Parameters
tfsec can be run with no arguments and will act on the current folder.
For a richer experience, there are many additional command line arguments that you can make use of.
Argument | Short Code | Description |
---|---|---|
--allow-checks-to-panic |
-p |
Allow panics to propagate up from rule checking |
--concise-output |
Reduce the amount of output and no metrics | |
--config-file [path to config file] |
Config file to use during run | |
--custom-check-dir [path to checks dir] |
Explicitly the custom checks dir location | |
--debug |
Enable verbose logging, same as --verbose but for people who prefer to say debug |
|
--exclude [comma,separated,rule,ids] |
-e |
Provide comma-separated list of rule IDs to exclude from run. |
--exclude-path strings |
Path to exclude from parser, can be used multiple times | |
--exclude-downloaded-modules |
Remove results for downloaded modules in .terraform folder | |
--filter-results [comma,separated,riles,to,check] |
Filter results to return specific checks only (supports comma-delimited input). | |
--force-all-dirs |
Don't search for tf files, include everything below provided directory. | |
--format [default,json,csv,checkstyle,junit,sarif,gif] |
-f |
Select output format: default, json, csv, checkstyle, junit, sarif. To use multiple formats, separate with a comma and specify a base output filename with --out. A file will be written for each type. The first format will additionally be written stdout. |
--help |
-h |
help for tfsec |
--ignore-hcl-errors |
Stop and report an error if an HCL parse error is encountered | |
--include-ignored |
Ignore comments with have no effect and all resources will be scanned | |
--include-passed |
Resources that pass checks are included in the result output | |
--migrate-ignores |
Migrate ignore codes to the new ID structure eg; AWS077 to aws-s3-enable-versioning | |
--minimum-severity |
-m |
The minimum severity of results to report. One of CRITICAL, HIGH, MEDIUM, LOW. |
--no-color |
Disable colored output (American style!) | |
--no-colour |
Disable coloured output | |
--no-module-downloads |
Do not download remote modules. | |
--out [filepath to output to] |
Set output file. This filename will have a format descriptor appended if multiple formats are specified with --format | |
--run-statistics |
View statistics table of current findings. | |
--soft-fail |
-s |
Runs checks but suppresses error code |
--sort-severity |
Sort the results by severity from highest to lowest | |
--tfvars-file strings |
Path to .tfvars file, can be used multiple times and evaluated in order of specification | |
--update |
Update to latest version | |
--var-file strings |
Path to .tfvars file, can be used multiple times and evaluated in order of specification. Same action as -tfvars-file but more consistent with Terraform | |
--verbose |
Enable verbose logging | |
--version |
-v |
Show version information and exit |
--workspace [terraform workspace] |
-w |
Specify a workspace for ignore limits |
This list can also be found by running tfsec --help