Skip to main content
Version: 2.20 (deprecated)

terraform-tfsec


tfsec by Aqua Security

Backend: pants.backend.experimental.terraform.lint.tfsec

Config section: [terraform-tfsec]

Basic options

args

--terraform-tfsec-args="[<shell_str>, <shell_str>, ...]"
PANTS_TERRAFORM_TFSEC_ARGS
pants.toml
[terraform-tfsec]
args = [
<shell_str>,
<shell_str>,
...,
]
default: []

Arguments to pass directly to tfsec, e.g. --terraform-tfsec-args='--minimum-severity=MEDIUM'.

skip

--[no-]terraform-tfsec-skip
PANTS_TERRAFORM_TFSEC_SKIP
pants.toml
[terraform-tfsec]
skip = <bool>
default: False

If true, don't use tfsec when running pants lint.

Advanced options

config

--terraform-tfsec-config=<file_option>
PANTS_TERRAFORM_TFSEC_CONFIG
pants.toml
[terraform-tfsec]
config = <file_option>
default: None

Path to the tfsec config file (https://aquasecurity.github.io/tfsec/latest/guides/configuration/config/)

Setting this option will disable [terraform-tfsec].config_discovery. Use this option if the config is located in a non-standard location.

config_discovery

--[no-]terraform-tfsec-config-discovery
PANTS_TERRAFORM_TFSEC_CONFIG_DISCOVERY
pants.toml
[terraform-tfsec]
config_discovery = <bool>
default: True

If true, Pants will include all relevant config files during runs (.tfsec/config.json or .tfsec/config.yml). Note that you will have to tell Pants to include this file by adding "!.tfsec/" to [global].pants_ignore.add.

Use [terraform-tfsec].config instead if your config is in a non-standard location.

known_versions

--terraform-tfsec-known-versions="['<str>', '<str>', ...]"
PANTS_TERRAFORM_TFSEC_KNOWN_VERSIONS
pants.toml
[terraform-tfsec]
known_versions = [
'<str>',
'<str>',
...,
]
default:
[
  "v1.28.1|linux_x86_64|57b902b31da3eed12448a4e82a8aca30477e4bcd1bf99e3f65310eae0889f88d|26427634"
]

Known versions to verify downloads against.

Each element is a pipe-separated string of version|platform|sha256|length or version|platform|sha256|length|url_override, where:

  • version is the version string
  • platform is one of [linux_arm64,linux_x86_64,macos_arm64,macos_x86_64]
  • sha256 is the 64-character hex representation of the expected sha256 digest of the download file, as emitted by shasum -a 256
  • length is the expected length of the download file in bytes, as emitted by wc -c
  • (Optional) url_override is a specific url to use instead of the normally generated url for this version

E.g., 3.1.2|macos_x86_64|6d0f18cd84b918c7b3edd0203e75569e0c7caecb1367bbbe409b44e28514f5be|42813. and 3.1.2|macos_arm64 |aca5c1da0192e2fd46b7b55ab290a92c5f07309e7b0ebf4e45ba95731ae98291|50926|https://example.mac.org/bin/v3.1.2/mac-aarch64-v3.1.2.tgz.

Values are space-stripped, so pipes can be indented for readability if necessary.

use_unsupported_version

--terraform-tfsec-use-unsupported-version=<UnsupportedVersionUsage>
PANTS_TERRAFORM_TFSEC_USE_UNSUPPORTED_VERSION
pants.toml
[terraform-tfsec]
use_unsupported_version = <UnsupportedVersionUsage>
one of: error, warning
default: error

What action to take in case the requested version of tfsec is not supported.

Supported tfsec versions: unspecified

version

--terraform-tfsec-version=<str>
PANTS_TERRAFORM_TFSEC_VERSION
pants.toml
[terraform-tfsec]
version = <str>
default: v1.28.1

Use this version of tfsec.

Deprecated options

None

None