As Infrastructure as Code (IaC) adoption grows, so does the need for security, standardization, and quality checks, just like we do with application code.
Tools like tfsec, Checkov, and TFLint offer a powerful trio to help you lint, secure, and enforce policies in your Terraform projects.
Let's break down what each tool does, how to set it up, and how to integrate all three into your workflow.
The Tools We'll Cover
TFLint => Catches Terraform errors that terraform validate misses (for example an invalid instance type), deprecated syntax, and best-practice violations
tfsec => Flags security risks in your Terraform code
Checkov => Perfect for compliance and policy enforcement
1. Setting Up TFLint
What is TFLint?
TFLint helps you:
Catch deprecated syntax and misused resource arguments, such as an EC2 instance type that does not exist (terraform validate accepts it; TFLint's provider ruleset does not)
Detect unused declarations (variables, locals, data sources)
Enforce naming conventions and other project standards, keeping the code clean and DRY
Install TFLint
macOS:
brew install tflint
Linux (the script installs the latest release; on a workstation that is fine, but in CI prefer a pinned release with a verified checksum over piping an unverified download into bash):
curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
Basic Usage
In your Terraform project root:
tflint
TFLint will auto-detect your configuration and run checks.
Example .tflint.hcl configuration
plugin "aws" {
  enabled = true
  version = "0.12.0"   # pin a release that matches your TFLint version
  source  = "github.com/terraform-linters/tflint-ruleset-aws"

  # Provider settings belong inside the plugin block, not in a top-level config {} block.
  # region is only used when deep_check = true, which makes TFLint call the AWS API
  # (for example to validate AMI IDs) and therefore needs credentials.
  deep_check = false
  region     = "us-east-1"
}
Run (--init downloads the plugins declared in .tflint.hcl and must be rerun whenever that file changes):
tflint --init
tflint
2. Scan Code with tfsec (Security Scans)
What is tfsec?
tfsec is Aqua Security's static analyzer for Terraform. Its checks have since been folded into Aqua's Trivy (trivy config runs the same rules), so new pipelines may prefer Trivy, but tfsec still works and everything below applies. It catches:
Open security groups
Unencrypted storage
Public S3 buckets
Missing logging on cloud resources
Install tfsec
macOS:
brew install tfsec
Linux:
curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
Usage Example
tfsec
Example output (older releases print short legacy IDs like AWS008; newer ones print long-form IDs such as aws-vpc-no-public-ingress-sgr):
[AWS008][CRITICAL] Resource 'aws_security_group.example' defines a fully open ingress security group rule.
Customize tfsec with a config file
tfsec reads .tfsec/config.yml (or config.json) from the directory being scanned, or any file passed with --config-file. Keys use underscores:
severity_overrides:
  AWS017: LOW
exclude:
  - AWS002
Newer releases print long-form check IDs such as aws-s3-enable-bucket-logging, which work here as well. A global exclude hides a check for the whole codebase; where a single resource is a justified exception, prefer an inline comment above it with an expiry date, so the exception resurfaces for review instead of being forgotten: #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2025-12-31
3. Using Checkov for Deep IaC Analysis
What is Checkov?
Checkov is a powerful IaC security scanner from Bridgecrew, now part of Palo Alto Networks' Prisma Cloud. It is widely used in enterprise pipelines for its large built-in ruleset (check IDs look like CKV_AWS_18) and for its support for custom policies written in YAML or Python.
Install Checkov
pip install checkov
Run a Check
checkov -d .
Sample output (CKV_AWS_18 is Checkov's S3 access-logging check):
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.data
Customize with .checkov.yml
Checkov reads .checkov.yml (or .checkov.yaml) from the working directory, or a file passed with --config-file; the keys mirror the CLI flags:
skip-check:
  - CKV_AWS_18
  - CKV_AWS_145
framework:
  - terraform
As with tfsec, a global skip hides a check everywhere. For a single justified exception, put a skip with a reason inside the resource block instead: #checkov:skip=CKV_AWS_18:Access-log target bucket, logging it would loop
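Both tfsec and Checkov let you suppress a finding inline, which is safer than a global exclude because the suppression sits next to the resource it affects. Suppressions still need hygiene: a Checkov skip with no reason, or a tfsec ignore with no expiry, is an accepted risk nobody will revisit. The script below is an added example written for this article, not tfsec or Checkov code; it parses the two documented comment forms out of Terraform source and reports the suppressions that need attention. The Terraform snippet embedded in it is constructed, and the function names (parse_suppressions, audit, run_example) are mine.

```python
"""Audit inline scanner suppressions in Terraform source.

Added example for this article, not code from tfsec or Checkov. It parses the two comment
forms the tools document, #tfsec:ignore:<rule>[:exp:YYYY-MM-DD] (several may share a line)
and #checkov:skip=<CHECK_ID>[:justification], and reports the ones that let an accepted
risk be forgotten. The Terraform text at the bottom is constructed for the example."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# tfsec rule ids use letters, digits, '-', '_' and '.'; the ':exp:' suffix is optional
TFSEC_RE = re.compile(r"tfsec:ignore:(?P<rule>[A-Za-z0-9_.-]+)(?::exp:(?P<exp>\d{4}-\d{2}-\d{2}))?")
# Checkov ids look like CKV_AWS_18; text after the next ':' is the free-form justification
CHECKOV_RE = re.compile(r"checkov:skip= *(?P<rule>[A-Za-z0-9_]+)(?::(?P<why>.*))?")

@dataclass(frozen=True)
class Suppression:
    tool: str
    rule: str
    line: int
    expiry: date | None = None
    justification: str = ""

def parse_suppressions(tf_source: str) -> list[Suppression]:
    found = []
    for lineno, raw in enumerate(tf_source.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith(("#", "//")):  # only comments count, not string literals
            continue
        for m in TFSEC_RE.finditer(line):
            exp = date.fromisoformat(m["exp"]) if m["exp"] else None
            found.append(Suppression("tfsec", m["rule"], lineno, expiry=exp))
        m = CHECKOV_RE.search(line)
        if m:
            found.append(Suppression("checkov", m["rule"], lineno, justification=(m["why"] or "").strip()))
    return found

def audit(suppressions: list[Suppression], today: date) -> list[str]:
    """One problem string per suppression that needs attention, in source order."""
    problems = []
    for s in suppressions:
        if s.tool == "checkov" and not s.justification:
            problems.append(f"line {s.line}: checkov skip {s.rule} has no justification")
        elif s.tool == "tfsec" and s.expiry is None:
            problems.append(f"line {s.line}: tfsec ignore {s.rule} has no expiry date")
        elif s.tool == "tfsec" and s.expiry < today:
            problems.append(f"line {s.line}: tfsec ignore {s.rule} expired on {s.expiry.isoformat()}")
    return problems

# Constructed Terraform, mixing well-formed and sloppy suppressions.
SAMPLE_TF = """\
resource "aws_s3_bucket" "logs" {
  #checkov:skip=CKV_AWS_18:This bucket is the access-log target; logging it would loop
  #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2030-12-31
  bucket = "example-access-logs"
}

resource "aws_s3_bucket" "data" {
  #checkov:skip=CKV_AWS_145
  bucket = "example-data"
}

#tfsec:ignore:aws-vpc-no-public-ingress-sgr
resource "aws_security_group" "example" {
  #tfsec:ignore:aws-vpc-add-description-to-security-group:exp:2020-01-01
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
"""

def run_example(today: date = date(2025, 6, 1)) -> list[str]:
    return audit(parse_suppressions(SAMPLE_TF), today)

if __name__ == "__main__":
    for problem in run_example():
        print(problem)
```

Run it over your real .tf files (read each file and feed its text to parse_suppressions) as a pre-commit hook or CI step, and fail the step when audit returns anything. Checking only comment lines keeps a string literal that happens to mention the syntax from being counted.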
CI/CD Integration Examples
GitHub Actions Workflow
name: Terraform Security and Linting
on: [pull_request]
permissions:
  contents: read        # read-only token; the job never needs to write
jobs:
  security-lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
      - name: Set up Python for Checkov
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install tfsec, tflint, and Checkov
        # The install scripts fetch the latest release over the network. For a
        # reproducible, tamper-resistant pipeline, pin each tool to a release
        # and verify its checksum instead of piping an unverified script to bash.
        run: |
          curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
          curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
          pip install checkov
      - name: Run TFLint
        run: |
          tflint --init        # fetch the plugins declared in .tflint.hcl
          tflint
      - name: Run tfsec
        run: tfsec .
      - name: Run Checkov
        run: checkov -d .
Each tool exits non-zero when it finds issues, so a single finding from any of them fails the pull request check.
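The workflow above fails the check as soon as any tool exits non-zero, which treats a low-severity logging gap the same as an open security group. Teams usually want a threshold: block on HIGH and above, report the rest, and record accepted risks with an expiry so they come back for review. The script below, an added example written for this article and not part of the original post or of any of the three tools, does that by reading each tool's JSON output (tfsec --format json, checkov -o json, tflint --format json) into one finding list. The three JSON documents embedded in it are constructed by hand in the shape those commands produce, and the function names are mine; check the field names against your installed versions.

```python
"""CI gate: merge tfsec, Checkov and TFLint JSON results into one list and decide pass/fail.

Added example for this article, not code from the post or from any of the tools. Field names
follow the JSON of `tfsec --format json`, `checkov -o json` and `tflint --format json`; the
documents at the bottom are constructed by hand in that shape so this runs offline."""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
TFLINT_SEVERITY = {"error": "HIGH", "warning": "MEDIUM", "notice": "LOW"}  # TFLint's own levels, mapped

@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    severity: str
    location: str
    message: str

def from_tfsec(doc: dict) -> list[Finding]:
    out = []
    for r in doc.get("results", []):
        if r.get("status", 0) != 0:  # 0 = failed; passed (1) and ignored (2) are not findings
            continue
        loc = r["location"]
        out.append(Finding("tfsec", r.get("long_id") or r["rule_id"], r["severity"].upper(),
                           f'{loc["filename"]}:{loc["start_line"]}', r["description"]))
    return out

def from_checkov(doc, default_severity: str = "HIGH") -> list[Finding]:
    reports = doc if isinstance(doc, list) else [doc]  # a list when several frameworks ran
    out = []
    for report in reports:
        for c in report.get("results", {}).get("failed_checks", []):
            # severity is null unless Checkov is connected to the Prisma Cloud platform;
            # apply a configured default rather than silently dropping the finding
            sev = (c.get("severity") or default_severity).upper()
            line = c.get("file_line_range", ["?"])[0]
            out.append(Finding("checkov", c["check_id"], sev, f'{c["file_path"]}:{line}', c["check_name"]))
    return out

def from_tflint(doc: dict) -> list[Finding]:
    out = []
    for i in doc.get("issues", []):
        rng = i["range"]
        out.append(Finding("tflint", i["rule"]["name"], TFLINT_SEVERITY.get(i["rule"]["severity"], "MEDIUM"),
                           f'{rng["filename"]}:{rng["start"]["line"]}', i["message"]))
    return out

def gate(findings, fail_on="HIGH", accepted: dict[str, date] | None = None, today: date | None = None):
    """Split findings into (blocking, advisory). `accepted` maps a rule id to the date until
    which the risk is accepted; after that date the finding counts again instead of being forgotten."""
    today = today or date.today()
    accepted = accepted or {}
    blocking, advisory = [], []
    for f in findings:
        until = accepted.get(f.rule)
        if until is not None and today <= until:
            continue
        (blocking if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_on] else advisory).append(f)
    return blocking, advisory

# Constructed sample output, hand-written in each tool's JSON shape.
TFSEC_JSON = json.loads("""{"results": [
 {"rule_id": "AVD-AWS-0107", "long_id": "aws-vpc-no-public-ingress-sgr", "severity": "CRITICAL", "status": 0,
  "description": "Security group rule allows ingress from public internet.",
  "location": {"filename": "main.tf", "start_line": 10, "end_line": 18}},
 {"rule_id": "AVD-AWS-0089", "long_id": "aws-s3-enable-bucket-logging", "severity": "MEDIUM", "status": 0,
  "description": "Bucket does not have logging enabled", "location": {"filename": "main.tf", "start_line": 1, "end_line": 3}},
 {"rule_id": "AVD-AWS-0088", "long_id": "aws-s3-enable-bucket-encryption", "severity": "HIGH", "status": 2,
  "description": "Bucket does not have encryption enabled", "location": {"filename": "main.tf", "start_line": 1, "end_line": 3}}]}""")
CHECKOV_JSON = json.loads("""{"check_type": "terraform", "results": {"passed_checks": [], "skipped_checks": [],
 "parsing_errors": [], "failed_checks": [
  {"check_id": "CKV_AWS_18", "check_name": "Ensure the S3 bucket has access logging enabled",
   "resource": "aws_s3_bucket.data", "file_path": "/main.tf", "file_line_range": [1, 3], "severity": null},
  {"check_id": "CKV_AWS_145", "check_name": "Ensure that S3 buckets are encrypted with KMS by default",
   "resource": "aws_s3_bucket.data", "file_path": "/main.tf", "file_line_range": [1, 3], "severity": null}]}}""")
TFLINT_JSON = json.loads("""{"issues": [{"rule": {"name": "aws_instance_invalid_type", "severity": "error"},
 "message": "t1.2xlarge is an invalid value as instance_type",
 "range": {"filename": "main.tf", "start": {"line": 22, "column": 19}, "end": {"line": 22, "column": 31}}}], "errors": []}""")

def run_example(today: date = date(2025, 1, 1)):
    findings = from_tfsec(TFSEC_JSON) + from_checkov(CHECKOV_JSON) + from_tflint(TFLINT_JSON)
    # CKV_AWS_18 is accepted until 2030; the tfsec logging acceptance lapsed in 2020 and counts again
    accepted = {"CKV_AWS_18": date(2030, 1, 1), "aws-s3-enable-bucket-logging": date(2020, 1, 1)}
    return gate(findings, fail_on="HIGH", accepted=accepted, today=today)

if __name__ == "__main__":
    blocking, advisory = run_example()
    for f in advisory + blocking:
        kind = "BLOCKING" if f in blocking else "ADVISORY"
        print(f"{kind} {f.tool} {f.rule} [{f.severity}] {f.location}: {f.message}")
    sys.exit(1 if blocking else 0)
```

In a pipeline, run each tool with its JSON flag, save the outputs, replace the embedded samples with json.load of those files, and use the script's exit status as the step result. Checkov's null severity is the field to watch: without the Prisma Cloud connection every failed check is treated as the configured default, so pick that default deliberately.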
When to Use Which?
Use Case                        | Best Tool
--------------------------------|--------------------------
Linting + syntax checks         | TFLint
Quick, easy security checks     | tfsec
Deep security + compliance scan | Checkov
Enterprise policy enforcement   | Checkov + OPA (optional)
Additional Tips
Use pre-commit hooks to run tfsec/tflint/checkov before every commit
Combine all tools in GitHub Actions or GitLab CI/CD
Add config files to version control (.tflint.hcl, .tfsec/config.yml and .checkov.yml) so every developer and the CI runner apply the same rules
Sample Pre-Commit Hook
repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.77.0   # bump to the latest tag; pre-commit pins the hook code to this revision
    hooks:
      - id: terraform_fmt
      - id: terraform_validate
      - id: terraform_tflint
      - id: terraform_tfsec
      - id: terraform_checkov
Conclusion
Security and best practices are no longer optional in Infrastructure as Code. With TFLint, tfsec, and Checkov you're not only improving your Terraform code, you're building trustworthy, production-grade infrastructure.
EzyInfra.dev – Expert DevOps & Infrastructure consulting! We help you set up, optimize, and manage cloud (AWS, GCP) and Kubernetes infrastructure—efficiently and cost-effectively. Need a strategy? Get a free consultation now!