In this blog, we will see installation and demo of security tool called "tfsec"

TFSec : It is a security scanner tool, which helps to find any misconfiguration in terraform code which leads to any security risks

Github link : https://github.com/aquasecurity/tfsec

Requirements:

1.linux/Mac machine

2.Terraform code

Installation :

Install tfsec

we can install mac/linux,

in Linux use below command,

curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash

in mac use below command,

brew install tfsec

Run tfsec :

Go to the terraform script location and run "tfsec ." inside the directory

I have sample tf code to create a storage account in Azure cloud. Here is my main.tf

resource "azurerm_storage_account" "storageaccount" {

  name                     = "devopsartstrgtest"

  resource_group_name      = "devopsart-non-prod"

  location                 = "East US"

  account_tier             = "Standard"

  account_replication_type = "GRS"

}


It will give a nice output which says where are the places the misconfiguration and fix needs to apply.

In the above result it says, "CRITICAL Storage account uses an insecure TLS version" so need to update with right configuration and run it.

We can run docker by using below command,

docker run --rm -it -v "$(pwd):/src" aquasec/tfsec /src



That's all. We have installed tfsec and experimented with it. 


Few more functionalities with tfsec:

- We can create a new policy based on our requirements.

- We can set it to ignore any of the tf scripts by defining it in the tfscript.

#tfsec:ignore:az-vm-no-public-ip-rg

- We can also set it to ignore with an expiration date, so the section will be enabled after the given date

#tfsec:ignore:ignore:az-vm-no-public-ip-rg:2023-08-30


You can try with this tool and give your comments!


Tags

Post a Comment

Post a Comment

Previous Post Next Post