πŸ”’πŸŒ Security scanner for your Terraform code

Overview

Travis Build Status GoReportCard Github Release GitHub All Releases Join Our Slack Docker Build Homebrew Chocolatey

tfsec uses static analysis of your terraform templates to spot potential security issues. Now with terraform v0.12+ support.

Example Output

Example screenshot

Installation

Install with brew/linuxbrew:

brew install tfsec

Install with Chocolatey:

choco install tfsec

You can also grab the binary for your system from the releases page.

Alternatively, install with Go:

go get -u github.com/tfsec/tfsec/cmd/tfsec

Usage

tfsec will scan the specified directory. If no directory is specified, the current working directory will be used.

The exit status will be non-zero if tfsec finds problems, otherwise the exit status will be zero.

tfsec .

Use with Docker

As an alternative to installing and running tfsec on your system, you may run tfsec in a Docker container.

There are a number of Docker options available

Image Name Base Comment
tfsec/tfsec alpine Normal tfsec image
tfsec/tfsec-alpine alpine Exactly the same as tfsec/tfsec, but for those whole like to be explicit
tfsec/tfsec-ci alpine tfsec with no entrypoint - useful for CI builds where you want to override the command
tfsec/tfsec-scratch scratch An image built on scratch - nothing frilly, just runs tfsec

To run:

docker run --rm -it -v "$(pwd):/src" liamg/tfsec /src

Use with Visual Studio Code

A Visual Studio Code extension is being developed to integrate with tfsec results. More information can be found on the tfsec Marketplace page

Use as GitHub Action

If you want to run tfsec on your repository as a GitHub Action, you can use https://github.com/triat/terraform-security-scan.

Features

  • Checks for sensitive data inclusion across all providers
  • Checks for violations of AWS, Azure and GCP security best practice recommendations
  • Scans modules (currently only local modules are supported)
  • Evaluates expressions as well as literal values
  • Evaluates Terraform functions e.g. concat()

Ignoring Warnings

You may wish to ignore some warnings. If you'd like to do so, you can simply add a comment containing tfsec:ignore: to the offending line in your templates. If the problem refers to a block of code, such as a multiline string, you can add the comment on the line above the block, by itself.

For example, to ignore an open security group rule:

resource "aws_security_group_rule" "my-rule" {
    type = "ingress"
    cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS006
}

...or...

resource "aws_security_group_rule" "my-rule" {
    type = "ingress"
    #tfsec:ignore:AWS006
    cidr_blocks = ["0.0.0.0/0"]
}

If you're not sure which line to add the comment on, just check the tfsec output for the line number of the discovered problem.

You can ignore multiple rules by concatenating the rules on a single line:

#tfsec:ignore:AWS017 tfsec:ignore:AWS002
resource "aws_s3_bucket" "my-bucket" {
  bucket = "foobar"
  acl    = "private"
}

Disable checks

You may wish to exclude some checks from running. If you'd like to do so, you can simply add new argument -e CHECK1,CHECK2,etc to your cmd command

tfsec . -e GEN001,GCP001,GCP002

Including values from .tfvars

You can include values from a tfvars file in the scan, using, for example: --tfvars-file terraform.tfvars.

Included Checks

Checks are currently limited to AWS/Azure/GCP resources, but there are also checks which are provider agnostic.

Checks
AWS Checks
Azure Checks
GCP Checks
General Checks

Running in CI

tfsec is designed for running in a CI pipeline. For this reason it will exit with a non-zero exit code if a potential problem is detected. You may wish to run tfsec as part of your build without coloured output. You can do this using --no-colour (or --no-color for our American friends).

Output options

You can output tfsec results as JSON, CSV, Checkstyle, Sarif, JUnit or just plain old human readable format. Use the --format flag to specify your desired format.

Github Security Alerts

If you want to integrate with Github Security alerts and include the output of your tfsec checks you can use the tfsec-sarif-action Github action to run the static analysis then upload the results to the security alerts tab.

The alerts generated for tfsec-example-project look like this.

github security alerts

When you click through the alerts for the branch, you get more information about the actual issue.

github security alerts

For more information about adding security alerts, check

Support for older terraform versions

If you need to support versions of terraform which use HCL v1 (terraform <0.12), you can use v0.1.3 of tfsec, though support is very limited and has fewer checks.

Comments
  • bug: False positive about missing S3 public access block

    bug: False positive about missing S3 public access block

    Describe the bug We're having an S3 bucket with a s3_public_access_block. Last week this was not detected, now it is causing multiple HIGH level potential problems. The 1.0.3 fix earlier today did remove some of the problems but other similar problems still remain.

    To Reproduce This is part of the code. The var.create_module is either true or false since the bucket shall only be created for specific environments. `resource "aws_s3_bucket" "s3_bucket" { count = var.create_module ? 1 : 0 bucket = "${var.bucket_name}" acl = "private"

    logging { target_bucket = aws_s3_bucket.log_bucket[0].id }

    versioning { enabled = true }

    server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } } } }

    resource "aws_s3_bucket_public_access_block" "s3_public_access_block" { count = var.create_module ? 1 : 0 bucket = aws_s3_bucket.s3_bucket[0].id block_public_acls = true block_public_policy = true ignore_public_acls = true restrict_public_buckets = true }`

    Version tfsec v1.0.4

    bug waiting for input 
    opened by PB-TW 30
  • tfsec 0.21.0 hangs

    tfsec 0.21.0 hangs

    It seems there was a change between version 0.19.0 and 0.21.0 and now tfsec hangs indefinitely.

    It works in some sub directories, but not at the root of our project. Could it be something related to folder with dot in the name? I may have more time to dig into the issue in the days to come.

    opened by TLaborde 21
  • bug: non-deterministic behavior/results due to for_each processing for v1+ releases

    bug: non-deterministic behavior/results due to for_each processing for v1+ releases

    Describe the bug Some combination of tf resources yields inconsistent results.

