macOS
brew install tfseclocal Homebrew formula metadata
sudo port install tfsecMacPorts ports tree · security/tfsec/Portfile · source: api.github.com
brew
Static analysis security scanner for your terraform code. Version 1.28.14 via Homebrew; verified from local package data.
install
brew install tfseclocal Homebrew formula metadata
sudo port install tfsecMacPorts ports tree · security/tfsec/Portfile · source: api.github.com
nix profile install nixpkgs#tfsecnixpkgs package indexes · pkgs/by-name/tf/tfsec/package.nix · source: api.github.com
choco install tfsecChocolatey community package catalog · tfsec · source: community.chocolatey.org
scoop install main/tfsecScoop official bucket manifest trees · bucket/tfsec.json · source: api.github.com
overview
Static analysis security scanner for your terraform code
history
tfsec is an Aqua Security command-line scanner for finding security misconfigurations in Terraform code. Its official README describes it as a static-analysis tool for Terraform and lists broad cloud-provider coverage, hundreds of built-in rules, multiple report formats, CI usage, Docker images, editor integrations, GitHub Actions, and Azure DevOps integration.
In 2023 Aqua announced that tfsec was joining the Trivy family. The project remained available, but Aqua directed users toward Trivy for ongoing engineering attention and a broader scanner ecosystem.
The project grew around Terraform-specific static analysis: scanning local and remote modules, evaluating HCL expressions and Terraform functions, checking relationships between Terraform resources, supporting Terraform CDK, and allowing user-defined Rego policies.
Aqua's tfsec-to-Trivy migration material frames tfsec as one of the foundations of Trivy's infrastructure-as-code and misconfiguration scanning support. The migration guide maps common tfsec commands to Trivy equivalents, such as replacing `tfsec <dir>` with `trivy config <dir>`.
The official README documents package-manager and binary distribution through Homebrew/Linuxbrew, Chocolatey, Scoop, Go install, release binaries, and Docker images. The input metadata also records Homebrew, Chocolatey, MacPorts, Nix, and Scoop packaging.
The README cites Thoughtworks Tech Radar's Adopt rating and describes tfsec as a default static-analysis tool for Terraform in Thoughtworks projects. Aqua's 2023 announcement shows the adoption inflection point: the Terraform scanning engine moved into the wider Trivy product and community path while tfsec stayed available.
The usual package-nerd workflow was `brew install tfsec` followed by `tfsec .` in a Terraform repository. The tool exits non-zero when it finds problems, which made it natural for CI gates.
tfsec supported machine-readable output such as JSON, SARIF, CSV, Checkstyle, and JUnit, plus GitHub Security Alerts via SARIF upload. It also supported inline ignore comments such as `tfsec:ignore:<rule>`, expiry dates for ignores, tfvars input, custom checks under `.tfsec`, and a root `.tfsec/config.json` or `.tfsec/config.yml` config file.
For Homebrew and other package-manager users, tfsec was a compact example of an IaC security tool that could be installed as a single CLI and dropped into editors, hooks, and CI without a service dependency.
Its later migration into Trivy is significant for package catalogs because it marks a common lifecycle for niche security CLIs: first a focused Terraform scanner, then an engine folded into a broader multi-surface scanner while the old binary remains packaged for existing automation.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
.tfsec/config.json.tfsec/config.ymlexecutables
| Command | Kind | Exposure | Note |
|---|---|---|---|
tfsec | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/aquasecurity/tfsec
install metadata
| Package key | brew:tfsec |
|---|---|
| Version | 1.28.14 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/tfsec |
| Homepage | https://aquasecurity.github.io/tfsec/latest/ |
| Repository | https://github.com/aquasecurity/tfsec |
| Upstream docs | https://aquasecurity.github.io/tfsec/latest |
| License | MIT |
| Source archive | https://github.com/aquasecurity/tfsec/archive/refs/tags/v1.28.14.tar.gz |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, sonoma, ventura, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | tfsec |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
tfsec
nix profile install nixpkgs#tfsectfsec
sudo port install tfsectfsec
choco install tfsecmain/tfsec
scoop install main/tfsecsource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.