tfsec
DEPRECATED
Category: IaC Security
License: Free (Open-Source, MIT)
Suphi Cankurt
+8 Years in AppSec
Updated February 12, 2026
5 min read
Key Takeaways
  • Deprecated: fully merged into Trivy by Aqua Security. All tfsec checks (1,000+ for AWS, Azure, GCP) are now available in Trivy’s misconfiguration scanner.
  • Had 5.7k GitHub stars as one of the most popular Terraform-specific security scanners before the merger.
  • Migration is straightforward: replace ’tfsec .’ with ’trivy config .’; all check IDs (like AVD-AWS-0086) work unchanged in Trivy.
  • Trivy adds container scanning, secrets detection, and broader IaC format support (CloudFormation, Kubernetes, Helm) in the same tool.

tfsec was a static analysis security scanner for Terraform code. It detected misconfigurations in AWS, Azure, GCP, and other cloud provider resources before infrastructure deployment.

The project was acquired by Aqua Security and fully merged into Trivy in 2023.

All tfsec functionality is now available in Trivy’s misconfiguration scanner.

What tfsec did

tfsec scanned Terraform files for security issues like unencrypted storage, overly permissive security groups, missing logging, and exposed secrets. The scanner ran locally, in CI/CD pipelines, and as a pre-commit hook.

Written in Go, it shipped as a single binary with no dependencies. Point it at Terraform code, get a list of findings with severity ratings and remediation guidance.

Cloud Coverage
Checked AWS, Azure, GCP, Oracle Cloud, and DigitalOcean resources. 1000+ built-in checks covering common misconfigurations across cloud providers.
Fast Scans
Analyzed Terraform code in seconds without requiring terraform init or external API calls. Worked on static files only.
Custom Checks
Supported custom security policies written in Rego (OPA policy language). Teams added organization-specific rules beyond the default check set.

Why tfsec was merged into Trivy

Aqua Security acquired tfsec in 2021 and integrated the Terraform scanning engine into Trivy. This gave Trivy users Terraform security scanning alongside container vulnerability detection, Kubernetes cluster scanning, and secret detection in one tool.

The merger eliminated the need to maintain separate tools for different security scanning tasks. tfsec users gained access to Trivy’s broader ecosystem, CI/CD integrations, and container image scanning capabilities.

tfsec is deprecated

The tfsec repository still exists but receives no updates. All development happens in Trivy.

If you currently use tfsec, migrate to Trivy by running trivy config instead of tfsec. All check IDs and exit codes remain compatible.

Migration to Trivy

Trivy includes all tfsec checks with identical check IDs. Replace tfsec commands with trivy config for drop-in compatibility.

Before (tfsec):

tfsec .

After (Trivy):

trivy config .

Check IDs like AVD-AWS-0086 work unchanged. Severity filtering, JSON output, and custom check support transfer directly to Trivy.

1. Install Trivy: use Homebrew (brew install trivy), apt (sudo apt-get install trivy), or download the binary from GitHub releases.
2. Replace tfsec commands: change tfsec to trivy config in scripts and CI/CD pipelines. Add --scanners misconfig if you want only IaC checks without vulnerability scanning.
3. Update custom checks: move custom Rego policies to Trivy’s policy directory. The policy format remains the same.
4. Test the migration: run trivy config on your Terraform code to verify findings match previous tfsec results.

Check ID compatibility

The tfsec to Trivy migration is mechanical because Aqua Security kept the check identifiers stable. A .tfsec.yml exclusion list referencing AVD-AWS-0086 translates verbatim to a .trivyignore line, with no rule reauthoring required.

The namespace prefixes (AVD-AWS-*, AVD-AZU-*, AVD-GCP-*) carry over for AWS, Azure, and GCP. Severity assignments (CRITICAL/HIGH/MEDIUM/LOW) match what tfsec emitted, and the JSON output schema for trivy config --format json mirrors tfsec --format json closely enough that downstream parsers usually keep working with one or two field renames.
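Step 4 of the migration ("verify findings match") and the JSON-schema remark above both come down to the same task: reading the two output formats into one shape and diffing them. The script below is an added example written for this page, not code from the tfsec or Trivy projects. It assumes tfsec's JSON carries results[].rule_id, severity and location.{filename,start_line} (with filename often absolute), and that trivy config --format json carries Results[].Target plus Results[].Misconfigurations[].{AVDID,ID,Severity,Status,CauseMetadata.StartLine}; confirm those keys against your own output before trusting the diff. The sample documents embedded at the bottom are constructed; AVD-AWS-0086 is the check ID quoted on this page and the AVD-AWS-99xx IDs are placeholders.

```python
"""Normalise tfsec JSON and `trivy config --format json` into one shape and
diff them. Added example for this page (not tfsec's or Trivy's own code);
the field names below are assumptions about the two schemas."""
import json
import os
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Finding:
    check_id: str
    severity: str
    filename: str
    start_line: int


def _relative(path: str, root: str) -> str:
    """tfsec tends to print absolute paths while Trivy prints paths relative
    to the scanned directory; bring both to the same relative form."""
    if os.path.isabs(path):
        return os.path.relpath(path, root)
    return os.path.normpath(path)


def normalize_tfsec(doc: dict, root: str = ".") -> set[Finding]:
    findings = set()
    for r in doc.get("results") or []:
        loc = r.get("location", {})
        findings.add(Finding(
            check_id=r["rule_id"],
            severity=r["severity"].upper(),
            filename=_relative(loc.get("filename", ""), root),
            start_line=int(loc.get("start_line", 0)),
        ))
    return findings


def normalize_trivy(doc: dict, root: str = ".") -> set[Finding]:
    findings = set()
    for result in doc.get("Results") or []:
        target = _relative(result.get("Target", ""), root)
        for m in result.get("Misconfigurations") or []:
            # Trivy can list passing checks too; only failures are findings.
            if m.get("Status", "FAIL") != "FAIL":
                continue
            cause = m.get("CauseMetadata", {})
            findings.add(Finding(
                check_id=m.get("AVDID") or m["ID"],
                severity=m["Severity"].upper(),
                filename=target,
                start_line=int(cause.get("StartLine", 0)),
            ))
    return findings


def compare(tfsec_doc: dict, trivy_doc: dict, root: str = ".") -> dict:
    """Findings seen by both scanners, and those reported by only one."""
    before = normalize_tfsec(tfsec_doc, root)
    after = normalize_trivy(trivy_doc, root)
    return {
        "common": sorted(before & after),
        "only_tfsec": sorted(before - after),
        "only_trivy": sorted(after - before),
    }


def exit_code_for(findings: set[Finding], fail_on: set[str]) -> int:
    """Mirror `--severity HIGH,CRITICAL --exit-code 1`: 1 if any finding
    is in the gated severities, else 0."""
    return 1 if any(f.severity in fail_on for f in findings) else 0


def compare_files(tfsec_json: str, trivy_json: str, root: str = ".") -> dict:
    with open(tfsec_json) as a, open(trivy_json) as b:
        return compare(json.load(a), json.load(b), root)


# Constructed sample documents (not real scanner output). AVD-AWS-0086 is the
# check ID quoted on the page; the AVD-AWS-99xx IDs are placeholders.
TFSEC_SAMPLE = {"results": [
    {"rule_id": "AVD-AWS-0086", "severity": "HIGH",
     "location": {"filename": "/work/infra/main.tf", "start_line": 12}},
    {"rule_id": "AVD-AWS-9999", "severity": "LOW",
     "location": {"filename": "/work/infra/main.tf", "start_line": 12}},
]}
TRIVY_SAMPLE = {"Results": [{"Target": "main.tf", "Misconfigurations": [
    {"ID": "AVD-AWS-0086", "AVDID": "AVD-AWS-0086", "Severity": "HIGH",
     "Status": "FAIL", "CauseMetadata": {"StartLine": 12}},
    {"ID": "AVD-AWS-9998", "AVDID": "AVD-AWS-9998", "Severity": "MEDIUM",
     "Status": "FAIL", "CauseMetadata": {"StartLine": 30}},
    {"ID": "AVD-AWS-9997", "AVDID": "AVD-AWS-9997", "Severity": "LOW",
     "Status": "PASS", "CauseMetadata": {"StartLine": 40}},
]}]}

if __name__ == "__main__":
    report = compare(TFSEC_SAMPLE, TRIVY_SAMPLE, root="/work/infra")
    for bucket, items in report.items():
        print(bucket, [f"{f.check_id}@{f.filename}:{f.start_line}" for f in items])
```

Run it against real files with compare_files("tfsec.json", "trivy.json", root="/path/to/terraform") once, before you delete the tfsec job: an empty only_tfsec bucket is the evidence that the command swap lost nothing, and exit_code_for tells you whether the same severity gate would still break the build.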

CI/CD config swap

If you used the aquasecurity/tfsec-action GitHub Action, replace it with aquasecurity/trivy-action and switch the action input from tfsec mode to config mode. After the March 2026 supply chain incident, pin the action to a specific commit SHA rather than a mutable @v1 tag.

For GitLab CI and other runners, the swap is one line: change tfsec . to trivy config . in your job script. Keep the same --severity HIGH,CRITICAL and --exit-code 1 flags; the flag names match.

Custom Rego policies

Custom checks written for tfsec move to Trivy’s policy directory unchanged. The Rego entry point and the schema definitions are the same. Place your .rego files in a policies/ directory and pass --policy policies/ to trivy config.

Alternatives to tfsec

For Terraform security scanning, Trivy replaces tfsec with the same check library plus broader scanning capabilities.

Checkov offers more IaC policy checks across Terraform, CloudFormation, Kubernetes, and Ansible. KICS provides compliance framework mapping for CIS Benchmarks, PCI-DSS, and GDPR.

For commercial Terraform scanning with fix suggestions and developer guidance, Snyk IaC integrates into IDEs and pull requests.

For a broader view of Terraform security, see the cloud infrastructure security guide and the Terraform security scanning walkthrough. Browse other IaC security tools for additional options.

Should I still use tfsec in 2026?

No. Migrate to Trivy. The tfsec GitHub repository openly states “Tfsec is now part of Trivy,” the latest standalone tfsec release sits at v1.28.13 from late 2024, and no new checks have shipped to the standalone binary since the merger.

Critical fixes flow through Trivy, not tfsec.

For net-new Terraform pipelines, install Trivy and call trivy config . for the same checks, the same severity model, and broader coverage (CloudFormation, Helm, Dockerfile, ARM, Ansible) under one binary. For existing tfsec pipelines, the migration is a near-mechanical command swap that I walk through in the Migration to Trivy section above.

Keep using standalone tfsec only if a pipeline is in active wind-down and not worth touching. For anything you’d like to be running in twelve months, switch to Trivy now and avoid the eventual binary-not-maintained surprise.

What did tfsec do well

tfsec earned its 5,700 GitHub stars by being narrow, fast, and developer-friendly at a time when Terraform security tooling was either heavyweight enterprise (think Snyk IaC, Bridgecrew) or non-existent. Three things stood out:

  • Single-purpose focus. It scanned Terraform and only Terraform. The check library was tuned for HCL semantics rather than retrofitted from a broader IaC engine, which made findings precise and explanations on-target for Terraform authors.
  • Fast and offline. The static analyser ran in seconds, never called terraform init, never reached the cloud. It worked on a laptop, in a pre-commit hook, and in air-gapped CI runners with the same setup.
  • Custom checks via Rego. Long before custom-policy support was table stakes, tfsec let teams add organization-specific rules in OPA-compatible Rego, a pattern Trivy now inherits.

Those virtues are why the merger was a continuation rather than a replacement. The same maintainers, the same check IDs, more coverage, folded into Trivy.

Note: Merged into Trivy. All tfsec checks are now available in Trivy’s misconfiguration scanner. Users should migrate to Trivy for Terraform security scanning.

Frequently Asked Questions

What is tfsec?
tfsec was an open-source static analysis security scanner for Terraform code. It detected potential security misconfigurations in cloud infrastructure definitions before deployment. The project was acquired by Aqua Security and merged into Trivy in 2023.
Is tfsec still maintained?
No. tfsec development has stopped. Aqua Security merged all tfsec functionality into Trivy in 2024. The tfsec repository remains accessible for historical reference, but all engineering effort now focuses on Trivy. Users should migrate to Trivy for continued updates and support.
How do I migrate from tfsec to Trivy?
Install Trivy and replace tfsec commands with trivy config. All tfsec check IDs (like AVD-AWS-0086) work in Trivy without modification. Run trivy config on Terraform files to get the same checks tfsec provided. Trivy adds container scanning, secrets detection, and broader IaC format support in the same tool.