    To Reproduce Steps to reproduce the behavior:

    1. Create directory the files from this gist: https://gist.github.com/BryanStenson-okta/caf244cc5ffbf25a590f4a3fc5d7ae51
    2. Run tfsec . repeatedly (sometimes at least 10-20 times), and observe different results.

    Expected behavior Each execution of tfsec, on the identical codebase, should yield identical results.

    Screenshots/Output

    System Info

    • tfsec version: v1.0.11
    • terraform version: v1.1.3
    • OS: osx

    Example Code

    https://gist.github.com/BryanStenson-okta/caf244cc5ffbf25a590f4a3fc5d7ae51

    Additional context

    bug waiting for input 
    opened by BryanStenson-okta 20
  • Latest release increased scanning time from a few seconds to 6+ minutes

    Latest release increased scanning time from a few seconds to 6+ minutes

    Latest releases increased scanning time from a few seconds to 6+ minutes. I've seen some talks about reducing looping on nested modules, which seems to have helped a bit, but scanning time is still exceptionally high.

    investigating 
    opened by favoretti 19
  • bug: tfsec --exclude-downloaded-modules doesn't work for submodules in external modules (since 1.16)

    bug: tfsec --exclude-downloaded-modules doesn't work for submodules in external modules (since 1.16)

    Describe the bug

    Since 1.16 the --exclude-downloaded-modules argument doesn't work anymore on submodules in external modules.

    To Reproduce

    > tfsec-test $tree
    .
    β”œβ”€β”€ external-module
    β”‚   β”œβ”€β”€ sns.tf
    β”‚   └── submodule
    β”‚       └── aws_sns_topic.tf
    └── root
        └── main.tf
    
    3 directories, 3 files
    
    > tfsec-test $cat root/main.tf
    module "test" {
        source = "git::/mnt/c/work/Bitbucket/tfsec-test/external-module"
    }
    
    > tfsec-test $cat external-module/sns.tf
    module "submodule" {
        source = "./submodule"
    }
    
    > tfsec-test $cat external-module/submodule/aws_sns_topic.tf 
    resource "aws_sns_topic" "this" {
      name = "test"
    }
    
    
    

    Expected behavior

    The issues found in the external module are excluded.

    Screenshots/Output

    > tfsec-test $tfsec --version
    v1.18.0
    > tfsec-test $tfsec root/ --exclude-downloaded-modules  --concise-output
    
    Result #1 HIGH Topic does not have encryption enabled. 
    ─────────────────────────────────────────────────────────────────
     .terraform/modules/test/submodule/aws_sns_topic.tf Lines 1-3
    ───────┬─────────────────────────────────────────────────────────
        1  β”‚ resource "aws_sns_topic" "this" {
        2  β”‚   name = "test"
        3  β”‚ }
    ───────┴─────────────────────────────────────────────────────────
              ID aws-sns-enable-topic-encryption
          Impact The SNS topic messages could be read if compromised
      Resolution Turn on SNS Topic encryption
    
      More Information
      - https://aquasecurity.github.io/tfsec/v1.18.0/checks/aws/sns/enable-topic-encryption/
      - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#example-with-server-side-encryption-sse
    ─────────────────────────────────────────────────────────────────
    
    

    System Info

    • tfsec version: v1.18.0
    • terraform version: v0.14.0
    • OS: 20.04.4 LTS (Focal Fossa) (WSL2)

    Example Code

    See above

    Additional context

    TFsec tests are passing with versions below 1.16:

    > tfsec-test $tfsec --version
    v1.15.4
    > tfsec-test $tfsec root/ --exclude-downloaded-modules --concise-output
    
    No problems detected!
    
    bug aws 
    opened by ragchuck 18
  • tfsec hangs indefinitely on MacOS 10.14.6 (Mojave)

    tfsec hangs indefinitely on MacOS 10.14.6 (Mojave)

    I runned test on MacOS from scratch and from release file (github.com) Test runned more 40 mins and not ended ( Check please I am using modules also in my TF files (tf 0.12.10)

    bug 
    opened by academ1c 18
  • Latest version does not appear to crawl directory hierarchy recursively like previous version

    Latest version does not appear to crawl directory hierarchy recursively like previous version

    Describe the bug I am using latest stable v0.37.1 and comparing against a previous version (v0.27.0) I was using and had various integration tests configured for. Previously I was getting findings for .tf files in sub-directories from the directory specified at the command line, now it appears that it does not crawl all files

    To Reproduce Steps to reproduce the behavior:

    1. tfsec ./some-dir-with-sub-dirs/

    Expected behavior Get findings for .tf files located all the way down the hierarchy

    Desktop (please complete the following information):

    • OS: macOS Big Sur
    opened by fproulx-boostsecurity 17
  • Ignoring checks within a module

    Ignoring checks within a module

    Hi All,

    My first post here, I've looked to try and find an answer to my problem but couldn't see one, but if this is already resolved apologies but if you could link me to the fix that'd be great. TFsec seems to be a great idea so thanks to everyone for their efforts.

    I'm trying to use TFSec to review my code, including what is getting deployed into modules being used.

    I've written the below piece of code, and successfully annotated the code to get TFSec to ignore a security group rule check, using the Hashicorp provided terraform module for security groups : -

    #Create Security Group for Build Runner
    module "build_runner_sg" {
      source = "terraform-aws-modules/security-group/aws"
    
      name        = "build_runner_sg"
      description = "Security group for Gitlab Build Runner"
      vpc_id      = module.vpc.vpc_id
    
      egress_with_cidr_blocks = [
        {
          from_port   = 0
          to_port     = 65535
          protocol    = -1
          description = "Runner outbound access"
          cidr_blocks = "0.0.0.0/0" #tfsec:ignore:AWS007 ignore warning as this open outbound security rule is valid
        }
      ]
    }
    

    Having done a Terraform init and then run tfsec I'm still getting TFSec warnings for the code in the module related to the above, e.g. : -

    Problem 1
      [AWS007][WARNING] Resource 'module.build_runner_sg:aws_security_group_rule.egress_rules' defines a fully open egress security group rule.
      /builds/_redacted_/.terraform/modules/build_runner_sg/main.tf:440
         437 |   security_group_id = local.this_sg_id
         438 |   type              = "egress"
         439 | 
         440 |   cidr_blocks      = var.egress_cidr_blocks
         441 |   ipv6_cidr_blocks = var.egress_ipv6_cidr_blocks
         442 |   prefix_list_ids  = var.egress_prefix_list_ids
         443 |   description      = var.rules[var.egress_rules[count.index]][3]
      See https://tfsec.dev/docs/aws/AWS007/ for more information.
    

    I can't find a way of ignoring this message from within the module, whilst still scanning the module. I thought I could ignore checking modules (e.g. not running terraform init first), but it would be good to check everything if that's possible.

    Mark

    feature 
    opened by markrossatos 17
  • question: docker run --rm -v

    question: docker run --rm -v "$(pwd):/src" aquasec/tfsec /src not scanning the current repository path!

    Hello all, I wanted to use tfsec in Jenkins, following your documentation, first I pulled tfsec-ci docker image and then ran the command docker run --rm -v "$(pwd):/src" aquasec/tfsec /src as shown in the read.me file. But this command doesn't get the current path of the repository pulled from bitbucket. I've also tried this locally on my laptop and it worked without changing anything! image
    image

    As you can see, the images above show different results, even though I used the same command...

    Any suggestion?

    question stale 
    opened by vehbirestelica 16
  • bug: Lots of false positives for S3 with 1.27.2

    bug: Lots of false positives for S3 with 1.27.2

    Describe the bug 1.27.2 shows lots of false positives like for example https://github.com/aquasecurity/tfsec/issues/1863 1.27.1 works fine.

    To Reproduce Use 1.27.2

    Expected behavior No false positives.

    System Info

    • tfsec version: 1.27.2
    • terraform version: 1.2.6
    • OS: ubuntu-20.04
    bug 
    opened by rreich 15
  • Check results are duplicated multiple times for modules

    Check results are duplicated multiple times for modules

    Describe the bug Identical check findings are repeated multiple times. For example, this CRITICAL warning appears 37 times (I think, findings #32783 to #32819). Seems to affect all check types, not just this one.

     #32783 CRITICAL Security group rule allows ingress from public internet.
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     sno**************ing.tf Line 489
    ───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
      484  β”‚   ingress {
      485  β”‚     from_port = 443
      486  β”‚     to_port   = 443
      487  β”‚     protocol  = "tcp"
      488  β”‚ 
      489  β”‚     cidr_blocks = ["0.0.0.0/0"] # Accessible via VPC or a peered VPC.
      490  β”‚   }
    ───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
              ID aws-vpc-no-public-ingress-sgr
          Impact Your port exposed to the internet
      Resolution Set a more restrictive cidr range
    
      More Information
      - https://aquasecurity.github.io/tfsec/latest/checks/aws/vpc/no-public-ingress-sgr/
      - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    
    ..........repeated many times.......
    
    
    #32819 CRITICAL Security group rule allows ingress from public internet.
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     sno**************ing.tf Line 489
    ───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
      484  β”‚   ingress {
      485  β”‚     from_port = 443
      486  β”‚     to_port   = 443
      487  β”‚     protocol  = "tcp"
      488  β”‚ 
      489  β”‚     cidr_blocks = ["0.0.0.0/0"] # Accessible via VPC or a peered VPC.
      490  β”‚   }
    ───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
              ID aws-vpc-no-public-ingress-sgr
          Impact Your port exposed to the internet
      Resolution Set a more restrictive cidr range
    
      More Information
      - https://aquasecurity.github.io/tfsec/latest/checks/aws/vpc/no-public-ingress-sgr/
      - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    
    

    To Reproduce Steps to reproduce the behavior:

    1. I'm currently working on a simple shareable repro case.

    Expected behavior Each check is only reported once (or possible once for each expanded for_each occurrence.

    Screenshots N/A

    Desktop (please complete the following information):

    • OS: MacOS Monterey 12.1
    • Go: go1.17.6 darwin/arm64
    • Terraform: 1.1.4

    Additional context Add any other context about the problem here.

    release-candidate 
    opened by andrassy 15
  • bug: Panic: not a string if azurerm_key_vault_key expiration_date attribute not set to static string value

    bug: Panic: not a string if azurerm_key_vault_key expiration_date attribute not set to static string value

    Describe the bug If the value of the expiration_data attribute of an azuremr_key_vault_key is set to null or a variable, the error "panic: not a string" is thrown.

    To Reproduce See example Terraform module code below. Running tfsec against the code throws the error.

    Expected behavior Results are returned with a passed result for the "Key should have an expiry date specified" check.

