tfsec Security Scanner for Terraform: Features & Examples

envzero
03/29/2026
Transcript


that. Let's clear here and look at our tfsec guide here. So the command that you'd run for tfsec is very simple: you just run tfsec and then the directory that you want to scan. So in this case we are going to scan the Terraform directory. So once again, here we go, we got our tfsec output, and you can see that it gives you a summary, a nice summary at the very end. It tells you the results: so we've got six passed policies, zero ignored, five critical, 18 high, four medium and six low. So a total of 33 potential problems have been detected, and this is all open source out of the box. There is no API or anything like that that I'm running, so that is available completely open source.

Now you can see each one of those policies, you can see the results: "low security", this is a low vulnerability, "security group rule does not have a description", and it gives you the file, exactly the location, an ID for this check, the impact, the resolution, "add descriptions for all security group rules". So it's a nice touch here, giving you the resolution right in the CLI, and of course more information. And tfsec is backed by Aqua Security, so you can see some of the docs have Aqua Security in it right here, and you can follow these links for more information.

Now you can also, similar to what we saw with Checkov, specify a particular output format. So in this case we are going to output everything in JSON, as you can see here. And you can also exclude certain checks by specifying the check ID, as shown in this command. So I can go ahead and run this command with the exclude flag and exclude a particular check, and now we can see that we've ignored two checks right here. Okay, and now we have only 31 potential problems. Alright, so that's it for the built-in policies by tfsec. Now let's take a look at a custom policy, and we're going to do the same thing we did with Checkov.

So basically the exact same scenario, where we have an S3 bucket that has a PCI requirement, with scope PCI, that tag we saw, and also we have the public-read in the ACL of that S3 bucket. So once again we can just run this, tfsec against the Terraform folder, and let's look for this PCI policy, tfchecks.yaml in the .tfsec folder. So by default, if you create a .tfsec folder inside the folder that you're scanning, which is the Terraform folder, it's going to create, or you can put, the PCI policy here that we just mentioned. So any custom policies that are here will be scanned automatically by tfsec. And this is using YAML. There are two ways of using a custom policy with tfsec: you can use YAML, or a Rego policy, or Rego. It's spelled R-E-G-O but it's pronounced Rego, from OPA. In this case I opted to use YAML. It could be YAML or it could be JSON. I'm using YAML here, and I give it the code, or the check ID if you will, of custom, or CUS999, and give it a description: make sure S3 bucket ACL is not public-read if it has a scope = PCI tag. You can give it an impact, a message, a resolution. The required type is resource. The required label is aws_s3_bucket. Severity, in this case I chose critical. And a match spec. So we're matching if any of these happen: so if it doesn't contain tags with the key scope and the value PCI, or if it doesn't contain an ACL with a value of public-read. So we're actually looking for this to pass, right. So if any of this, it doesn't contain tags or it doesn't contain this public-read, it will pass the check, right. So you got to think of it in the opposite way. And now if I go ahead and search for 999, I will see, here we go, our custom CUS999 check has failed, and it's a critical check, and the message that we put in the description here shows up as well. And here is our resource, and once again the particular file and so on. So this is how you create a custom check or custom policy inside of tfsec.

TL;DR

  • tfsec is an open-source static analysis scanner for Terraform HCL that flags misconfigurations and security risks before anything is deployed; it reads only the code, so it needs no cloud API access or external services
  • Built-in checks carry a severity (critical, high, medium, low), a check ID, the file and line of the offending resource, and remediation text printed directly in the CLI; results can also be emitted as JSON, and individual check IDs can be suppressed with the exclude flag
  • Custom checks can be written in YAML or JSON, or in Rego (OPA), and are picked up automatically from a .tfsec folder inside the scanned directory; in the YAML form the match spec describes the state that passes, so the condition is written as the inverse of the misconfiguration you want to catch

Summary

This tutorial demonstrates tfsec, an open-source security scanner for Terraform infrastructure-as-code backed by Aqua Security. The tool statically analyses the HCL to detect misconfigurations and security risks before deployment. Because it never talks to a cloud API it can run in CI on every commit, but for the same reason it only sees what is written in the code: values that are only resolved at plan or apply time are outside its view. The demonstration covers the basic scan (tfsec followed by the directory to scan), JSON output, excluding check IDs, and custom policy creation using YAML. The out-of-the-box checks are classified from low to critical, and each result prints the file location, check ID, impact and resolution. The tutorial includes a practical example of creating a custom policy to enforce a PCI requirement for AWS S3 buckets (no public-read ACL on a bucket tagged scope = PCI), showing how organizations can extend the built-in ruleset to meet specific security and compliance needs. Aqua has since folded tfsec's checks into Trivy, so check the tfsec README for the project's current maintenance status before standardising a pipeline on it.
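The JSON output and check exclusion shown in the video, and the custom CUS999 check, are most useful in a pipeline when something consumes the report and decides whether the build passes. The script below is an added example written for this page, not code from the envzero video or from the tfsec project. It runs tfsec with the documented positional directory and --format json option, parses the top-level "results" array, drops check IDs the way --exclude would (but after the scan, so the suppressed checks are still in the raw report), and fails when any remaining finding is at or above a severity threshold. The embedded sample is constructed to mirror the field names tfsec emits (rule_id, long_id, severity, status, resource, location); it is not output captured from the video, the rule IDs in it are illustrative, and the meaning of the status field (0 failed, 1 passed, 2 ignored) and the placement of a custom check's code in the ID fields are assumptions, marked as such in the code.

```python
"""Severity gate over tfsec JSON output (added example; not tfsec's own code).
Assumptions are marked in comments: JSON field names, the "status" values,
and where a custom check's code appears. Sample rule IDs are illustrative."""
import json
import subprocess
import sys
from collections import Counter

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Assumption: tfsec reports status 0 = failed, 1 = passed (--include-passed), 2 = ignored.
STATUS_FAILED = 0

def run_tfsec(directory):
    """Run `tfsec <dir> --format json` and return stdout.

    tfsec exits non-zero whenever it finds problems, so the exit code is not
    used here; the parsed findings decide pass/fail."""
    proc = subprocess.run(["tfsec", directory, "--format", "json"],
                          capture_output=True, text=True, check=False)
    if not proc.stdout.strip():
        raise RuntimeError("tfsec produced no JSON: " + proc.stderr.strip())
    return proc.stdout

def parse_results(json_text):
    """Return the list under the top-level "results" key (empty if absent)."""
    return list(json.loads(json_text).get("results") or [])

def open_findings(results, excluded=()):
    """Failed checks whose long_id or rule_id is not in `excluded`.

    Same effect as `tfsec --exclude ID1,ID2`, applied after the scan so the
    suppressed checks remain visible in the raw report."""
    excluded = {e.strip() for e in excluded}
    return [r for r in results
            if r.get("status", STATUS_FAILED) == STATUS_FAILED
            and r.get("long_id") not in excluded
            and r.get("rule_id") not in excluded]

def summarize(findings):
    """Per-severity counts, like the summary tfsec prints at the end of a run."""
    counts = Counter(str(f.get("severity", "")).upper() for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_RANK}

def gate(findings, min_severity="HIGH"):
    """True when nothing at or above min_severity remains (the build may pass)."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    return all(SEVERITY_RANK.get(str(f.get("severity", "")).upper(), 0) < threshold
               for f in findings)

def format_finding(f):
    """One line: severity, check ID, resource, (file:line), fix text."""
    loc = f.get("location") or {}
    return "%-8s %s  %s  (%s:%s)  fix: %s" % (
        f.get("severity", "?"), f.get("long_id") or f.get("rule_id", "?"),
        f.get("resource", "?"), loc.get("filename", "?"),
        loc.get("start_line", "?"), f.get("resolution", ""))

# Constructed sample in tfsec's JSON layout (not captured scanner output).
SAMPLE_JSON = json.dumps({"results": [
    {"rule_id": "AVD-AWS-0092", "long_id": "aws-s3-no-public-access-with-acl",
     "severity": "CRITICAL", "status": 0, "resource": "aws_s3_bucket.pci_data",
     "resolution": "Don't use canned ACLs or switch to private acl",
     "location": {"filename": "terraform/s3.tf", "start_line": 1, "end_line": 9}},
    # The video's custom check; assumption: tfsec puts the custom code in the ID fields.
    {"rule_id": "CUS999", "long_id": "CUS999", "severity": "CRITICAL", "status": 0,
     "resource": "aws_s3_bucket.pci_data",
     "resolution": "Remove the public-read ACL from buckets tagged scope = PCI",
     "location": {"filename": "terraform/s3.tf", "start_line": 1, "end_line": 9}},
    {"rule_id": "AVD-AWS-0088", "long_id": "aws-s3-enable-bucket-encryption",
     "severity": "HIGH", "status": 0, "resource": "aws_s3_bucket.pci_data",
     "resolution": "Configure bucket encryption",
     "location": {"filename": "terraform/s3.tf", "start_line": 1, "end_line": 9}},
    {"rule_id": "AVD-AWS-0124", "long_id": "aws-vpc-add-description-to-security-group-rule",
     "severity": "LOW", "status": 0, "resource": "aws_security_group_rule.ssh_in",
     "resolution": "Add descriptions for all security group rules",
     "location": {"filename": "terraform/sg.tf", "start_line": 12, "end_line": 20}},
    {"rule_id": "AVD-AWS-0089", "long_id": "aws-s3-enable-bucket-logging",
     "severity": "MEDIUM", "status": 2, "resource": "aws_s3_bucket.pci_data",
     "resolution": "Add a logging block to the resource to enable access logging",
     "location": {"filename": "terraform/s3.tf", "start_line": 1, "end_line": 9}},
]})

def main(argv):
    """Usage: gate.py [terraform-dir] [excluded-ids,comma-separated] [min-severity]
    With no directory argument the constructed sample is evaluated instead."""
    raw = run_tfsec(argv[0]) if argv else SAMPLE_JSON
    excluded = argv[1].split(",") if len(argv) > 1 else ()
    min_sev = argv[2] if len(argv) > 2 else "HIGH"
    findings = open_findings(parse_results(raw), excluded)
    for f in findings:
        print(format_finding(f))
    print("summary:", summarize(findings))
    ok = gate(findings, min_sev)
    print("gate:", "PASS" if ok else "FAIL")
    return 0 if ok else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run as `python gate.py ./terraform` to scan for real, or with no arguments to see the gate applied to the constructed sample. Filtering after the scan rather than with --exclude keeps the full JSON report available as an artifact, and the `status` test drops ignored checks (the "zero ignored" column in the video's summary) so an inline ignore cannot masquerade as a pass.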

Chapters

0:00 - Introduction to tfsec
0:27 - Running Basic tfsec Scan
1:49 - Output Formats and Exclusions
2:28 - Custom Policy Creation with YAML

Key Quotes

0:56 "... a total of 33 potential problems have been detected and this is all open source out of the box. There is no API or anything like that that I'm running so that is available completely open source."
1:28 "... it's a nice touch here giving you the resolution right in the CLI ..."
1:38 "tfsec is backed by Aqua Security so you can see some of the docs have Aqua Security in it ..."
Categories:
  • » Webinar Library » envzero
  • » Cybersecurity » Application Security
  • » Cybersecurity » Cloud Security
  • » Data Protection
Tags:
  • Cloud Security
  • DevSecOps
  • Compliance & Governance
  • How-To
  • Technical Deep Dive
  • Infrastructure as Code Security
  • Terraform Security Scanning
  • Static Code Analysis
  • Security Policy Enforcement
  • Cloud Security Misconfiguration Detection
  • PCI Compliance