Automic VaultAutomic Vault

brew

Install tfsec with Homebrew, chocolatey, MacPorts, Nix, scoop

Static analysis security scanner for your terraform code. Version 1.28.14 via Homebrew; verified from local package data.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install tfsec

local Homebrew formula metadata

MacPortsverified · 94%
sudo port install tfsec

MacPorts ports tree · security/tfsec/Portfile · source: api.github.com

Linux

Nixverified · 92%
nix profile install nixpkgs#tfsec

nixpkgs package indexes · pkgs/by-name/tf/tfsec/package.nix · source: api.github.com

overview

Package summary

Static analysis security scanner for your terraform code

Commands and aliases

  • tfsec

history

Project history and usage

tfsec is an Aqua Security command-line scanner for finding security misconfigurations in Terraform code. Its official README describes it as a static-analysis tool for Terraform and lists broad cloud-provider coverage, hundreds of built-in rules, multiple report formats, CI usage, Docker images, editor integrations, GitHub Actions, and Azure DevOps integration.

In 2023 Aqua announced that tfsec was joining the Trivy family. The project remained available, but Aqua directed users toward Trivy for ongoing engineering attention and a broader scanner ecosystem.

Project history

The project grew around Terraform-specific static analysis: scanning local and remote modules, evaluating HCL expressions and Terraform functions, checking relationships between Terraform resources, supporting Terraform CDK, and allowing user-defined Rego policies.

Aqua's tfsec-to-Trivy migration material frames tfsec as one of the foundations of Trivy's infrastructure-as-code and misconfiguration scanning support. The migration guide maps common tfsec commands to Trivy equivalents, such as replacing `tfsec <dir>` with `trivy config <dir>`.

Adoption history

The official README documents package-manager and binary distribution through Homebrew/Linuxbrew, Chocolatey, Scoop, Go install, release binaries, and Docker images. The input metadata also records Homebrew, Chocolatey, MacPorts, Nix, and Scoop packaging.

The README cites Thoughtworks Tech Radar's Adopt rating and describes tfsec as a default static-analysis tool for Terraform in Thoughtworks projects. Aqua's 2023 announcement shows the adoption inflection point: the Terraform scanning engine moved into the wider Trivy product and community path while tfsec stayed available.

How it is used

The usual package-nerd workflow was `brew install tfsec` followed by `tfsec .` in a Terraform repository. The tool exits non-zero when it finds problems, which made it natural for CI gates.

tfsec supported machine-readable output such as JSON, SARIF, CSV, Checkstyle, and JUnit, plus GitHub Security Alerts via SARIF upload. It also supported inline ignore comments such as `tfsec:ignore:<rule>`, expiry dates for ignores, tfvars input, custom checks under `.tfsec`, and a root `.tfsec/config.json` or `.tfsec/config.yml` config file.

Why package nerds care

For Homebrew and other package-manager users, tfsec was a compact example of an IaC security tool that could be installed as a single CLI and dropped into editors, hooks, and CI without a service dependency.

Its later migration into Trivy is significant for package catalogs because it marks a common lifecycle for niche security CLIs: first a focused Terraform scanner, then an engine folded into a broader multi-surface scanner while the old binary remains packaged for existing automation.

Timeline

  • 2023-02-18: Aqua announced that tfsec was joining the Trivy family and encouraged the community to transition to Trivy.
  • 2024-2025: The GitHub releases page shows continuing tfsec maintenance releases in the v1.28 series, including v1.28.14 on 2025-05-02.
  • 2026: The input metadata still records tfsec in multiple package managers, including Homebrew, Chocolatey, MacPorts, Nix, and Scoop.

Related projects

  • Trivy is the successor path recommended by Aqua for Terraform and broader misconfiguration scanning.
  • The README links related tfsec integrations including tfsec-pr-commenter-action, tfsec-sarif-action, the official Azure DevOps task, and editor plugins for JetBrains, VS Code, and Vim.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 8 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
.tfsec/config.json.tfsec/config.yml

executables

Installed executables

CommandKindExposureNote
tfseccliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version1.28.14
manager updated
local dataok
upstreamcurrent
latest detectedv1.28.14

https://github.com/aquasecurity/tfsec

  • infoNo package-manager update timestamp was available.low confidence

install metadata

Package metadata

Package keybrew:tfsec
Version1.28.14
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/tfsec
Homepagehttps://aquasecurity.github.io/tfsec/latest/
Repositoryhttps://github.com/aquasecurity/tfsec
Upstream docshttps://aquasecurity.github.io/tfsec/latest
LicenseMIT
Source archivehttps://github.com/aquasecurity/tfsec/archive/refs/tags/v1.28.14.tar.gz
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, sonoma, ventura, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nametfsec
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

tfsec

nix profile install nixpkgs#tfsec
  • normalized package name match
  • Matched by: Tfsec
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/tf/tfsec/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
MacPorts95%

tfsec

sudo port install tfsec
  • normalized package name match
  • Matched by: Tfsec
MacPorts ports tree · api.github.com · MacPorts ports tree: security/tfsec/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
Chocolatey95%

tfsec

choco install tfsec
  • normalized package name match
  • Matched by: Tfsec
Chocolatey community package catalog · community.chocolatey.org · Chocolatey community package catalog: tfsec from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','telegram.install'
Scoop95%

main/tfsec

scoop install main/tfsec
  • normalized package name match
  • Matched by: Tfsec
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/tfsec.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment