How to Run Automated Compliance Checks With tfsec and CIS
tfsec plus a CIS benchmark scan catch insecure infrastructure and host settings automatically, so misconfigurations fail the pipeline.
Automated benchmark checks reduce manual audit effort. This page runs tfsec against Terraform and a CIS benchmark scan (kube-bench style) against a cluster config. It is educational; map findings to your applicable benchmark profile.
Steps
- Run tfsec over the Terraform to catch insecure IaC.
- Run a CIS benchmark scan against the target (host or cluster).
- Fail the job on findings above your threshold and upload the report.
tfsec and report upload
.github/workflows/ci.yml
jobs:
iac-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: aquasecurity/tfsec-action@v1.0.3
with:
additional_args: --minimum-severity HIGH --format sarif --out tfsec.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: tfsec.sarifCIS benchmark scan
Terminal
- name: CIS Kubernetes benchmark
run: |
kube-bench run --targets master,node --json > cis.json
jq -e '[.Controls[].tests[].results[] | select(.status=="FAIL")] | length == 0' cis.json \
|| { echo "CIS benchmark failures present"; exit 1; }Notes
- SARIF upload surfaces findings in the Security tab and keeps them as evidence.
- Scope the benchmark to the profile that matches your environment to avoid noise.
Related guides
How to Add Policy as Code Gates With OPA and ConftestGate CI on policy as code using Open Policy Agent and conftest, failing the build when Terraform or Kubernete…
How to Add Vulnerability Gates to CIFail a GitHub Actions build on high or critical vulnerabilities with Trivy, a common SOC 2 and PCI expectatio…
How to Document a Pipeline as a Control MappingDocument your CI/CD pipeline as a control mapping in the repo, linking each control to the workflow step and…