🔒🌍 Security scanner for your Terraform code

Overview


tfsec uses static analysis of your Terraform templates to spot potential security issues before they are applied. Terraform v0.12+ syntax is supported.

Example Output

Example screenshot

Installation

Install with brew/linuxbrew:

brew install tfsec

Install with Chocolatey:

choco install tfsec

You can also grab the binary for your system from the releases page.

Alternatively, install with Go:

go get -u github.com/tfsec/tfsec/cmd/tfsec

Usage

tfsec will scan the specified directory. If no directory is specified, the current working directory will be used.

The exit status will be non-zero if tfsec finds problems, otherwise the exit status will be zero.

tfsec .

Use with Docker

As an alternative to installing and running tfsec on your system, you may run tfsec in a Docker container.

The following images are available:

Image Name           Base     Comment
tfsec/tfsec          alpine   Normal tfsec image
tfsec/tfsec-alpine   alpine   Exactly the same as tfsec/tfsec, but for those who like to be explicit
tfsec/tfsec-ci       alpine   tfsec with no entrypoint - useful for CI builds where you want to override the command
tfsec/tfsec-scratch  scratch  An image built on scratch - nothing frilly, just runs tfsec

To run:

docker run --rm -it -v "$(pwd):/src" tfsec/tfsec /src

Any of the images listed above can be substituted. tfsec only reads the mounted directory, so mounting it read-only (-v "$(pwd):/src:ro") costs nothing and keeps the scanner container from writing into your checkout.

Use with Visual Studio Code

A Visual Studio Code extension is being developed to integrate with tfsec results. More information can be found on the tfsec Marketplace page

Use as GitHub Action

If you want to run tfsec on your repository as a GitHub Action, you can use https://github.com/triat/terraform-security-scan.

Features

  • Checks for sensitive data inclusion across all providers
  • Checks for violations of AWS, Azure and GCP security best practice recommendations
  • Scans modules (currently only local modules are supported)
  • Evaluates expressions as well as literal values
  • Evaluates Terraform functions e.g. concat()

Ignoring Warnings

You may wish to ignore some warnings. To do so, add a comment containing tfsec:ignore:<CHECK_ID> to the offending line in your templates. If the problem refers to a block of code, such as a multiline string, put the comment on its own line immediately above the block. Treat every ignore as an accepted risk rather than a fix: it silences that check for that line in every future scan, so record the reason in the same comment and review the ignores periodically.

For example, to ignore an open security group rule:

resource "aws_security_group_rule" "my-rule" {
    type = "ingress"
    cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS006
}

...or...

resource "aws_security_group_rule" "my-rule" {
    type = "ingress"
    #tfsec:ignore:AWS006
    cidr_blocks = ["0.0.0.0/0"]
}

If you're not sure which line to add the comment on, just check the tfsec output for the line number of the discovered problem.

You can ignore multiple rules by concatenating the rules on a single line:

#tfsec:ignore:AWS017 tfsec:ignore:AWS002
resource "aws_s3_bucket" "my-bucket" {
  bucket = "foobar"
  acl    = "private"
}
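The placement rules above (same line, or alone on the line above) are easy to state and easy to lose track of once a repository accumulates dozens of ignores. The following is an added example, not tfsec's own code: a small Python audit that enumerates every tfsec:ignore comment in a Terraform file, reproduces the README's placement rule to decide whether a given finding would be suppressed, and lists suppressions that carry no reason text. The regexes, the "text after the last token is the justification" convention, and the sample .tf content are assumptions made for this example; the check IDs are the ones used on this page.

```python
"""Enumerate and audit tfsec:ignore suppressions in Terraform source (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One or more "tfsec:ignore:<ID>" tokens inside a line comment. IDs may be the
# legacy codes (AWS006) or the newer dashed names (aws-vpc-no-public-ingress-sgr).
IGNORE_TOKEN = re.compile(r"tfsec:ignore:([A-Za-z0-9_.-]+)")
# Start of an HCL line comment. Deliberately simple: it will also fire on '#'
# or '//' inside a string literal (e.g. a URL), so treat results as candidates.
COMMENT_START = re.compile(r"(#|//)(.*)$")


@dataclass(frozen=True)
class Suppression:
    line: int            # 1-based line number of the comment
    rule_id: str         # check being silenced
    standalone: bool     # True when the comment is alone on its line
    justification: str   # free text after the last ignore token, "" if none


def find_suppressions(hcl_text: str) -> list[Suppression]:
    """Return every tfsec:ignore token in the file, in source order."""
    found: list[Suppression] = []
    for lineno, raw in enumerate(hcl_text.splitlines(), start=1):
        m = COMMENT_START.search(raw)
        if not m:
            continue
        comment = m.group(2)
        rule_ids = IGNORE_TOKEN.findall(comment)
        if not rule_ids:
            continue
        standalone = raw[: m.start()].strip() == ""
        # Whatever follows the final token is taken as the human-written reason.
        parts = comment[comment.rfind("tfsec:ignore:"):].split(None, 1)
        justification = parts[1].strip() if len(parts) > 1 else ""
        for rule_id in rule_ids:
            found.append(Suppression(lineno, rule_id, standalone, justification))
    return found


def is_suppressed(sups: list[Suppression], finding_line: int, rule_id: str) -> bool:
    """README placement rules: the comment is on the flagged line itself, or on
    its own line directly above the flagged line (or the start of the block)."""
    for s in sups:
        if s.rule_id != rule_id:
            continue
        if s.line == finding_line:
            return True
        if s.standalone and s.line == finding_line - 1:
            return True
    return False


def unjustified(sups: list[Suppression]) -> list[tuple[int, str]]:
    """Suppressions that carry no reason text and should be reviewed."""
    return [(s.line, s.rule_id) for s in sups if not s.justification]


# Constructed sample, not from a real project: line 3 has an inline ignore with
# a reason, line 6 silences two checks for the bucket below with no reason, and
# the egress rule at line 14 is not suppressed at all.
SAMPLE_TF = """\
resource "aws_security_group_rule" "ingress" {
  type        = "ingress"
  cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS006 bastion host, reviewed 2022-09
}

#tfsec:ignore:AWS017 tfsec:ignore:AWS002
resource "aws_s3_bucket" "logs" {
  bucket = "foobar"
  acl    = "private"
}

resource "aws_security_group_rule" "egress" {
  type        = "egress"
  cidr_blocks = ["0.0.0.0/0"]
}
"""

if __name__ == "__main__":
    sups = find_suppressions(SAMPLE_TF)
    for s in sups:
        print(f"line {s.line}: {s.rule_id} standalone={s.standalone} reason={s.justification!r}")
    print("needs a reason:", unjustified(sups))
    print("AWS006 at line 3 suppressed:", is_suppressed(sups, 3, "AWS006"))
    print("AWS007 at line 14 suppressed:", is_suppressed(sups, 14, "AWS007"))
```

Run it over your own .tf files (os.walk plus find_suppressions) as a review-time report: an ignore with no justification, or one whose rule no longer fires, is a candidate for removal.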

Disable checks

You may wish to exclude some checks from running entirely. To do so, pass the -e flag with a comma-separated list of check IDs. Unlike an inline ignore, this disables the check for every file in the scan, so keep the list short and reviewed:

tfsec . -e GEN001,GCP001,GCP002

Including values from .tfvars

You can include values from a tfvars file in the scan, using, for example: --tfvars-file terraform.tfvars.

Included Checks

Checks are currently limited to AWS/Azure/GCP resources, but there are also checks which are provider agnostic.

Checks:

  • AWS Checks
  • Azure Checks
  • GCP Checks
  • General Checks

Running in CI

tfsec is designed for running in a CI pipeline. For this reason it will exit with a non-zero exit code if a potential problem is detected. You may wish to run tfsec as part of your build without coloured output. You can do this using --no-colour (or --no-color for our American friends).

Output options

You can output tfsec results as JSON, CSV, Checkstyle, Sarif, JUnit or just plain old human readable format. Use the --format flag to specify your desired format.
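The machine-readable formats are what make the non-zero exit code usable in practice: a pipeline usually wants to block on HIGH and CRITICAL findings while merely reporting the rest, and to record accepted exceptions somewhere reviewable. The following is an added example, not part of tfsec: a Python gate for a CI step that reads the document produced by tfsec --format json, fails the build only at or above a chosen severity, and honours an explicit allow-list of (rule, file) pairs kept in the repository. The field names (results, rule_id, severity, location.filename, location.start_line) follow tfsec's JSON output format and the handling of a null results value for a clean scan is an assumption; verify both against the output of your tfsec version. The sample document is constructed for this example, using check IDs that appear elsewhere on this page.

```python
"""Severity gate over `tfsec --format json` output for a CI step (added example)."""
from __future__ import annotations

import json
from collections import Counter

# tfsec severities, lowest to highest.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def load_results(raw_json: str) -> list[dict]:
    """Parse tfsec's JSON document. Assumption: findings sit under a top-level
    "results" key and a clean scan may serialise it as null, so None becomes []
    instead of a TypeError that would mask a passing scan as a broken pipeline."""
    doc = json.loads(raw_json)
    return doc.get("results") or []


def gate(raw_json: str, fail_on: str = "HIGH",
         allow: frozenset[tuple[str, str]] = frozenset()) -> tuple[int, dict]:
    """Return (exit_code, summary). exit_code is 1 when any finding at or above
    `fail_on` is not covered by `allow`, a set of (rule_id, filename) pairs that
    records accepted risks in the repository instead of in someone's head."""
    results = load_results(raw_json)
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = []
    for r in results:
        loc = r.get("location", {})
        key = (r.get("rule_id", ""), loc.get("filename", ""))
        if key in allow:
            continue
        if SEVERITY_RANK.get(r.get("severity", "").upper(), 0) >= threshold:
            blocking.append((key[0], key[1], loc.get("start_line")))
    summary = {
        "total": len(results),
        "by_severity": dict(Counter(r.get("severity", "").upper() for r in results)),
        "blocking": blocking,
    }
    return (1 if blocking else 0), summary


# Constructed sample in the shape of tfsec's JSON output (not a real scan).
SAMPLE_JSON = json.dumps({
    "results": [
        {"rule_id": "aws-vpc-no-public-ingress-sgr", "severity": "CRITICAL",
         "description": "Security group rule allows ingress from public internet.",
         "location": {"filename": "main.tf", "start_line": 12, "end_line": 12}},
        {"rule_id": "aws-s3-enable-bucket-logging", "severity": "MEDIUM",
         "description": "Bucket does not have logging enabled.",
         "location": {"filename": "s3.tf", "start_line": 3, "end_line": 9}},
        {"rule_id": "aws-sns-enable-topic-encryption", "severity": "HIGH",
         "description": "Topic does not have encryption enabled.",
         "location": {"filename": ".terraform/modules/test/submodule/aws_sns_topic.tf",
                      "start_line": 1, "end_line": 3}},
    ]
})

# (rule, file) pairs that have been reviewed and accepted for this repository.
ACCEPTED = frozenset({
    ("aws-sns-enable-topic-encryption", ".terraform/modules/test/submodule/aws_sns_topic.tf"),
})

if __name__ == "__main__":
    import sys
    code, summary = gate(SAMPLE_JSON, fail_on="HIGH", allow=ACCEPTED)
    print(json.dumps(summary, indent=2))
    sys.exit(code)
```

In a pipeline, feed the gate with the real output (tfsec . --format json > tfsec.json, then read the file) and commit the allow-list next to the code it excuses, so that every accepted finding goes through the same review as the Terraform change that introduced it.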

GitHub Security Alerts

If you want to integrate with GitHub Security alerts and include the output of your tfsec checks, you can use the tfsec-sarif-action GitHub Action to run the static analysis and then upload the SARIF results to the repository's security alerts tab.

The alerts generated for tfsec-example-project look like this.

github security alerts

When you click through the alerts for the branch, you get more information about the actual issue.

github security alerts

For more information about adding security alerts, check

Support for older terraform versions

If you need to support versions of terraform which use HCL v1 (terraform <0.12), you can use v0.1.3 of tfsec, though support is very limited and has fewer checks.

Comments
  • bug: False positive about missing S3 public access block

    bug: False positive about missing S3 public access block

Describe the bug We have an S3 bucket with an s3_public_access_block. Last week this was not detected; now it is causing multiple HIGH level potential problems. The 1.0.3 fix earlier today did remove some of the problems, but other similar problems still remain.

    To Reproduce This is part of the code. The var.create_module is either true or false, since the bucket shall only be created for specific environments.

    resource "aws_s3_bucket" "s3_bucket" {
      count  = var.create_module ? 1 : 0
      bucket = "${var.bucket_name}"
      acl    = "private"

      logging {
        target_bucket = aws_s3_bucket.log_bucket[0].id
      }

      versioning {
        enabled = true
      }

      server_side_encryption_configuration {
        rule {
          apply_server_side_encryption_by_default {
            sse_algorithm = "AES256"
          }
        }
      }
    }

    resource "aws_s3_bucket_public_access_block" "s3_public_access_block" {
      count                   = var.create_module ? 1 : 0
      bucket                  = aws_s3_bucket.s3_bucket[0].id
      block_public_acls       = true
      block_public_policy     = true
      ignore_public_acls      = true
      restrict_public_buckets = true
    }

    Version tfsec v1.0.4

    bug waiting for input 
    opened by PB-TW 30
  • tfsec 0.21.0 hangs

    tfsec 0.21.0 hangs

    It seems there was a change between version 0.19.0 and 0.21.0 and now tfsec hangs indefinitely.

    It works in some sub directories, but not at the root of our project. Could it be something related to folder with dot in the name? I may have more time to dig into the issue in the days to come.

    opened by TLaborde 21
  • bug: non-deterministic behavior/results due to for_each processing for v1+ releases

    bug: non-deterministic behavior/results due to for_each processing for v1+ releases

    Describe the bug Some combination of tf resources yields inconsistent results.

    To Reproduce Steps to reproduce the behavior:

    1. Create a directory with the files from this gist: https://gist.github.com/BryanStenson-okta/caf244cc5ffbf25a590f4a3fc5d7ae51
    2. Run tfsec . repeatedly (sometimes at least 10-20 times), and observe different results.

    Expected behavior Each execution of tfsec, on the identical codebase, should yield identical results.

    Screenshots/Output

    System Info

    • tfsec version: v1.0.11
    • terraform version: v1.1.3
    • OS: osx

    Example Code

    https://gist.github.com/BryanStenson-okta/caf244cc5ffbf25a590f4a3fc5d7ae51

    Additional context

    bug waiting for input 
    opened by BryanStenson-okta 20
  • Latest release increased scanning time from a few seconds to 6+ minutes

    Latest release increased scanning time from a few seconds to 6+ minutes

    Latest releases increased scanning time from a few seconds to 6+ minutes. I've seen some talks about reducing looping on nested modules, which seems to have helped a bit, but scanning time is still exceptionally high.

    investigating 
    opened by favoretti 19
  • bug: tfsec --exclude-downloaded-modules doesn't work for submodules in external modules (since 1.16)

    bug: tfsec --exclude-downloaded-modules doesn't work for submodules in external modules (since 1.16)

    Describe the bug

    Since 1.16 the --exclude-downloaded-modules argument doesn't work anymore on submodules in external modules.

    To Reproduce

    > tfsec-test $tree
    .
    ├── external-module
    │   ├── sns.tf
    │   └── submodule
    │       └── aws_sns_topic.tf
    └── root
        └── main.tf
    
    3 directories, 3 files
    
    > tfsec-test $cat root/main.tf
    module "test" {
        source = "git::/mnt/c/work/Bitbucket/tfsec-test/external-module"
    }
    
    > tfsec-test $cat external-module/sns.tf
    module "submodule" {
        source = "./submodule"
    }
    
    > tfsec-test $cat external-module/submodule/aws_sns_topic.tf 
    resource "aws_sns_topic" "this" {
      name = "test"
    }
    
    
    

    Expected behavior

    The issues found in the external module are excluded.

    Screenshots/Output

    > tfsec-test $tfsec --version
    v1.18.0
    > tfsec-test $tfsec root/ --exclude-downloaded-modules  --concise-output
    
    Result #1 HIGH Topic does not have encryption enabled. 
    ──────────────────────────────────────────────────────────────────
     .terraform/modules/test/submodule/aws_sns_topic.tf Lines 1-3
    ───────┬──────────────────────────────────────────────────────────
        1  │ resource "aws_sns_topic" "this" {
        2  │   name = "test"
        3  │ }
    ───────┴──────────────────────────────────────────────────────────
              ID aws-sns-enable-topic-encryption
          Impact The SNS topic messages could be read if compromised
      Resolution Turn on SNS Topic encryption
    
      More Information
      - https://aquasecurity.github.io/tfsec/v1.18.0/checks/aws/sns/enable-topic-encryption/
      - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#example-with-server-side-encryption-sse
    ──────────────────────────────────────────────────────────────────
    
    

    System Info

    • tfsec version: v1.18.0
    • terraform version: v0.14.0
    • OS: 20.04.4 LTS (Focal Fossa) (WSL2)

    Example Code

    See above

    Additional context

    TFsec tests are passing with versions below 1.16:

    > tfsec-test $tfsec --version
    v1.15.4
    > tfsec-test $tfsec root/ --exclude-downloaded-modules --concise-output
    
    No problems detected!
    
    bug aws 
    opened by ragchuck 18
  • tfsec hangs indefinitely on MacOS 10.14.6 (Mojave)

    tfsec hangs indefinitely on MacOS 10.14.6 (Mojave)

    I ran the test on macOS both from source and from the release file (github.com). The test ran for more than 40 minutes and did not finish. Please check. I am also using modules in my TF files (tf 0.12.10).

    bug 
    opened by academ1c 18
  • Latest version does not appear to crawl directory hierarchy recursively like previous version

    Latest version does not appear to crawl directory hierarchy recursively like previous version

    Describe the bug I am using the latest stable v0.37.1 and comparing against a previous version (v0.27.0) I was using and had various integration tests configured for. Previously I was getting findings for .tf files in sub-directories of the directory specified at the command line; now it appears that it does not crawl all files.

    To Reproduce Steps to reproduce the behavior:

    1. tfsec ./some-dir-with-sub-dirs/

    Expected behavior Get findings for .tf files located all the way down the hierarchy

    Desktop (please complete the following information):

    • OS: macOS Big Sur
    opened by fproulx-boostsecurity 17
  • Ignoring checks within a module

    Ignoring checks within a module

    Hi All,

    My first post here. I've looked to try and find an answer to my problem but couldn't see one; if this is already resolved, apologies, but if you could link me to the fix that'd be great. tfsec seems to be a great idea, so thanks to everyone for their efforts.

    I'm trying to use TFSec to review my code, including what is getting deployed into modules being used.

    I've written the below piece of code, and successfully annotated the code to get tfsec to ignore a security group rule check, using the HashiCorp-provided Terraform module for security groups:

    #Create Security Group for Build Runner
    module "build_runner_sg" {
      source = "terraform-aws-modules/security-group/aws"
    
      name        = "build_runner_sg"
      description = "Security group for Gitlab Build Runner"
      vpc_id      = module.vpc.vpc_id
    
      egress_with_cidr_blocks = [
        {
          from_port   = 0
          to_port     = 65535
          protocol    = -1
          description = "Runner outbound access"
          cidr_blocks = "0.0.0.0/0" #tfsec:ignore:AWS007 ignore warning as this open outbound security rule is valid
        }
      ]
    }
    

    Having done a terraform init and then run tfsec, I'm still getting tfsec warnings for the code in the module related to the above, e.g.:

    Problem 1
      [AWS007][WARNING] Resource 'module.build_runner_sg:aws_security_group_rule.egress_rules' defines a fully open egress security group rule.
      /builds/_redacted_/.terraform/modules/build_runner_sg/main.tf:440
         437 |   security_group_id = local.this_sg_id
         438 |   type              = "egress"
         439 | 
         440 |   cidr_blocks      = var.egress_cidr_blocks
         441 |   ipv6_cidr_blocks = var.egress_ipv6_cidr_blocks
         442 |   prefix_list_ids  = var.egress_prefix_list_ids
         443 |   description      = var.rules[var.egress_rules[count.index]][3]
      See https://tfsec.dev/docs/aws/AWS007/ for more information.
    

    I can't find a way of ignoring this message from within the module, whilst still scanning the module. I thought I could ignore checking modules (e.g. not running terraform init first), but it would be good to check everything if that's possible.

    Mark

    feature 
    opened by markrossatos 17
  • question: docker run --rm -v

    question: docker run --rm -v "$(pwd):/src" aquasec/tfsec /src not scanning the current repository path!

    Hello all, I wanted to use tfsec in Jenkins, following your documentation. First I pulled the tfsec-ci Docker image and then ran the command docker run --rm -v "$(pwd):/src" aquasec/tfsec /src as shown in the README. But this command doesn't get the current path of the repository pulled from Bitbucket. I've also tried this locally on my laptop and it worked without changing anything!

    [two screenshots]

    As you can see, the images above show different results, even though I used the same command...

    Any suggestion?

    question stale 
    opened by vehbirestelica 16
  • bug: Lots of false positives for S3 with 1.27.2

    bug: Lots of false positives for S3 with 1.27.2

    Describe the bug 1.27.2 shows lots of false positives like for example https://github.com/aquasecurity/tfsec/issues/1863 1.27.1 works fine.

    To Reproduce Use 1.27.2

    Expected behavior No false positives.

    System Info

    • tfsec version: 1.27.2
    • terraform version: 1.2.6
    • OS: ubuntu-20.04
    bug 
    opened by rreich 15
  • Check results are duplicated multiple times for modules

    Check results are duplicated multiple times for modules

    Describe the bug Identical check findings are repeated multiple times. For example, this CRITICAL warning appears 37 times (I think, findings #32783 to #32819). Seems to affect all check types, not just this one.

     #32783 CRITICAL Security group rule allows ingress from public internet.
    ──────────────────────────────────────────────────────────────────
     sno**************ing.tf Line 489
    ───────┬──────────────────────────────────────────────────────────
      484  │   ingress {
      485  │     from_port = 443
      486  │     to_port   = 443
      487  │     protocol  = "tcp"
      488  │ 
      489  │     cidr_blocks = ["0.0.0.0/0"] # Accessible via VPC or a peered VPC.
      490  │   }
    ───────┴──────────────────────────────────────────────────────────
              ID aws-vpc-no-public-ingress-sgr
          Impact Your port exposed to the internet
      Resolution Set a more restrictive cidr range
    
      More Information
      - https://aquasecurity.github.io/tfsec/latest/checks/aws/vpc/no-public-ingress-sgr/
      - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
    ──────────────────────────────────────────────────────────────────
    
    ..........repeated many times.......
    
    
    #32819 CRITICAL Security group rule allows ingress from public internet.
    ──────────────────────────────────────────────────────────────────
     sno**************ing.tf Line 489
    ───────┬──────────────────────────────────────────────────────────
      484  │   ingress {
      485  │     from_port = 443
      486  │     to_port   = 443
      487  │     protocol  = "tcp"
      488  │ 
      489  │     cidr_blocks = ["0.0.0.0/0"] # Accessible via VPC or a peered VPC.
      490  │   }
    ───────┴──────────────────────────────────────────────────────────
              ID aws-vpc-no-public-ingress-sgr
          Impact Your port exposed to the internet
      Resolution Set a more restrictive cidr range
    
      More Information
      - https://aquasecurity.github.io/tfsec/latest/checks/aws/vpc/no-public-ingress-sgr/
      - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
    ──────────────────────────────────────────────────────────────────
    
    

    To Reproduce Steps to reproduce the behavior:

    1. I'm currently working on a simple shareable repro case.

    Expected behavior Each check is only reported once (or possibly once for each expanded for_each occurrence).

    Screenshots N/A

    Desktop (please complete the following information):

    • OS: MacOS Monterey 12.1
    • Go: go1.17.6 darwin/arm64
    • Terraform: 1.1.4

    Additional context Add any other context about the problem here.

    release-candidate 
    opened by andrassy 15
Releases: v1.28.0