Parameters
tfsec can be run with no arguments and will act on the current folder.
For a richer experience, there are many additional command line arguments that you can make use of.
Argument | Short Code | Description |
---|---|---|
--code-theme string |
Theme for annotated code. Either 'light' or 'dark'. (default "dark") | |
--concise-output |
Reduce the amount of output and no statistics | |
--config-file string |
Config file to use during run | |
--custom-check-dir string |
Explicitly the custom checks dir location | |
--debug |
Enable debug logging (same as verbose) | |
--disable-grouping |
-G |
Disable grouping of similar results |
--exclude string |
-e |
Provide comma-separated list of rule IDs to exclude from run. |
--exclude-downloaded-modules |
Remove results for downloaded modules in .terraform folder | |
--exclude-path strings |
Folder path to exclude, can be used multiple times and evaluated in order of specification | |
--filter-results string |
Filter results to return specific checks only (supports comma-delimited input). | |
--force-all-dirs |
Don't search for tf files, include everything below provided directory. | |
--format string |
-f |
Select output format: lovely, json, csv, checkstyle, junit, sarif, text, gif. To use multiple formats, separate with a comma and specify a base output filename with --out. A file will be written for each type. The first format will additionally be written stdout. (default "lovely") |
--help |
-h |
help for tfsec |
--ignore-hcl-errors |
Do not report an error if an HCL parse error is encountered | |
--include-ignored |
Include ignored checks in the result output | |
--include-passed |
Include passed checks in the result output | |
--migrate-ignores |
Migrate ignore codes to the new ID structure | |
--minimum-severity string |
-m |
The minimum severity to report. One of CRITICAL, HIGH, MEDIUM, LOW. |
--no-code |
Don't include the code snippets in the output. | |
--no-color |
Disable colored output (American style!) | |
--no-colour |
Disable coloured output | |
--no-ignores |
Do not apply any ignore rules - normally ignored checks will fail | |
--no-module-downloads |
Do not download remote modules. | |
--out string |
-O |
Set output file. This filename will have a format descriptor appended if multiple formats are specified with --format |
--print-rego-input |
Print a JSON representation of the input supplied to rego policies. | |
--rego-only |
Run rego policies exclusively. | |
--rego-policy-dir string |
Directory to load rego policies from (recursively). | |
--run-statistics |
View statistics table of current findings. | |
--single-thread |
Run checks using a single thread | |
--soft-fail |
-s |
Runs checks but suppresses error code |
--tfvars-file strings |
Path to .tfvars file, can be used multiple times and evaluated in order of specification | |
--update |
Update to latest version | |
--var-file strings |
Path to .tfvars file, can be used multiple times and evaluated in order of specification (same functionaility as --tfvars-file but consistent with Terraform) | |
--verbose |
Enable verbose logging (same as debug) | |
--version |
-v |
Show version information and exit |
--workspace string |
-w |
Specify a workspace for ignore limits (default "default") |
This list can also be found by running tfsec --help