Skip to content

tfsec

Credits

Initializing search

aquasecurity/tfsec

HOME
Getting Started
Checks

tfsec

aquasecurity/tfsec

HOME
Getting Started
Getting Started
- Installation
- Signature Verification
- Quick Start
- Parameters
- Credits
- Configuration
  Configuration
- GitHub Actions
  GitHub Actions
  - GitHub Action
  - PR Commenter
Checks
Checks
- aws
  aws
  - api-gateway
    api-gateway
    
    enable-access-logging
    
    enable-cache-encryption
    
    enable-tracing
    
    index
    
    no-public-access
    
    use-secure-tls-policy
  - athena
    athena
    
    enable-at-rest-encryption
    
    index
    
    no-encryption-override
  - autoscaling
    autoscaling
    
    enable-at-rest-encryption
    
    enforce-http-token-imds
    
    index
    
    no-public-ip
    
    no-secrets-in-user-data
    
    no-sensitive-info
  - cloudfront
    cloudfront
    
    enable-logging
    
    enable-waf
    
    enforce-https
    
    index
    
    use-secure-tls-policy
  - cloudtrail
    cloudtrail
    
    enable-all-regions
    
    enable-at-rest-encryption
    
    enable-log-validation
    
    index
  - cloudwatch
    cloudwatch
    
    index
    
    log-group-customer-key
  - codebuild
    codebuild
    
    enable-encryption
    
    index
  - config
    config
    
    aggregate-all-regions
    
    index
  - documentdb
    documentdb
    
    enable-log-export
    
    enable-storage-encryption
    
    encryption-customer-key
    
    index
  - dynamodb
    dynamodb
    
    enable-at-rest-encryption
    
    enable-recovery
    
    index
    
    table-customer-key
  - ebs
    ebs
    
    enable-volume-encryption
    
    encryption-customer-key
    
    index
  - ec2
    ec2
    
    enable-at-rest-encryption
    
    enforce-http-token-imds
    
    index
    
    no-secrets-in-user-data
  - ecr
    ecr
    
    enable-image-scans
    
    enforce-immutable-repository
    
    index
    
    no-public-access
    
    repository-customer-key
  - ecs
    ecs
    
    enable-container-insight
    
    enable-in-transit-encryption
    
    index
    
    no-plaintext-secrets
  - efs
    efs
    
    enable-at-rest-encryption
    
    index
  - eks
    eks
    
    enable-control-plane-logging
    
    encrypt-secrets
    
    index
    
    no-public-cluster-access
    
    no-public-cluster-access-to-cidr
  - elastic-search
    elastic-search
    
    enable-domain-encryption
    
    enable-domain-logging
    
    enable-in-transit-encryption
    
    enforce-https
    
    index
    
    use-secure-tls-policy
  - elasticache
    elasticache
    
    add-description-for-security-group
    
    enable-at-rest-encryption
    
    enable-backup-retention
    
    enable-in-transit-encryption
    
    index
  - elb
    elb
    
    alb-not-public
    
    drop-invalid-headers
    
    http-not-used
    
    index
    
    use-secure-tls-policy
  - iam
    iam
    
    enforce-mfa
    
    index
    
    no-password-reuse
    
    no-policy-wildcards
    
    require-lowercase-in-passwords
    
    require-numbers-in-passwords
    
    require-symbols-in-passwords
    
    require-uppercase-in-passwords
    
    set-max-password-age
    
    set-minimum-password-length
  - aws
  - kinesis
    kinesis
    
    enable-in-transit-encryption
    
    index
  - kms
    kms
    
    auto-rotate-keys
    
    index
  - lambda
    lambda
    
    enable-tracing
    
    index
    
    restrict-source-arn
  - mq
    mq
    
    enable-audit-logging
    
    enable-general-logging
    
    index
    
    no-public-access
  - msk
    msk
    
    enable-in-transit-encryption
    
    enable-logging
    
    index
  - neptune
    neptune
    
    enable-log-export
    
    enable-storage-encryption
    
    encryption-customer-key
    
    index
  - rds
    rds
    
    enable-performance-insights
    
    encrypt-cluster-storage-data
    
    encrypt-instance-storage-data
    
    index
    
    no-classic-resources
    
    no-public-db-access
    
    specify-backup-retention
  - redshift
    redshift
    
    encryption-customer-key
    
    index
    
    use-vpc
  - s3
    s3
    
    block-public-acls
    
    block-public-policy
    
    enable-bucket-encryption
    
    enable-bucket-logging
    