    Output of your tfsec command with --debug flag 17:35.971248300 system.info APP tfsec.exe 17:35.971248300 system.info VERSION v1.28.1 17:35.971248300 system.info OS windows 17:35.972346500 system.info ARCH amd64 17:35.972346500 system.info KERNEL 17:35.972346500 system.info TERM 17:35.972346500 system.info SHELL 17:35.972878400 system.info GOVERSION go1.18.7 17:35.972878400 system.info GOROOT /opt/hostedtoolcache/go/1.18.7/x64 17:35.972878400 system.info CGO false 17:35.972878400 system.info CPUCOUNT 8 17:35.973409100 system.info MAXPROCS 8 17:35.973409100 system.info WORKDIR C:\repos\test 17:35.973409100 system.info UID -1 17:35.973409100 system.info EUID -1 17:35.973409100 system.info DOCKER false 17:35.973935800 system.info CI false 17:35.973935800 system.info HOSTNAME
    17:35.973935800 system.info TEMP C:\Users\RICHER~1\AppData\Local\Temp 17:35.973935800 system.info PATHSEP
    17:35.974459200 system.info CMD C:\ProgramData\chocolatey\lib\tfsec\tools\tfsec.exe modules\terraform-azurerm-key_vault_key --debug 17:35.974459200 cmd Command args=[]string{"modules\terraform-azurerm-key_vault_key"} 17:35.974982000 cmd Determined path dir=C:\repos\test\modules\terraform-azurerm-key_vault_key
    17:35.974982000 cmd Determined path root=C: 17:35.974982000 cmd Determined path rel=repos\test\modules\terraform-azurerm-key_vault_key
    17:35.975501900 terraform.scanner Scanning [&{C: C:}] at 'repos\test\modules\terraform-azurerm-key_vault_key'...17:35.979382500 terraform.scanner.rego Loaded 3 embedded libraries. 17:36.002955100 terraform.scanner.rego Loaded 119 embedded policies. 17:36.128659400 terraform.scanner Scanning root module 'repos\test\modules\terraform-azurerm-key_vault_key'... 17:36.129699500 terraform.parser. Setting project/module root to 'repos\test\modules\terraform-azurerm-key_vault_key' 17:36.129699500 terraform.parser. Parsing FS from 'repos/test/modules/terraform-azurerm-key_vault_key' 17:36.130660000 terraform.parser. Parsing 'repos\test\modules\terraform-azurerm-key_vault_key\locals.tf'...
    17:36.131664800 terraform.parser. Added file repos\test\modules\terraform-azurerm-key_vault_key\locals.tf.
    17:36.131664800 terraform.parser. Parsing 'repos\test\modules\terraform-azurerm-key_vault_key\main.tf'...
    17:36.131664800 terraform.parser. Added file repos\test\modules\terraform-azurerm-key_vault_key\main.tf.
    17:36.131664800 terraform.parser. Parsing 'repos\test\modules\terraform-azurerm-key_vault_key\outputs.tf'...
    17:36.132659600 terraform.parser. Added file repos\test\modules\terraform-azurerm-key_vault_key\outputs.tf.
    17:36.132659600 terraform.parser. Parsing 'repos\test\modules\terraform-azurerm-key_vault_key\variables.tf'...
    17:36.133662800 terraform.parser. Added file repos\test\modules\terraform-azurerm-key_vault_key\variables.tf.
    17:36.133662800 terraform.parser. Parsing 'repos\test\modules\terraform-azurerm-key_vault_key\version.tf'...
    17:36.133662800 terraform.parser. Added file repos\test\modules\terraform-azurerm-key_vault_key\version.tf.
    17:36.133662800 terraform.parser. Evaluating module... 17:36.135194400 terraform.parser. Read 15 block(s) and 0 ignore(s) for module 'root' (5 file[s])... 17:36.135298700 terraform.parser. Added 0 variables from tfvars. 17:36.135298700 terraform.parser. Error loading module metadata: open repos\test\modules\terraform-azurerm-key_vault_key.terraform\modules\modules.json: invalid argument. 17:36.135298700 terraform.parser. Working directory for module evaluation is 'C:\repos\test' 17:36.135298700 terraform.parser..evaluator Filesystem key is '98d6a362eb8a41f901f5a1635aca87711499f306803437f93a9fa0f398dc83b6' 17:36.135298700 terraform.parser..evaluator Starting module evaluation... 17:36.136311800 terraform.parser..evaluator Starting submodule evaluation... 17:36.136311800 terraform.parser..evaluator Finished processing 0 submodule(s). 17:36.136311800 terraform.parser..evaluator Starting post-submodule evaluation... 17:36.136311800 terraform.parser..evaluator Module evaluation complete. 17:36.136311800 terraform.parser. Finished parsing module 'root'. 17:36.136311800 terraform.parser..evaluator Added module output expirationDate=cty.NilVal. 17:36.137310900 terraform.parser..evaluator Added module output id=cty.StringVal("09fba0b3-f2c4-4ce2-9b85-0906ce5a1c17"). 17:36.137310900 terraform.parser..evaluator Added module output name=cty.NilVal. 17:36.137310900 terraform.parser..evaluator Added module output versionless_id=cty.NilVal. 17:36.137310900 terraform.executor Adapting modules... panic: not a string

