IaC Security & Compliance Language
Policy as code, OPA/Sentinel, tfsec, checkov — vocabulary for IaC security scanning and policy enforcement. Advanced
A platform engineer says: "We integrated tfsec into the CI pipeline — it blocked a PR last week for an open security group."
What does tfsec do?
tfsec (now integrated into Trivy as `trivy config`) is a static application security testing (SAST) tool for Terraform configurations. It scans the HCL source and flags misconfigurations before any infrastructure is deployed.
| Tool | Coverage | Integration |
|---|---|---|
| tfsec / Trivy | Terraform HCL scanning | GitHub Actions, GitLab CI, pre-commit hooks |
| checkov | Terraform, CloudFormation, Kubernetes, Dockerfile | Prisma Cloud, Bridgecrew, CI pipelines |
| terrascan | Terraform, Helm, Kubernetes | CLI, pipeline integration |
- IaC SAST — static application security testing applied to infrastructure code
- shift-left security — catching misconfigurations in PRs rather than discovering them in production
- misconfigurations as code — the class of vulnerabilities where the infrastructure definition itself is the security flaw