    enable-versioning
    
    encryption-customer-key
    
    ignore-public-acls
    
    index
    
    no-public-access-with-acl
    
    no-public-buckets
    
    specify-public-access-block
  - sns
    sns
    
    enable-topic-encryption
    
    index
  - sqs
    sqs
    
    enable-queue-encryption
    
    index
    
    no-wildcards-in-policy-documents
  - ssm
    ssm
    
    index
    
    secret-use-customer-key
  - vpc
    vpc
    
    add-description-to-security-group
    
    add-description-to-security-group-rule
    
    index
    
    no-default-vpc
    
    no-excessive-port-access
    
    no-public-egress-sgr
    
    no-public-ingress-acl
    
    no-public-ingress-sgr
  - workspaces
    workspaces
    
    enable-disk-encryption
    
    index
- azure
  azure
  - appservice
    appservice
    
    account-identity-registered
    
    authentication-enabled
    
    enable-http2
    
    enforce-https
    
    index
    
    require-client-cert
    
    use-secure-tls-policy
  - authorization
    authorization
    
    index
    
    limit-role-actions
  - compute
    compute
    
    disable-password-authentication
    
    enable-disk-encryption
    
    index
    
    no-secrets-in-custom-data
  - container
    container
    
    configured-network-policy
    
    index
    
    limit-authorized-ips
    
    logging
    
    use-rbac-permissions
  - database
    database
    
    all-threat-alerts-enabled
    
    enable-audit
    
    enable-ssl-enforcement
    
    index
    
    no-public-access
    
    no-public-firewall-access
    
    postgres-configuration-connection-throttling
    
    postgres-configuration-log-checkpoints
    
    postgres-configuration-log-connections
    
    retention-period-set
    
    secure-tls-policy
    
    threat-alert-email-set
    
    threat-alert-email-to-owner
  - datafactory
    datafactory
    
    index
    
    no-public-access
  - datalake
    datalake
    
    enable-at-rest-encryption
    
    index
  - azure
  - keyvault
    keyvault
    
    content-type-for-secret
    
    ensure-key-expiry
    
    ensure-secret-expiry
    
    index
    
    no-purge
    
    specify-network-acl
  - monitor
    monitor
    
    activity-log-retention-set
    
    capture-all-activities
    
    capture-all-regions
    
    index
  - network
    network
    
    disable-rdp-from-internet
    
    index
    
    no-public-egress
    
    no-public-ingress
    
    retention-policy-set
    
    ssh-blocked-from-internet
  - security-center
    security-center
    
    alert-on-severe-notifications
    
    enable-standard-subscription
    
    index
    
    set-required-contact-details
  - storage
    storage
    
    allow-microsoft-service-bypass
    
    default-action-deny
    
    enforce-https
    
    index
    
    no-public-access
    
    queue-services-logging-enabled
    
    use-secure-tls-policy
  - synapse
    synapse
    
    index
    
    virtual-network-enabled
- cloudstack
  cloudstack
  - compute
    compute
    
    index
    
    no-sensitive-info
  - cloudstack
- digitalocean
  digitalocean
  - compute
    compute
    
    enforce-https
    
    index
    
    kubernetes-auto-upgrades-not-enabled
    
    no-public-egress
    
    no-public-ingress
    
    surge-upgrades-not-enabled
    
    use-ssh-keys
  - digitalocean
  - spaces
    spaces
    
    acl-no-public-read
    
    disable-force-destroy
    
    index
    
    versioning-enabled
- general
  general
  - general
  - secrets
    secrets
    
    index
    
    no-plaintext-exposure
- github
  github
  - actions
    actions
    
    index
    
    no-plain-text-action-secrets
  - github
  - repositories
    repositories
    
    index
    
    private
- google
  google
- kubernetes
  kubernetes
  - kubernetes
  - network
    network
    
    index
    
    no-public-egress
    
    no-public-ingress
- openstack
  openstack
  - compute
    compute
    
    index
    
    no-plaintext-password
    
    no-public-access
  - openstack
- oracle
  oracle
  - compute
    compute
    
    index
    
    no-public-ip
  - oracle

Authors

Liam Galvin (liamg)
Owen Rumney (owenrumney)

Contributors

Thanks to all contributors

Previous Parameters

Next Config File