IaC Scanner
Wrapper for tfsec and Checkov to scan Infrastructure as Code.
Prerequisites
bash
# tfsec (Terraform focused) brew install tfsec # or go install github.com/aquasecurity/tfsec/cmd/tfsec@latest # Checkov (multi-cloud) pip install checkov # or brew install checkov
Usage
bash
# Scan with auto-detection npx iac-scanner . # Force specific scanner npx iac-scanner . --scanner tfsec npx iac-scanner . --scanner checkov # JSON output npx iac-scanner . --json # Check available scanners npx iac-scanner --check # Scan specific framework npx iac-scanner . --framework terraform npx iac-scanner . --framework kubernetes npx iac-scanner . --framework cloudformation
Supported Frameworks
| Scanner | Frameworks |
|---|---|
| tfsec | Terraform |
| Checkov | Terraform, CloudFormation, Kubernetes, ARM, Serverless, Helm |
Output Format
json
{
"tool": "tfsec",
"scanPath": ".",
"scanDate": "2024-01-15T10:30:00Z",
"findings": [
{
"id": "aws-s3-enable-bucket-encryption",
"severity": "high",
"message": "Bucket does not have encryption enabled",
"resource": "aws_s3_bucket.data",
"file": "main.tf",
"line": 15,
"resolution": "Enable bucket encryption"
}
],
"summary": {
"total": 5,
"critical": 1,
"high": 2,
"medium": 1,
"low": 1
}
}
Common Misconfigurations
| Category | Example |
|---|---|
| Encryption | S3 bucket without encryption |
| Access Control | Public S3 bucket, open security groups |
| Logging | Missing CloudTrail, no access logs |
| Network | VPC without flow logs, open CIDR |
| IAM | Overly permissive policies, wildcard actions |
| Secrets | Hardcoded credentials in config |
Exit Codes
- •
0: No issues found - •
1: Issues detected - •
2: Tool not installed or error