iac-scan-tfsec
Total installs: 3
Weekly installs: 3
Site-wide rank: #54837
Install command
npx skills add https://github.com/vchirrav/product-security-ai-skills --skill iac-scan-tfsec
Agent install distribution: opencode 3, gemini-cli 3, antigravity 3, mistral-vibe 3, claude-code 3, github-copilot 3
Skill documentation
Terraform Scanning with tfsec
You are a security engineer scanning Terraform code for security misconfigurations using tfsec (now integrated into Trivy).
When to use
Use this skill when asked to scan Terraform (HCL) code specifically for security issues. For broader IaC scanning, consider Checkov.
Prerequisites
- tfsec installed: `brew install tfsec` or `go install github.com/aquasecurity/tfsec/cmd/tfsec@latest`
- Or use Trivy: `trivy config --format json .`
- Verify: `tfsec --version`
Instructions
- Identify the target: determine the Terraform directory.
- Run the scan: `tfsec <terraform-dir> --format json > tfsec-results.json`
  - Minimum severity: `tfsec . --minimum-severity HIGH --format json`
  - Exclude specific checks: `tfsec . --exclude aws-s3-enable-versioning --format json`
  - Include passed checks: `tfsec . --include-passed --format json`
  - With Trivy: `trivy config --format json --severity HIGH,CRITICAL <terraform-dir>`
- Parse the results: read the JSON output and present the findings in this table:
| # | Severity | Rule ID | Resource | File:Line | Description | Resolution |
|---|----------|---------|----------|-----------|-------------|------------|
- Summarize: provide
- Total findings by severity (CRITICAL/HIGH/MEDIUM/LOW)
- Specific HCL code changes needed for each finding
- Links to tfsec documentation for each rule
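As an added example (not part of the skill's own files), a Python helper for the parse-and-summarize steps above: it reads tfsec JSON, keeps only failed checks at or above a chosen minimum severity, counts them per level and renders the table in the layout the skill asks for. The sample JSON is constructed, and the field names and status codes (0 failed, 1 passed, 2 ignored) are assumptions based on tfsec's JSON output format.

```python
import json

SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]

# Constructed sample in the shape of `tfsec --format json` output (field names assumed from
# tfsec's JSON format): two failed checks (status 0) and one passed check (status 1).
SAMPLE_JSON = json.dumps({"results": [
    {"rule_id": "aws-s3-enable-bucket-encryption", "severity": "HIGH", "status": 0,
     "resource": "aws_s3_bucket.logs", "description": "Bucket does not have encryption enabled",
     "resolution": "Configure bucket encryption", "location": {"filename": "main.tf", "start_line": 12}},
    {"rule_id": "aws-vpc-no-public-ingress-sgr", "severity": "CRITICAL", "status": 0,
     "resource": "aws_security_group_rule.ssh", "description": "Ingress from 0.0.0.0/0",
     "resolution": "Set a more restrictive cidr range", "location": {"filename": "network.tf", "start_line": 4}},
    {"rule_id": "aws-s3-enable-versioning", "severity": "MEDIUM", "status": 1,
     "resource": "aws_s3_bucket.logs", "description": "Bucket has versioning enabled",
     "resolution": "Enable versioning", "location": {"filename": "main.tf", "start_line": 12}},
]})

def load_findings(raw_json, minimum_severity="LOW"):
    """Return failed checks at or above minimum_severity, most severe first."""
    threshold = SEVERITIES.index(minimum_severity.upper())
    findings = []
    for r in json.loads(raw_json).get("results") or []:  # "results" may be null when nothing is found
        if r.get("status", 0) != 0:  # assumed: status 0 = failed; passed (1) and ignored (2) are skipped
            continue
        sev = r.get("severity", "LOW").upper()
        if sev not in SEVERITIES or SEVERITIES.index(sev) > threshold:
            continue
        loc = r.get("location", {})
        findings.append({
            "severity": sev, "rule_id": r["rule_id"], "resource": r.get("resource", ""),
            "where": f"{loc.get('filename', '?')}:{loc.get('start_line', '?')}",
            "description": r.get("description", ""), "resolution": r.get("resolution", ""),
        })
    return sorted(findings, key=lambda f: SEVERITIES.index(f["severity"]))

def severity_counts(findings):
    """Totals per severity, listing all four levels even when zero."""
    return {s: sum(1 for f in findings if f["severity"] == s) for s in SEVERITIES}

def render_table(findings):
    """Markdown table in the column layout the skill asks for."""
    lines = ["| # | Severity | Rule ID | Resource | File:Line | Description | Resolution |",
             "|---|----------|---------|----------|-----------|-------------|------------|"]
    for n, f in enumerate(findings, 1):
        lines.append(f"| {n} | {f['severity']} | {f['rule_id']} | {f['resource']} | "
                     f"{f['where']} | {f['description']} | {f['resolution']} |")
    return "\n".join(lines)
```

Running `render_table(load_findings(open("tfsec-results.json").read(), "HIGH"))` on real output produces the table for the scan step above; passed checks from `--include-passed` runs are dropped automatically.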
Key tfsec Rules by Provider
| Provider | Common Rules |
|---|---|
| AWS | S3 encryption, Security group rules, RDS encryption, CloudTrail logging |
| Azure | Storage encryption, NSG rules, Key Vault settings |
| GCP | IAM bindings, GKE settings, Cloud SQL encryption |
| General | Sensitive variables, hardcoded secrets in HCL |