    goroutine 1 [running]: github.com/zclconf/go-cty/cty.Value.AsString({{{0x0?, 0x0?}}, {0x0?, 0x0?}}) /home/runner/go/pkg/mod/github.com/zclconf/[email protected]/cty/value_ops.go:1256 +0x138 github.com/aquasecurity/defsec/internal/adapters/terraform/azure/keyvault.adaptKey() /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/internal/adapters/terraform/azure/keyvault/adapt.go:154 +0x22f github.com/aquasecurity/defsec/internal/adapters/terraform/azure/keyvault.(*adapter).adaptVaults(0xc0015813b0, {0xc0017a9010, 0x1, 0xc0015813c0?})
    /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/internal/adapters/terraform/azure/keyvault/adapt.go:74 +0x1765 github.com/aquasecurity/defsec/internal/adapters/terraform/azure/keyvault.Adapt({0xc0017a9010, 0x1, 0x1}) /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/internal/adapters/terraform/azure/keyvault/adapt.go:20 +0xd3 github.com/aquasecurity/defsec/internal/adapters/terraform/azure.Adapt({
    , _, _}) /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/internal/adapters/terraform/azure/adapt.go:30 +0x2b7 github.com/aquasecurity/defsec/internal/adapters/terraform.Adapt({0xc0017a9010, 0x1, 0x1}) /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/internal/adapters/terraform/adapt.go:20 +0x7e github.com/aquasecurity/defsec/pkg/scanners/terraform/executor.(*Executor).Execute(0xc001836100, {0xc0017a9010?, 0x1, 0x1}) /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/scanners/terraform/executor/executor.go:96 +0x11a github.com/aquasecurity/defsec/pkg/scanners/terraform.(*Scanner).ScanFSWithMetrics(0xc0002025a0, {0x25ff5b0, 0xc00003c0e8}, {0x23fcbd2e740?, 0xc0005d5640?}, {0xc00056cba3, 0x4b}) /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/scanners/terraform/scanner.go:216 +0x77a github.com/aquasecurity/tfsec/internal/app/tfsec/cmd.Root.func1(0xc000a58c00, {0xc0005d5440, 0x1, 0x2}) /home/runner/work/tfsec/tfsec/internal/app/tfsec/cmd/root.go:83 +0x633 github.com/spf13/cobra.(*Command).execute(0xc000a58c00, {0xc000050090, 0x2, 0x3}) /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:916 +0x862 github.com/spf13/cobra.(*Command).ExecuteC(0xc000a58c00) /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1040 +0x3b4 github.com/spf13/cobra.(*Command).Execute(...) /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:968 main.main() /home/runner/work/tfsec/tfsec/cmd/tfsec/main.go:12 +0x25

    System Info

    • tfsec version: 1.28.1
    • terraform version: 1.3.6
    • OS: Windows 10

    Example Code

    resource "time_static" "key_expiration" {}
    
    variable "daysToExpiration" {
      type        = number
      description = "Number of days to key expiration.  Set to 0 to not expire."
      default     = 365
      nullable    = false
    }
    
    resource "azurerm_key_vault_key" "key" {
      name            = "testKey" #var.name
      key_vault_id    = "vauleID" #var.keyVaultId
      key_type        = "RSA" #var.keyType
      key_size        = 2048 #var.keySize
      curve           = null #var.curve
      expiration_date = var.daysToExpiration == 0 ? null : timeadd(time_static.key_expiration.rfc3339, format("%dh", (var.daysToExpiration * 24))) # "2022-12-31T00:00:00.00Z"
    
      key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"] #var.keyOpts
    }
    

    Additional context The only way I've been able to get the test to pass is setting the expiration_date to a properly formatted RFC3339 date as a string. Removing the expiration_date attribute allows tfsec to complete the checks with the medium finding returned.

    bug azure needs-triage 
    opened by HoveringHalibut 0
  • chore(deps): bump actions/stale from 6 to 7

    chore(deps): bump actions/stale from 6 to 7

    Bumps actions/stale from 6 to 7.

    Release notes

    Sourced from actions/stale's releases.

    v7.0.0

    ⚠️ This version contains breaking changes ⚠️

    What's Changed

    Breaking Changes

    • In this release we prevent this action from managing the stale label on items included in exempt-issue-labels and exempt-pr-labels
    • We decided that this is outside of the scope of this action, and to be left up to the maintainer

    New Contributors

    Full Changelog: https://github.com/actions/stale/compare/v6...v7.0.0

    v6.0.1

    Update @​actions/core to 1.10.0 #839

    Full Changelog: https://github.com/actions/stale/compare/v6.0.0...v6.0.1

    Changelog

    Sourced from actions/stale's changelog.

    Changelog

    [7.0.0]

    :warning: Breaking change :warning:

    [6.0.1]

    Update @​actions/core to v1.10.0 (#839)

    [6.0.0]

    :warning: Breaking change :warning:

    Issues/PRs default close-issue-reason is now not_planned(#789)

    [5.1.0]

    Don't process stale issues right after they're marked stale [Add close-issue-reason option]#764#772 Various dependabot/dependency updates

    4.1.0 (2021-07-14)

    Features

    4.0.0 (2021-07-14)

    Features

    Bug Fixes

    • dry-run: forbid mutations in dry-run (#500) (f1017f3), closes #499
    • logs: coloured logs (#465) (5fbbfba)
    • operations: fail fast the current batch to respect the operations limit (#474) (5f6f311), closes #466
    • label comparison: make label comparison case insensitive #517, closes #516
    • filtering comments by actor could have strange behavior: "stale" comments are now detected based on if the message is the stale message not who made the comment(#519), fixes #441, #509, #518

    Breaking Changes

    ... (truncated)

    Commits
    • 6f05e42 draft release for v7.0.0 (#888)
    • eed91cb Update how stale handles exempt items (#874)
    • 10dc265 Merge pull request #880 from akv-platform/update-stale-repo
    • 9c1eb3f Update .md files and allign build-test.yml with the current test.yml
    • bc357bd Update .github/workflows/release-new-action-version.yml
    • 690ede5 Update .github/ISSUE_TEMPLATE/bug_report.md
    • afbcabf Merge branch 'main' into update-stale-repo
    • e364411 Update name of codeql.yml file
    • 627cef3 fix print outputs step (#859)
    • 975308f Merge pull request #876 from jongwooo/chore/use-cache-in-check-dist
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies github_actions 
    opened by dependabot[bot] 0
  • bug: invalid memory address or nil pointer dereference

    bug: invalid memory address or nil pointer dereference

    Describe the bug

    When I run tfsec on a terraform json file generated by CDKTF it throws the error: panic: runtime error: invalid memory address or nil pointer dereference

    The code in question is a cdktf version of this terraform azure hub and spoke tutorial all in one cdktf stack: https://learn.microsoft.com/en-us/azure/developer/terraform/hub-spoke-introduction

    To Reproduce Steps to reproduce the behavior:

    1. clone this repo: https://github.com/JasonCubic/cdktf-az-hub-spoke-demo
    2. do an npm install
    3. run a cdktf synth
    4. run tfsec on the folder ./cdktf.out/stacks/single-sub-hub-and-spoke
    5. tfsec ./cdktf.out/stacks/single-sub-hub-and-spoke

    Expected behavior

    it should complete without the "invalid memory address or nil pointer dereference" error.

    Similar to what happens when you run tfsec on this stack from the project: tfsec ./cdktf.out/stacks/cdktf-demo

    Output of your tfsec command with --debug flag

    docker run --rm -it -v "./cdktf.out/stacks/single-sub-hub-and-spoke:/src" docker.io/aquasec/tfsec /src --debug
    
    45:13.531918491 system.info                      APP       tfsec
    45:13.531942394 system.info                      VERSION   v1.28.1
    45:13.531943664 system.info                      OS        linux
    45:13.531944549 system.info                      ARCH      amd64
    45:13.531945419 system.info                      KERNEL    Linux version 5.10.102.1-microsoft-standard-WSL2 ([email protected]) (x86_64-msft-linux-gcc (GCC) 9.3.0, GNU ld (GNU Binutils) 2.34.0.20200220) #1 SMP Wed Mar 2 00:30:59 UTC 2022
    45:13.531947053 system.info                      TERM      xterm
    45:13.531991349 system.info                      SHELL
    45:13.531992645 system.info                      GOVERSION go1.18.7
    45:13.531993839 system.info                      GOROOT    /opt/hostedtoolcache/go/1.18.7/x64
    45:13.531995310 system.info                      CGO       false
    45:13.531996621 system.info                      CPUCOUNT  20
    45:13.531997617 system.info                      MAXPROCS  20
    45:13.531998502 system.info                      WORKDIR   /
    45:13.531999727 system.info                      UID       1000
    45:13.532000813 system.info                      EUID      1000
    45:13.532001625 system.info                      DOCKER    false
    45:13.532002452 system.info                      CI        false
    45:13.532003666 system.info                      HOSTNAME  7abdb71e8777
    45:13.532004540 system.info                      TEMP      /tmp
    45:13.532005481 system.info                      PATHSEP   /
    45:13.532006689 system.info                      CMD       tfsec /src --debug
    45:13.532009930 cmd                              Command args=[]string{"/src"}
    45:13.532504257 cmd                              Determined path dir=/src
    45:13.534187402 cmd                              Determined path root=/
    45:13.534200865 cmd                              Determined path rel=src
    45:13.534712748 terraform.scanner                Scanning [&{/ /}] at 'src'...
    45:13.537919886 terraform.scanner.rego           Loaded 3 embedded libraries.
    45:13.551682985 terraform.scanner.rego           Loaded 119 embedded policies.
    45:13.639715768 terraform.scanner                Scanning root module 'src'...
    45:13.639746343 terraform.parser.<root>          Setting project/module root to 'src'
    45:13.639757734 terraform.parser.<root>          Parsing FS from 'src'
    45:13.641258901 terraform.parser.<root>          Parsing 'src/cdk.tf.json'...
    45:13.644685182 terraform.parser.<root>          Added file src/cdk.tf.json.
    45:13.644883643 terraform.parser.<root>          Evaluating module...
    45:13.646031606 terraform.parser.<root>          Read 61 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
    45:13.646046456 terraform.parser.<root>          Added 0 variables from tfvars.
    45:13.646177634 terraform.parser.<root>          Error loading module metadata: open //src/.terraform/modules/modules.json: no such file or directory.
    45:13.646196961 terraform.parser.<root>          Working directory for module evaluation is '/'
    45:13.646357462 terraform.parser.<root>.evaluator Filesystem key is 'f9088d3ed2db9899500f703a07bb505300c2b5cbc122ac4365ca04af35422e64'
    45:13.646385940 terraform.parser.<root>.evaluator Starting module evaluation...
    45:13.652134397 terraform.parser.<root>.evaluator Starting submodule evaluation...
    45:13.652151822 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
    45:13.652153722 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
    45:13.655720895 terraform.parser.<root>.evaluator Module evaluation complete.
    45:13.655746576 terraform.parser.<root>          Finished parsing module 'root'.
    45:13.655787004 terraform.parser.<root>.evaluator Added module output hub-and-spoke-topology_mock-on-prem_public_ip_address_8012E98C=cty.NilVal.
    45:13.655797372 terraform.executor               Adapting modules...
    panic: runtime error: invalid memory address or nil pointer dereference
    [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x82bf23]
    
    goroutine 1 [running]:
    github.com/aquasecurity/defsec/pkg/terraform.(*Block).GetMetadata(...)
            /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/terraform/block.go:135
    github.com/aquasecurity/defsec/pkg/terraform.(*Attribute).AsBoolValueOrDefault(0x0?, 0x0?, 0x0?)
            /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/terraform/attribute.go:129 +0x3c3
    github.com/aquasecurity/defsec/internal/adapters/terraform/azure/compute.adaptLinuxVM(_)
            /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/internal/adapters/terraform/azure/compute/adapt.go:93 +0x568
    github.com/aquasecurity/defsec/internal/adapters/terraform/azure/compute.adaptCompute({0xc0001349b0, 0x1, 0x1?})
            /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/internal/adapters/terraform/azure/compute/adapt.go:33 +0xcc9
    github.com/aquasecurity/defsec/internal/adapters/terraform/azure/compute.Adapt(...)
            /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/internal/adapters/terraform/azure/compute/adapt.go:14
    github.com/aquasecurity/defsec/internal/adapters/terraform/azure.Adapt({_, _, _})
            /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/internal/adapters/terraform/azure/adapt.go:25 +0x12a
    github.com/aquasecurity/defsec/internal/adapters/terraform.Adapt({0xc0001349b0, 0x1, 0x1})
            /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/internal/adapters/terraform/adapt.go:20 +0x7e
    github.com/aquasecurity/defsec/pkg/scanners/terraform/executor.(*Executor).Execute(0xc000479a00, {0xc0001349b0?, 0x1, 0x1})
            /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/scanners/terraform/executor/executor.go:96 +0x11a
    github.com/aquasecurity/defsec/pkg/scanners/terraform.(*Scanner).ScanFSWithMetrics(0xc0002445a0, {0x1de3e98, 0xc00013c028}, {0x7f0b2d62b940?, 0xc000ba93a0?}, {0x7ffe26a4ef58, 0x3})
            /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/scanners/terraform/scanner.go:216 +0x77a
    github.com/aquasecurity/tfsec/internal/app/tfsec/cmd.Root.func1(0xc000e4c900, {0xc000ba9300, 0x1, 0x2})
            /home/runner/work/tfsec/tfsec/internal/app/tfsec/cmd/root.go:83 +0x633
    github.com/spf13/cobra.(*Command).execute(0xc000e4c900, {0xc000120160, 0x2, 0x2})
            /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:916 +0x862
    github.com/spf13/cobra.(*Command).ExecuteC(0xc000e4c900)
            /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1040 +0x3b4
    github.com/spf13/cobra.(*Command).Execute(...)
            /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:968
    main.main()
            /home/runner/work/tfsec/tfsec/cmd/tfsec/main.go:12 +0x25
    

    Note: based on the error message I thought it might be the output I have in the code. But when I removed it as a test the memory address error still happened.

    System Info

    • tfsec version: v1.28.1
    • terraform version: v1.3.6
    • OS: Win11 22H2

    Note: I ran tfsec in windows and docker and received the same error.

    Example Code

    I have the repo here: https://github.com/JasonCubic/cdktf-az-hub-spoke-demo I was unable to do scope isolation beyond the stack "single-sub-hub-and-spoke" where the error occurs.

    Additional context

    I did deploy this terraform stack to azure successfully (and took it down since). It has linux VM's on the internet with public IP's that accept ssh using a username and password. I was expecting to see several flagged items from tfsec.

    bug azure needs-triage 
    opened by JasonCubic 0
  • chore(deps): bump goreleaser/goreleaser-action from 3 to 4

    chore(deps): bump goreleaser/goreleaser-action from 3 to 4

    Bumps goreleaser/goreleaser-action from 3 to 4.

    Release notes

    Sourced from goreleaser/goreleaser-action's releases.

    v4.0.0

    What's Changed

    Full Changelog: https://github.com/goreleaser/goreleaser-action/compare/v3...v4.0.0

    v3.2.0

    What's Changed

    • chore: remove workaround for setOutput by @​crazy-max (#374)
    • chore(deps): bump @​actions/core from 1.9.1 to 1.10.0 (#372)
    • chore(deps): bump yargs from 17.5.1 to 17.6.0 (#373)

    Full Changelog: https://github.com/goreleaser/goreleaser-action/compare/v3.1.0...v3.2.0

    v3.1.0

    What's Changed

    • fix: dist resolution from config file by @​crazy-max (#369)
    • ci: fix workflow by @​crazy-max (#357)
    • docs: bump actions to latest major by @​crazy-max (#356)
    • chore(deps): bump crazy-max/ghaction-import-gpg from 4 to 5 (#360)
    • chore(deps): bump ghaction-import-gpg to v5 (#359)
    • chore(deps): bump @​actions/core from 1.6.0 to 1.8.2 (#358)
    • chore(deps): bump @​actions/core from 1.8.2 to 1.9.1 (#367)

    Full Changelog: https://github.com/goreleaser/goreleaser-action/compare/v3.0.0...v3.1.0

    Commits
    • 8f67e59 chore: regenerate
    • 78df308 chore(deps): bump minimatch from 3.0.4 to 3.1.2 (#383)
    • 66134d9 Merge remote-tracking branch 'origin/master' into flarco/master
    • 3c08cfd chore(deps): bump yargs from 17.6.0 to 17.6.2
    • 5dc579b docs: add example when using workdir along with upload-artifact (#366)
    • 3b7d1ba feat!: remove auto-snapshot on dirty tag (#382)
    • 23e0ed5 fix: do not override GORELEASER_CURRENT_TAG (#370)
    • 1315dab update build
    • b60ea88 improve install
    • 4d25ab4 Update goreleaser.ts
    • See full diff in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies github_actions 
    opened by dependabot[bot] 0
  • Set github stale bot message

    Set github stale bot message "days" to its config

    what

    • Set github stale bot message "days" to its config

    why

    • It's confusing when the message says that the stale bot will close the issue/pr in X number of days and that X number of days is not the same as the days configured in the bot itself. This change should set the numbers to be the same.

    references

    • https://github.com/aquasecurity/tfsec/issues/1943
    opened by nitrocode 1
  • bug:

    bug:

    Describe the bug TFSec reports that IAM policy document uses sensitive action on wildcarded resource for actions that cannot be restricted to a specific ARN:

    • logs:ListLogDeliveries
    • logs:CreateLogDelivery
    • logs:GetLogDelivery
    • logs:GetLogDelivery
    • logs:UpdateLogDelivery
    • logs:DeleteLogDelivery

    To Reproduce Steps to reproduce the behavior:

    1. Create a policy like this including actions such as logs:CreateLogDelivery on a wildcarded resource (for full code see Example Code below)
    2. Run tfsec
    3. The following issue is detected: Result #1 HIGH IAM policy document uses sensitive action 'logs:ListLogDeliveries' on wildcarded resource '*'

    Expected behavior tfsec shouldn't report on these since they can only be used with wildcard resources. We contacted AWS support to confirm, and they also linked the relevant documentation page: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html#amazoncloudwatchlogs-actions-as-permissions

    Quote from this page: The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement.

