ignore:rule-id`) with optional expiration dates is well designed: you can suppress a finding temporarily without forgetting about it. It evaluates HCL expressions and Terraform functions rather than just matching literal strings, which catches misconfigs that simpler pattern matchers miss. SARIF output support means findings integrate directly into GitHub Security Alerts with no extra glue code.
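Expiring ignores only help if someone actually reviews what has been suppressed. As an added example (not tfsec's own code), this Python script extracts every inline ignore from a Terraform file, reads the optional `:exp:YYYY-MM-DD` suffix, and buckets each one as expired, expiring soon, active or permanent; the rule IDs in the constructed sample are illustrative, and it assumes tfsec honours an ignore through its `exp` date.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# tfsec inline ignore: "tfsec:ignore:<rule-id>" plus an optional ":exp:YYYY-MM-DD" suffix.
# Matching the token anywhere on the line covers "#", "//" and "/* */" comment styles.
IGNORE_RE = re.compile(
    r"tfsec:ignore:(?P<rule>[A-Za-z0-9*\-]+)(?::exp:(?P<exp>\d{4}-\d{2}-\d{2}))?")

@dataclass
class Ignore:
    path: str
    line: int
    rule: str
    expires: Optional[date]  # None: the suppression never lapses

def find_ignores(path: str, text: str) -> List[Ignore]:
    """Extract every inline ignore from the contents of one Terraform file."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in IGNORE_RE.finditer(line):
            exp = m.group("exp")
            found.append(Ignore(path, lineno, m.group("rule"),
                                date.fromisoformat(exp) if exp else None))
    return found

def classify(ignores: List[Ignore], today: date, warn_days: int = 30) -> Dict[str, List[Ignore]]:
    """Bucket ignores by expiry state. Assumed semantics: tfsec honours the ignore
    through the exp date and reports the finding again afterwards."""
    report: Dict[str, List[Ignore]] = {"expired": [], "expiring": [], "active": [], "permanent": []}
    for ig in ignores:
        if ig.expires is None:
            report["permanent"].append(ig)  # no deadline: easiest to forget, review first
        elif ig.expires < today:
            report["expired"].append(ig)    # comment is stale; the finding has resurfaced
        elif (ig.expires - today).days <= warn_days:
            report["expiring"].append(ig)   # decide: fix the resource or renew the date
        else:
            report["active"].append(ig)
    return report

# Constructed sample file; the rule IDs are illustrative tfsec-style names.
TODAY_FOR_SAMPLE = date(2024, 6, 1)  # fixed "today" so the sample run is reproducible
SAMPLE_TF = """\
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"  #tfsec:ignore:aws-s3-enable-bucket-encryption:exp:2024-01-31
  #tfsec:ignore:aws-s3-enable-versioning
  //tfsec:ignore:aws-s3-enable-bucket-logging:exp:2024-06-20
  #tfsec:ignore:aws-s3-specify-public-access-block:exp:2030-06-01
}
"""
```

Run `classify(find_ignores("main.tf", SAMPLE_TF), TODAY_FOR_SAMPLE)` to see one entry in each bucket; point `find_ignores` at real `.tf` files to audit a repository.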
It's dead. The README says go use Trivy: new rules, bug fixes, and engineering attention are in that repo now. Adopting tfsec today means inheriting a frozen codebase and eventually migrating anyway. Custom Rego policy support exists, but the documentation is sparse and the examples are minimal, so writing non-trivial custom checks requires reading the source code. It has no awareness of drift between Terraform state and actual cloud resources: it only sees what's written, not what's deployed, so it won't catch misconfigs introduced outside of Terraform.