TFSec configuration

TFSec analyzes your terraform templates to spot potential security issues. It requires configuration via a tfsec.yml configuration file as detailed in TFSec's documentation.

By default, all types of issues are enabled. However, there are occasions where you want to suppress specific problems. You can add simple configuration file like in the example below to the root of your repository and Codeac automatically picks it up and apply to all further analyzes. We suggest to add your own configuration file into your repository root directory to be able to specify your quality standards.


    - GCP002
    - AWS025

Ignoring specific issue

If you'd like to ignore only specific issue, you can simply add a comment containing tfsec:ignore:RULE to the offending line in your templates. If the problem refers to a block of code, such as a multiline string, you can add the comment on the line above the block like in the examples below:

resource "aws_security_group_rule" "backend" {
    type = "ingress"
    cidr_blocks = [""] #tfsec:ignore:AWS006

resource "aws_security_group_rule" "api" {
    type = "ingress"
    cidr_blocks = [""]

You can also ignore multiple rules by concatenating tme with a space on a single line:

#tfsec:ignore:AWS017 tfsec:ignore:AWS002
resource "aws_s3_bucket" "backend" {
    bucket = "backend"
    acl    = "private"

Outdated SSL / TLS protocol Example

TLS 1.0 and 1.1 reached End of Life and were deprecated by several web browsers and cloud vendors. Using TLS 1.2 or newer is recommended for majority of applications. Codeac scans each change in your Infrastructure as Code repository and pinpoints potential security threads.

Terraform - Outdated SSL / TLS protocol Example