    This is indeed the case for each of the actions reported above.

    Output of your tfsec command with --debug flag N/A

    System Info

    • tfsec version: v1.28.1
    • terraform version: v1.3.6
    • OS: Manjaro Linux

    Example Code

    data "aws_iam_policy_document" "test" {
      statement {
        actions = [
          "logs:ListLogDeliveries",
          "logs:CreateLogDelivery",
          "logs:GetLogDelivery",
          "logs:UpdateLogDelivery",
          "logs:DeleteLogDelivery",
        ]
        resources = [
          "*"
        ]
      }
    }
    
    resource "aws_iam_policy" "test" {
      name = "test"
      policy = data.aws_iam_policy_document.test.json
    }
    
    bug aws needs-triage 
    opened by aureliomarcoag 0
Releases(v1.28.1)
Owner
tfsec
tfsec
GoKart - Go Security Static Analysis

GoKart is a static analysis tool for Go that finds vulnerabilities using the SSA (single static assignment) form of Go source code.

Praetorian 2.1k Jan 1, 2023
Catalyst is an incident response platform / SOAR (Security Orchestration, Automation and Response) system.

Catalyst Speed up your reactions Website - The Catalyst Handbook (Documentation) - Try online (user: bob, password: bob) Catalyst is an incident respo

Security Brewery 143 Jan 6, 2023
The most opinionated Go source code linter for code audit.

go-critic Highly extensible Go source code linter providing checks currently missing from other linters. There is never too much static code analysis.

null 1.5k Jan 6, 2023
🐢 Automated code review tool integrated with any code analysis tools regardless of programming language

reviewdog - A code review dog who keeps your codebase healthy. reviewdog provides a way to post review comments to code hosting service, such as GitHu

reviewdog 5.9k Jan 2, 2023
A Golang tool that does static analysis, unit testing, code review and generate code quality report.

goreporter A Golang tool that does static analysis, unit testing, code review and generate code quality report. This is a tool that concurrently runs

360 Enterprise Security Group, Endpoint Security, inc. 3k Jan 8, 2023
Sloc, Cloc and Code: scc is a very fast accurate code counter with complexity calculations and COCOMO estimates written in pure Go

Sloc Cloc and Code (scc) A tool similar to cloc, sloccount and tokei. For counting physical the lines of code, blank lines, comment lines, and physica

Ben Boyter 4.1k Jan 4, 2023
🐢 Automated code review tool integrated with any code analysis tools regardless of programming language

reviewdog - A code review dog who keeps your codebase healthy. reviewdog provides a way to post review comments to code hosting service, such as GitHu

reviewdog 5.9k Jan 7, 2023
Tool to populate your code with traceable and secure error codes

Essential part of any project, especially customer facing is proper and secure error handling. When error happens and customer reports it, it would be nice to know the context of the error and where it exactly occured.

vs 51 Sep 28, 2022
Know when GC runs from inside your golang code

gcnotifier gcnotifier provides a way to receive notifications after every run of the garbage collector (GC). Knowing when GC runs is useful to instruc

Carlo Alberto Ferraris 173 Dec 26, 2022
Detect non-inclusive language in your source code.

Detect non-inclusive language in your source code. I stay woke - Erykah Badu Creating an inclusive work environment is imperative to a healthy, suppor

woke 361 Dec 25, 2022
Manage your repository's TODOs, tickets and checklists as config in your codebase.

tickgit ??️ tickgit is a tool to help you manage latent work in a codebase. Use the tickgit command to view pending tasks, progress reports, completio

Augmentable 292 Dec 30, 2022
a tool for code clone detection

dupl dupl is a tool written in Go for finding code clones. So far it can find clones only in the Go source files. The method uses suffix tree for seri

Michal BohuslΓ‘vek 302 Dec 12, 2022
[mirror] This is a linter for Go source code.

Golint is a linter for Go source code. Installation Golint requires a supported release of Go. go get -u golang.org/x/lint/golint To find out where g

Go 4k Dec 23, 2022
Run linters from Go code -

Lint - run linters from Go Lint makes it easy to run linters from Go code. This allows lint checks to be part of a regular go build + go test workflow

Surul Software Labs GmbH 67 Sep 27, 2022
depth is tool to retrieve and visualize Go source code dependency trees.

depth is tool to retrieve and visualize Go source code dependency trees. Install Download the appropriate binary for your platform from the Rele

Kyle Banks 810 Dec 30, 2022
A reference for the Go community that covers the fundamentals of writing clean code and discusses concrete refactoring examples specific to Go.

A reference for the Go community that covers the fundamentals of writing clean code and discusses concrete refactoring examples specific to Go.

Lasse Martin Jakobsen 2.5k Jan 1, 2023
A static code analyzer for annotated TODO comments

todocheck todocheck is a static code analyzer for annotated TODO comments. It let's you create actionable TODOs by annotating them with issues from an

Preslav Mihaylov 394 Dec 7, 2022
A little fast cloc(Count Lines Of Code)

gocloc A little fast cloc(Count Lines Of Code), written in Go. Inspired by tokei. Installation $ go get -u github.com/hhatto/gocloc/cmd/gocloc Usage

Hideo Hattori 635 Jan 6, 2023
a Go code to detect leaks in JS files via regex patterns

a Go code to detect leaks in JS files via regex patterns

JoΓ£o Teles 113 Nov 13, 2022