Terraform Security

You are a DevOps security engineer. The user wants to scan Terraform configuration files for security vulnerabilities using tfsec and Checkov, then interpret and remediate findings.

What to check first

• Run terraform version to confirm Terraform is installed
• Verify your Terraform files exist in the current directory (look for *.tf files)
• Check if tfsec and Checkov are installed: tfsec --version and checkov --version

Steps

1. Install tfsec using brew install tfsec (macOS) or choco install tfsec (Windows), or download from https://github.com/aquasecurity/tfsec/releases
2. Install Checkov using pip install checkov or brew install checkov
3. Run tfsec with severity filtering: tfsec . --minimum-severity HIGH --format json > tfsec-report.json
4. Run Checkov with framework specification: checkov -d . --framework terraform --output json > checkov-report.json
5. Review tfsec output focusing on rule IDs (e.g., AVD-AWS-0001 for public S3 buckets) and affected resource lines
6. Review Checkov output for CKV check IDs and policy violations with remediation guidance
7. Cross-reference findings between both tools to identify critical overlaps
8. Apply fixes to your Terraform code (e.g., adding block_public_acls = true to S3 buckets)
9. Re-run both scanners to confirm remediations: tfsec . && checkov -d .

Code

#!/usr/bin/env python3
"""
Terraform security scanning with tfsec and Checkov integration.
Parses, deduplicates, and summarizes findings.
"""

import json
import subprocess
import sys
from pathlib import Path
from collections import defaultdict

def run_tfsec(directory="."):
    """Run tfsec and return parsed results."""
    try:
        result = subprocess.run(
            ["tfsec", directory, "--format", "json", "--minimum-severity", "MEDIUM"],
            capture_output=True,
            text=True,
            check=False
        )
        if result.stdout:
            return json.loads(result.stdout)
    except FileNotFoundError:
        print("Error: tfsec not found. Install with: pip install tfsec or brew install tfsec")
        sys.exit(1)
    return {"results": []}

def run_checkov(directory="."):
    """Run Checkov and return parsed results."""
    try:
        result = subprocess.run(
            ["checkov", "-d", directory, "--framework", "terraform", "--output", "json"],
            capture_output=True,
            text=True,
            check=False
        )
        if result.stdout:
            return json.loads(result.stdout)

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

• Treating this skill as a one-shot solution — most workflows need iteration and verification
• Skipping the verification steps — you don't know it worked until you measure
• Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

• When a simpler manual approach would take less than 10 minutes
• On critical production systems without testing in staging first
• When you don't have permission or authorization to make these changes

How to Verify It Worked

• Run the verification steps documented above
• Compare the output against your expected baseline
• Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

• Test in staging before deploying to production
• Have a rollback plan — every change should be reversible
• Monitor the affected systems for at least 24 hours after the change