tfsec: Static analysis powered security scanner for your terraform code

tfsec

tfsec uses static analysis of your terraform templates to spot potential security issues. Now with terraform v0.12+ support.

Features

  • Checks for sensitive data inclusion across all providers
  • Checks for violations of AWS, Azure and GCP security best practice recommendations
  • Scans modules (currently only local modules are supported)
  • Evaluates expressions as well as literal values



Included Checks

Currently, checks are mostly limited to AWS/Azure/GCP resources, but there are also checks which are provider agnostic.

Code   | Provider | Description
-------|----------|------------------------------------------------------------------
GEN001 | *        | Potentially sensitive data stored in “default” value of variable.
GEN002 | *        | Potentially sensitive data stored in local value.
GEN003 | *        | Potentially sensitive data stored in block attribute.
AWS001 | aws      | S3 Bucket has an ACL defined which allows public access.
AWS002 | aws      | S3 Bucket does not have logging enabled.
AWS003 | aws      | AWS Classic resource usage.
AWS004 | aws      | Use of plain HTTP.
AWS005 | aws      | Load balancer is exposed to the internet.
AWS006 | aws      | An ingress security group rule allows traffic from /0.
AWS007 | aws      | An egress security group rule allows traffic to /0.
AWS008 | aws      | An inline ingress security group rule allows traffic from /0.
AWS009 | aws      | An inline egress security group rule allows traffic to /0.
AWS010 | aws      | An outdated SSL policy is in use by a load balancer.
AWS011 | aws      | A resource is marked as publicly accessible.
AWS012 | aws      | A resource has a public IP address.
AWS013 | aws      | Task definition defines sensitive environment variable(s).
AWS014 | aws      | Launch configuration with unencrypted block device.
AWS015 | aws      | Unencrypted SQS queue.
AWS016 | aws      | Unencrypted SNS topic.
AWS017 | aws      | Unencrypted S3 bucket.
AWS018 | aws      | Missing description for security group/security group rule.
AZU001 | azurerm  | An inbound network security rule allows traffic from /0.
AZU002 | azurerm  | An outbound network security rule allows traffic to /0.
AZU003 | azurerm  | Unencrypted managed disk.
AZU004 | azurerm  | Unencrypted data lake store.
AZU005 | azurerm  | Password authentication in use instead of SSH keys.
GCP001 | google   | Unencrypted compute disk.
GCP002 | google   | Unencrypted storage bucket.
GCP003 | google   | An inbound firewall rule allows traffic from /0.
GCP004 | google   | An outbound firewall rule allows traffic to /0.
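To make concrete what a check in the table above actually does, here is an added example, written for this page and not taken from tfsec's own source: a minimal Go scanner that implements two of the listed checks, GEN001 (sensitive data in a variable's default) and AWS006 (an ingress security group rule open to /0), and runs them over two constructed Terraform snippets, a weak configuration that trips both and a corrected one that passes. The brace-matching parser, the keyword list used to decide that a variable name looks sensitive, and the sample configurations are all assumptions made for this example; tfsec itself parses HCL properly and, per the feature list, evaluates expressions, so a /0 reached through a variable reference would be caught there but missed by this literal-only scanner.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding has the shape of a tfsec result: check code, offending block, message.
type Finding struct{ Code, Block, Message string }

// block is one top-level Terraform block: kind ("resource"/"variable"), labels, raw body.
type block struct {
	kind, body string
	labels     []string
}

var (
	headerRe = regexp.MustCompile(`(?m)^\s*(resource|variable)\s+((?:"[^"]*"\s*)+)\{`)
	// Assumed keyword list for sensitive variable names; tfsec's real list is not on the page.
	sensitiveRe = regexp.MustCompile(`(?i)password|passwd|secret|token|api_?key|private_?key`)
	defaultRe   = regexp.MustCompile(`(?m)^\s*default\s*=\s*"[^"]+"`)
	ingressRe   = regexp.MustCompile(`(?m)^\s*type\s*=\s*"ingress"`)
	cidrRe      = regexp.MustCompile(`(?m)^\s*(?:ipv6_)?cidr_blocks\s*=\s*\[([^\]]*)\]`)
)

// parseBlocks splits Terraform source into top-level blocks by brace matching. It is
// deliberately simplistic (no heredocs or escaped quotes); tfsec itself uses the HCL parser.
func parseBlocks(src string) (out []block) {
	for _, m := range headerRe.FindAllStringSubmatchIndex(src, -1) {
		labels := strings.Fields(strings.ReplaceAll(src[m[4]:m[5]], `"`, ""))
		rest := src[m[1]:] // everything after the opening brace
		depth, j := 1, 0
		for ; j < len(rest) && depth > 0; j++ {
			if rest[j] == '{' {
				depth++
			} else if rest[j] == '}' {
				depth--
			}
		}
		out = append(out, block{kind: src[m[2]:m[3]], labels: labels, body: strings.TrimSuffix(rest[:j], "}")})
	}
	return out
}

// GEN001: a variable whose name looks sensitive carries a literal string default.
func checkGEN001(b block) *Finding {
	if b.kind != "variable" || len(b.labels) < 1 || !sensitiveRe.MatchString(b.labels[0]) || !defaultRe.MatchString(b.body) {
		return nil
	}
	return &Finding{"GEN001", "variable." + b.labels[0], `Potentially sensitive data stored in "default" value of variable.`}
}

// AWS006: an aws_security_group_rule of type "ingress" lists a /0 CIDR (IPv4 or IPv6).
func checkAWS006(b block) *Finding {
	if b.kind != "resource" || len(b.labels) < 2 || b.labels[0] != "aws_security_group_rule" || !ingressRe.MatchString(b.body) {
		return nil
	}
	for _, m := range cidrRe.FindAllStringSubmatch(b.body, -1) {
		if strings.Contains(m[1], `"0.0.0.0/0"`) || strings.Contains(m[1], `"::/0"`) {
			return &Finding{"AWS006", "aws_security_group_rule." + b.labels[1], "An ingress security group rule allows traffic from /0."}
		}
	}
	return nil
}

// Scan runs every check over every block and collects findings in source order.
func Scan(src string) (out []Finding) {
	for _, b := range parseBlocks(src) {
		for _, check := range []func(block) *Finding{checkGEN001, checkAWS006} {
			if f := check(b); f != nil {
				out = append(out, *f)
			}
		}
	}
	return out
}

// Constructed sample input: weakConfig trips both checks, fixedConfig trips neither.
const weakConfig = `
variable "db_password" { default = "hunter2" }
resource "aws_security_group_rule" "ssh_in" {
  type        = "ingress"
  cidr_blocks = ["0.0.0.0/0"]
}`

const fixedConfig = `
variable "db_password" { type = string }
resource "aws_security_group_rule" "ssh_in" {
  type        = "ingress"
  cidr_blocks = ["10.0.0.0/8"]
}`

func main() {
	for _, f := range Scan(weakConfig) {
		fmt.Println(f.Code, f.Block, f.Message)
	}
}
```

The fix for each finding is visible in fixedConfig: the password variable keeps no default and is supplied at apply time, and the ingress rule is narrowed from 0.0.0.0/0 to the address range that actually needs access. Checks of this shape are cheap to run in CI on every commit, which is where a scanner like tfsec earns its keep.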

Install && Use

Copyright (c) 2019 Liam Galvin



The post tfsec: Static analysis powered security scanner for your terraform code appeared first on Penetration Testing.
