tfsec

DEPRECATED
Category: IaC Security
License: Free (Open-Source, MIT)
Suphi Cankurt
AppSec Enthusiast
Updated February 20, 2026

tfsec was a static analysis security scanner for Terraform code. It detected misconfigurations in AWS, Azure, GCP, and other cloud provider resources before infrastructure deployment. The project was acquired by Aqua Security and fully merged into Trivy in 2023.

All tfsec functionality is now available in Trivy’s misconfiguration scanner.

What tfsec did

tfsec scanned Terraform files for security issues like unencrypted storage, overly permissive security groups, missing logging, and exposed secrets. The scanner ran locally, in CI/CD pipelines, and as a pre-commit hook.

Written in Go, it shipped as a single binary with no dependencies. Point it at Terraform code, get a list of findings with severity ratings and remediation guidance.

Cloud Coverage
Checked AWS, Azure, GCP, Oracle Cloud, and DigitalOcean resources. 1000+ built-in checks covering common misconfigurations across cloud providers.
Fast Scans
Analyzed Terraform code in seconds without requiring terraform init or external API calls. Worked on static files only.
Custom Checks
Supported custom security policies written in Rego (OPA policy language). Teams added organization-specific rules beyond the default check set.

Why tfsec was merged into Trivy

Aqua Security acquired tfsec in 2021 and integrated the Terraform scanning engine into Trivy. This gave Trivy users Terraform security scanning alongside container vulnerability detection, Kubernetes cluster scanning, and secret detection in one tool.

The merger eliminated the need to maintain separate tools for different security scanning tasks. tfsec users gained access to Trivy’s broader ecosystem, CI/CD integrations, and container image scanning capabilities.

tfsec is deprecated
The tfsec repository still exists but receives no updates. All development happens in Trivy. If you currently use tfsec, migrate to Trivy by running trivy config instead of tfsec. All check IDs and exit codes remain compatible.

Migration to Trivy

Trivy includes all tfsec checks with identical check IDs. Replace tfsec commands with trivy config for drop-in compatibility.

Before (tfsec):

tfsec .

After (Trivy):

trivy config .

Check IDs like AVD-AWS-0086 work unchanged. Severity filtering, JSON output, and custom check support transfer directly to Trivy.

1. Install Trivy — Use Homebrew (brew install trivy), apt (sudo apt-get install trivy), or download the binary from GitHub releases.
2. Replace tfsec commands — Change tfsec to trivy config in scripts and CI/CD pipelines. Add --scanners misconfig if you want only IaC checks without vulnerability scanning.
3. Update custom checks — Move custom Rego policies to Trivy’s policy directory. The policy format remains the same.
4. Test the migration — Run trivy config on your Terraform code to verify findings match previous tfsec results.
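
One way to carry out the comparison in step 4, as an added example (not code from the original page or from the tfsec or Trivy projects): it diffs a tfsec JSON report against a Trivy JSON report by check ID and file. The JSON field names and the helper names are assumptions, the sample reports are constructed, and the AVD-EXAMPLE-* IDs are placeholders.

```python
import json
import os
from collections import Counter

# Constructed sample reports, not real scan output. Field names are the ones
# assumed for `tfsec --format json` and `trivy config --format json`; check
# them against the versions you run. AVD-EXAMPLE-* IDs are placeholders.
TFSEC_JSON = """{"results": [
  {"rule_id": "AVD-AWS-0086", "severity": "HIGH",
   "location": {"filename": "/repo/s3.tf", "start_line": 3, "end_line": 9}},
  {"rule_id": "AVD-EXAMPLE-0001", "severity": "CRITICAL",
   "location": {"filename": "/repo/sg.tf", "start_line": 12, "end_line": 12}}
]}"""
TRIVY_JSON = """{"Results": [
  {"Target": "s3.tf", "Class": "config", "Misconfigurations": [
    {"AVDID": "AVD-AWS-0086", "Severity": "HIGH", "Status": "FAIL"}]},
  {"Target": "sg.tf", "Class": "config", "Misconfigurations": [
    {"AVDID": "AVD-EXAMPLE-0002", "Severity": "LOW", "Status": "FAIL"}]}
]}"""


def tfsec_findings(doc):
    """Count findings per (check ID, file name) in a tfsec report."""
    # tfsec reports absolute paths and Trivy relative ones, so compare basenames.
    return Counter(
        (r["rule_id"], os.path.basename(r["location"]["filename"]))
        for r in doc.get("results") or []  # tolerate a null or absent list
    )


def trivy_findings(doc):
    """Count failed misconfigurations per (check ID, file name) in a Trivy report."""
    found = Counter()
    for result in doc.get("Results") or []:
        for m in result.get("Misconfigurations") or []:
            if m.get("Status", "FAIL") == "FAIL":
                check_id = m.get("AVDID") or m["ID"]
                found[(check_id, os.path.basename(result["Target"]))] += 1
    return found


def migration_diff(tfsec_doc, trivy_doc):
    """Findings that disappeared or appeared when switching scanners."""
    old, new = tfsec_findings(tfsec_doc), trivy_findings(trivy_doc)
    return {"missing_in_trivy": sorted((old - new).elements()),
            "new_in_trivy": sorted((new - old).elements())}


if __name__ == "__main__":
    print(json.dumps(migration_diff(json.loads(TFSEC_JSON), json.loads(TRIVY_JSON)), indent=2))
```

Any entry under missing_in_trivy is a check that no longer fires and deserves a look before the tfsec job is removed from CI.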

Alternatives to tfsec

For Terraform security scanning, Trivy replaces tfsec with the same check library plus broader scanning capabilities.

Checkov offers more IaC policy checks across Terraform, CloudFormation, Kubernetes, and Ansible. KICS provides compliance framework mapping for CIS Benchmarks, PCI-DSS, and GDPR.

For commercial Terraform scanning with fix suggestions and developer guidance, Snyk IaC integrates into IDEs and pull requests.

For a broader view of Terraform security, see our cloud infrastructure security guide. Browse other IaC security tools for additional options.

Note: Merged into Trivy. All tfsec checks are now available in Trivy's misconfiguration scanner. Users should migrate to Trivy for Terraform security scanning.

Frequently Asked Questions

What is tfsec?
tfsec was an open-source static analysis security scanner for Terraform code. It detected potential security misconfigurations in cloud infrastructure definitions before deployment. The project was acquired by Aqua Security and merged into Trivy in 2023.
Is tfsec still maintained?
No. tfsec development has stopped. Aqua Security merged all tfsec functionality into Trivy in 2024. The tfsec repository remains accessible for historical reference, but all engineering effort now focuses on Trivy. Users should migrate to Trivy for continued updates and support.
How do I migrate from tfsec to Trivy?
Install Trivy and replace tfsec commands with trivy config. All tfsec check IDs (like AVD-AWS-0086) work in Trivy without modification. Run trivy config on Terraform files to get the same checks tfsec provided. Trivy adds container scanning, secrets detection, and broader IaC format support in the same tool.