Skip to content
Latchkey

How to Add tflint, tfsec, checkov, and trivy Gates in CI

tflint catches provider-specific mistakes while tfsec, checkov, and trivy scan HCL for insecure configuration, all as a fast gate before plan.

Run tflint for linting and one config scanner (tfsec, checkov, or trivy in config mode) to flag insecure defaults such as open security groups or unencrypted storage. Fail the PR on findings you have not baselined.

Steps

  • Install and run tflint --recursive after tflint --init.
  • Run a scanner such as checkov -d . or trivy config ..
  • Fail the job on new findings; baseline accepted ones.

Workflow

.github/workflows/ci.yml
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: terraform-linters/setup-tflint@v4
      - run: tflint --init && tflint --recursive
      - uses: aquasecurity/tfsec-action@v1.0.0
      - uses: aquasecurity/trivy-action@0.24.0
        with:
          scan-type: config
          scan-ref: .

Gotchas

  • checkov and trivy scan HCL and cannot see runtime values, so suppress false positives with inline skips.
  • Pin scanner versions; a newer ruleset can suddenly fail a PR that did not change.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →