Skip to content
Latchkey

Adding tfsec to GitHub Actions

Run tfsec on your Terraform in CI to catch insecure configurations early.

tfsec is a focused Terraform static analyzer (now part of the Trivy project). The aquasecurity/tfsec-action and tfsec-pr-commenter variants run it in CI, fail on findings, and can annotate the PR. It is lighter than full IaC suites when you only have Terraform.

What you need

  • Terraform code in the repo.
  • The aquasecurity/tfsec-action (or tfsec-sarif-action for SARIF).
  • security-events: write if uploading SARIF.

The workflow

Run tfsec and emit SARIF for code scanning.

.github/workflows/ci.yml
- uses: aquasecurity/tfsec-sarif-action@v0.1.4
  with:
    sarif_file: tfsec.sarif

- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: tfsec.sarif

Common gotchas

  • tfsec is being merged into Trivy; for new setups consider Trivy config scanning instead.
  • Suppress findings with #tfsec:ignore comments, not by disabling the whole rule.
  • It scans static HCL, so issues only present at plan time can slip through.

Key takeaways

  • tfsec is a focused Terraform static analyzer.
  • Use SARIF output to surface findings in code scanning.
  • Suppress with inline #tfsec:ignore comments where justified.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →