Adding tfsec to GitHub Actions
Run tfsec on your Terraform in CI to catch insecure configurations early.
tfsec is a focused Terraform static analyzer (now part of the Trivy project). The aquasecurity/tfsec-action and tfsec-pr-commenter variants run it in CI, fail on findings, and can annotate the PR. It is lighter than full IaC suites when you only have Terraform.
What you need
- Terraform code in the repo.
- The aquasecurity/tfsec-action (or tfsec-sarif-action for SARIF).
- security-events: write if uploading SARIF.
The workflow
Run tfsec and emit SARIF for code scanning.
.github/workflows/ci.yml
- uses: aquasecurity/tfsec-sarif-action@v0.1.4
with:
sarif_file: tfsec.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: tfsec.sarifCommon gotchas
- tfsec is being merged into Trivy; for new setups consider Trivy config scanning instead.
- Suppress findings with #tfsec:ignore comments, not by disabling the whole rule.
- It scans static HCL, so issues only present at plan time can slip through.
Key takeaways
- tfsec is a focused Terraform static analyzer.
- Use SARIF output to surface findings in code scanning.
- Suppress with inline #tfsec:ignore comments where justified.
Related guides
Adding Checkov IaC Scanning to GitHub ActionsScan Terraform, CloudFormation, and Kubernetes manifests with Checkov in GitHub Actions, emit SARIF, and fail…
Adding Trivy Container Scanning to GitHub ActionsScan container images for vulnerabilities with Trivy in GitHub Actions, fail on critical CVEs, and upload SAR…
Adding Snyk to GitHub ActionsScan dependencies for vulnerabilities with Snyk in GitHub Actions, set a severity threshold, and upload SARIF…