How to Add tflint, tfsec, checkov, and trivy Gates in CI
tflint catches provider-specific mistakes while tfsec, checkov, and trivy scan HCL for insecure configuration, all as a fast gate before plan.
Run tflint for linting and one config scanner (tfsec, checkov, or trivy in config mode) to flag insecure defaults such as open security groups or unencrypted storage. Fail the PR on findings you have not baselined.
Steps
- Install and run
tflint --recursiveaftertflint --init. - Run a scanner such as
checkov -d .ortrivy config .. - Fail the job on new findings; baseline accepted ones.
Workflow
.github/workflows/ci.yml
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: terraform-linters/setup-tflint@v4
- run: tflint --init && tflint --recursive
- uses: aquasecurity/tfsec-action@v1.0.0
- uses: aquasecurity/trivy-action@0.24.0
with:
scan-type: config
scan-ref: .Gotchas
- checkov and trivy scan HCL and cannot see runtime values, so suppress false positives with inline skips.
- Pin scanner versions; a newer ruleset can suddenly fail a PR that did not change.
Related guides
How to Run terraform fmt and validate in CIGate every Terraform pull request on formatting and validity by running terraform fmt -check -recursive and t…
How to Generate terraform-docs in CIKeep module READMEs current by running terraform-docs in GitHub Actions to inject an inputs and outputs table…