TFSec configuration

TFSec analyzes your Terraform templates to spot potential security issues. It is configured via a tfsec.yml configuration file, as detailed in TFSec's documentation.

By default, all types of issues are enabled. However, there are occasions where you want to suppress specific problems. You can add a simple configuration file like the example below to the root of your repository, and Codeac automatically picks it up and applies it to all further analyses. We suggest adding your own configuration file to your repository root directory so you can specify your quality standards.

tfsec.yml

---
exclude:
    - GCP002
    - AWS025

Ignoring specific issues

If you'd like to ignore only a specific issue, you can simply add a comment containing tfsec:ignore:RULE to the offending line in your templates. If the problem refers to a block of code, such as a multiline string, you can add the comment on the line above the block, as in the examples below:

api.tf

resource "aws_security_group_rule" "backend" {
    type = "ingress"
    cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS006
}

resource "aws_security_group_rule" "api" {
    type = "ingress"
    #tfsec:ignore:AWS006
    cidr_blocks = ["0.0.0.0/0"]
}

You can also ignore multiple rules by concatenating them with a space on a single line:

backend.tf

#tfsec:ignore:AWS017 tfsec:ignore:AWS002
resource "aws_s3_bucket" "backend" {
    bucket = "backend"
    acl    = "private"
}
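Suppressions like these are easy to forget about, so it helps to keep an inventory of what they hide. The helper below is an added example, not part of Codeac or tfsec, that lists every tfsec:ignore suppression in a Terraform file, covering the inline, line-above and multi-rule forms shown above; its sample input is constructed from the snippets on this page.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Every tfsec:ignore:RULE token inside a comment; several may share one line.
IGNORE_TOKEN = re.compile(r"tfsec:ignore:([A-Za-z0-9\-]+)")
# HCL comments start with '#' or '//'; this page uses the '#' form.
COMMENT_START = re.compile(r"#|//")


@dataclass
class Suppression:
    rule: str
    line: int     # line number carrying the ignore comment
    target: str   # attribute or block header the suppression applies to


def find_suppressions(hcl: str) -> list[Suppression]:
    """Inventory tfsec:ignore comments in one Terraform file.

    A comment sharing a line with code applies to that line; a comment on a
    line of its own applies to the next non-blank line (attribute or block).
    """
    lines = hcl.splitlines()
    found = []
    for idx, raw in enumerate(lines, start=1):
        m = COMMENT_START.search(raw)
        if not m:
            continue
        code, comment = raw[:m.start()].strip(), raw[m.end():]
        rules = IGNORE_TOKEN.findall(comment)
        if not rules:
            continue
        # Standalone comment: attach it to the next non-blank line.
        target = code or next((l.strip() for l in lines[idx:] if l.strip()), "")
        found.extend(Suppression(rule, idx, target) for rule in rules)
    return found


def count_by_rule(suppressions: list[Suppression]) -> dict[str, int]:
    """How often each rule is suppressed; a quick view of what is being hidden."""
    return dict(Counter(s.rule for s in suppressions))


# Constructed sample: the three snippets from this page in a single file.
SAMPLE_TF = """\
resource "aws_security_group_rule" "backend" {
    type = "ingress"
    cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS006
}

resource "aws_security_group_rule" "api" {
    type = "ingress"
    #tfsec:ignore:AWS006
    cidr_blocks = ["0.0.0.0/0"]
}

#tfsec:ignore:AWS017 tfsec:ignore:AWS002
resource "aws_s3_bucket" "backend" {
    bucket = "backend"
    acl    = "private"
}
"""

if __name__ == "__main__":
    for s in find_suppressions(SAMPLE_TF):
        print(f"line {s.line}: {s.rule} suppressed on: {s.target}")
    print(count_by_rule(find_suppressions(SAMPLE_TF)))
```

Running it over the sample reports AWS006 twice (lines 3 and 8) and AWS017 and AWS002 once each, both attached to the aws_s3_bucket block header. Note that a '#' inside a quoted string value would be misread as a comment start by this simple scanner.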

Outdated SSL / TLS protocol Example

TLS 1.0 and 1.1 reached end of life and were deprecated by several web browsers and cloud vendors. Using TLS 1.2 or newer is recommended for the majority of applications. Codeac scans each change in your Infrastructure as Code repository and pinpoints potential security threats.

Terraform - Outdated SSL / TLS protocol Example