# Install tfsec with Homebrew, chocolatey, MacPorts, Nix, scoop

Static analysis security scanner for your terraform code. Version 1.28.14 via Homebrew; verified from local package data.

## Install

```sh
sudo av install brew:tfsec
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install tfsec
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install tfsec
```

  Evidence: MacPorts ports tree: security/tfsec/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#tfsec
```

  Evidence: nixpkgs package indexes: pkgs/by-name/tf/tfsec/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

### Windows

- Chocolatey (92%):

```sh
choco install tfsec
```

  Evidence: Chocolatey community package catalog: tfsec from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','telegram.install'

- Scoop (92%):

```sh
scoop install main/tfsec
```

  Evidence: Scoop official bucket manifest trees: bucket/tfsec.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:tfsec
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/tfsec>
- **Version:** 1.28.14
- **Source summary:** Static analysis security scanner for your terraform code
- **Homepage:** <https://aquasecurity.github.io/tfsec/latest/>
- **Repository:** <https://github.com/aquasecurity/tfsec>
- **Upstream docs:** <https://aquasecurity.github.io/tfsec/latest>
- **License:** MIT
- **Source archive:** <https://github.com/aquasecurity/tfsec/archive/refs/tags/v1.28.14.tar.gz>
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- tfsec (cli)
- tfsec (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, sonoma, ventura, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.28.14
- Local data: ok
- Upstream repository: https://github.com/aquasecurity/tfsec
- Upstream latest detected: v1.28.14 (current)
- info: No package-manager update timestamp was available.
## Project history and usage

tfsec is an Aqua Security command-line scanner for finding security misconfigurations in Terraform code. Its official README describes it as a static-analysis tool for Terraform and lists broad cloud-provider coverage, hundreds of built-in rules, multiple report formats, CI usage, Docker images, editor integrations, GitHub Actions, and Azure DevOps integration.

In 2023 Aqua announced that tfsec was joining the Trivy family. The project remained available, but Aqua directed users toward Trivy for ongoing engineering attention and a broader scanner ecosystem.

### Project history

The project grew around Terraform-specific static analysis: scanning local and remote modules, evaluating HCL expressions and Terraform functions, checking relationships between Terraform resources, supporting Terraform CDK, and allowing user-defined Rego policies.

Aqua's tfsec-to-Trivy migration material frames tfsec as one of the foundations of Trivy's infrastructure-as-code and misconfiguration scanning support. The migration guide maps common tfsec commands to Trivy equivalents, such as replacing `tfsec <dir>` with `trivy config <dir>`.

### Adoption history

The official README documents package-manager and binary distribution through Homebrew/Linuxbrew, Chocolatey, Scoop, Go install, release binaries, and Docker images. The input metadata also records Homebrew, Chocolatey, MacPorts, Nix, and Scoop packaging.

The README cites Thoughtworks Tech Radar's Adopt rating and describes tfsec as a default static-analysis tool for Terraform in Thoughtworks projects. Aqua's 2023 announcement shows the adoption inflection point: the Terraform scanning engine moved into the wider Trivy product and community path while tfsec stayed available.

### How it is used

The usual package-nerd workflow was `brew install tfsec` followed by `tfsec .` in a Terraform repository. The tool exits non-zero when it finds problems, which made it natural for CI gates.

tfsec supported machine-readable output such as JSON, SARIF, CSV, Checkstyle, and JUnit, plus GitHub Security Alerts via SARIF upload. It also supported inline ignore comments such as `tfsec:ignore:<rule>`, expiry dates for ignores, tfvars input, custom checks under `.tfsec`, and a root `.tfsec/config.json` or `.tfsec/config.yml` config file.

### Why package nerds care

For Homebrew and other package-manager users, tfsec was a compact example of an IaC security tool that could be installed as a single CLI and dropped into editors, hooks, and CI without a service dependency.

Its later migration into Trivy is significant for package catalogs because it marks a common lifecycle for niche security CLIs: first a focused Terraform scanner, then an engine folded into a broader multi-surface scanner while the old binary remains packaged for existing automation.

### Timeline

- 2023-02-18: Aqua announced that tfsec was joining the Trivy family and encouraged the community to transition to Trivy.
- 2024-2025: The GitHub releases page shows continuing tfsec maintenance releases in the v1.28 series, including v1.28.14 on 2025-05-02.
- 2026: The input metadata still records tfsec in multiple package managers, including Homebrew, Chocolatey, MacPorts, Nix, and Scoop.

### Related projects

- Trivy is the successor path recommended by Aqua for Terraform and broader misconfiguration scanning.
- The README links related tfsec integrations including tfsec-pr-commenter-action, tfsec-sarif-action, the official Azure DevOps task, and editor plugins for JetBrains, VS Code, and Vim.

### Sources

- <https://aquasecurity.github.io/tfsec/v0.63.1/getting-started/configuration/config/>
- <https://github.com/aquasecurity/tfsec README>
- <https://github.com/aquasecurity/tfsec/blob/master/tfsec-to-trivy-migration-guide.md>
- <https://github.com/aquasecurity/tfsec/discussions/1994>
- source_facts.package-manager


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: .tfsec/config.json, .tfsec/config.yml
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** tfsec
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - tfsec: normalized package name match | nixpkgs package indexes: pkgs/by-name/tf/tfsec/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- MacPorts - tfsec: normalized package name match | MacPorts ports tree: security/tfsec/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
- Chocolatey - tfsec: normalized package name match | Chocolatey community package catalog: tfsec from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','telegram.install'
- Scoop - main/tfsec: normalized package name match | Scoop official bucket manifest trees: bucket/tfsec.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1


## Related links

- [Cloud CLI packages](https://www.automicvault.com/pkg/cloud-clis/) - Belongs to a cloud or infrastructure command family.
- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Developer build packages](https://www.automicvault.com/pkg/developer-build-tools/) - Matched build, compiler, generator, or developer workflow metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [bandit](https://www.automicvault.com/pkg/brew/bandit/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [caracal](https://www.automicvault.com/pkg/brew/caracal/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [cargo-geiger](https://www.automicvault.com/pkg/brew/cargo-geiger/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [flawfinder](https://www.automicvault.com/pkg/brew/flawfinder/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [gosec](https://www.automicvault.com/pkg/brew/gosec/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [joern](https://www.automicvault.com/pkg/brew/joern/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [checkov](https://www.automicvault.com/pkg/brew/checkov/) - Shares av.db curated category or tags: cli, security, static-analysis, terraform.
- [ghalint](https://www.automicvault.com/pkg/brew/ghalint/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [terrascan](https://www.automicvault.com/pkg/brew/terrascan/) - Security-sensitive metadata or terminology overlaps. Shared terms: analysis, cli, code, iac, security.

## Combined YAML source

View the package source record on GitHub. [combined/tfsec.yml](https://github.com/automic-vault/db/blob/main/combined/tfsec.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
