Skip to content
Latchkey

How to Run Automated Compliance Checks With tfsec and CIS

tfsec plus a CIS benchmark scan catch insecure infrastructure and host settings automatically, so misconfigurations fail the pipeline.

Automated benchmark checks reduce manual audit effort. This page runs tfsec against Terraform and a CIS benchmark scan (kube-bench style) against a cluster config. It is educational; map findings to your applicable benchmark profile.

Steps

  • Run tfsec over the Terraform to catch insecure IaC.
  • Run a CIS benchmark scan against the target (host or cluster).
  • Fail the job on findings above your threshold and upload the report.

tfsec and report upload

.github/workflows/ci.yml
jobs:
  iac-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/tfsec-action@v1.0.3
        with:
          additional_args: --minimum-severity HIGH --format sarif --out tfsec.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: tfsec.sarif

CIS benchmark scan

Terminal
- name: CIS Kubernetes benchmark
  run: |
    kube-bench run --targets master,node --json > cis.json
    jq -e '[.Controls[].tests[].results[] | select(.status=="FAIL")] | length == 0' cis.json \
      || { echo "CIS benchmark failures present"; exit 1; }

Notes

  • SARIF upload surfaces findings in the Security tab and keeps them as evidence.
  • Scope the benchmark to the profile that matches your environment to avoid noise.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →