tfsec
Credits
aquasecurity/tfsec
Authors
Liam Galvin (liamg)
Owen Rumney (owenrumney)
Contributors
Thanks to all contributors.