Version: 2.25 (dev)

terraform-tfsec


tfsec by Aqua Security

Backend: pants.backend.experimental.terraform.lint.tfsec

Config section: [terraform-tfsec]

Basic options

args

--terraform-tfsec-args="[<shell_str>, <shell_str>, ...]"
PANTS_TERRAFORM_TFSEC_ARGS
pants.toml
[terraform-tfsec]
args = [
<shell_str>,
<shell_str>,
...,
]
default: []

Arguments to pass directly to tfsec, e.g. --terraform-tfsec-args='--minimum-severity=MEDIUM'.

report_name

--terraform-tfsec-report-name=<str>
PANTS_TERRAFORM_TFSEC_REPORT_NAME
pants.toml
[terraform-tfsec]
report_name = <str>
default: None

If specified, redirects the output to one or more files under dist/lint/terraform-tfsec/ with the given name.

skip

--[no-]terraform-tfsec-skip
PANTS_TERRAFORM_TFSEC_SKIP
pants.toml
[terraform-tfsec]
skip = <bool>
default: False

If true, don't use tfsec when running pants lint.

Advanced options

config

--terraform-tfsec-config=<file_option>
PANTS_TERRAFORM_TFSEC_CONFIG
pants.toml
[terraform-tfsec]
config = <file_option>
default: None

Path to the tfsec config file (https://aquasecurity.github.io/tfsec/latest/guides/configuration/config/)

Setting this option will disable config discovery for the config file. Use this option if the config is located in a non-standard location.

config_discovery

--[no-]terraform-tfsec-config-discovery
PANTS_TERRAFORM_TFSEC_CONFIG_DISCOVERY
pants.toml
[terraform-tfsec]
config_discovery = <bool>
default: True

If true, Pants will include all relevant config files during runs (.tfsec/config.json or .tfsec/config.yml). Note that you will have to tell Pants to include this file by adding "!.tfsec/" to [global].pants_ignore.add.

Use [terraform-tfsec].config and [terraform-tfsec].custom_check_dir instead if your config is in a non-standard location.

custom_check_dir

--terraform-tfsec-custom-check-dir=<dir_option>
PANTS_TERRAFORM_TFSEC_CUSTOM_CHECK_DIR
pants.toml
[terraform-tfsec]
custom_check_dir = <dir_option>
default: None

Path to the directory containing custom checks (https://aquasecurity.github.io/tfsec/latest/guides/configuration/custom-checks/#overriding-check-directory)

Setting this option will disable config discovery for custom checks. Use this option if the custom checks dir is located in a non-standard location.

known_versions

--terraform-tfsec-known-versions="['<str>', '<str>', ...]"
PANTS_TERRAFORM_TFSEC_KNOWN_VERSIONS
pants.toml
[terraform-tfsec]
known_versions = [
'<str>',
'<str>',
...,
]
default:
[
  "1.28.6|linux_x86_64|8cbd8d64cbd1f25b38f33fa04db602466dade79e99c99dc9da053b5962d34014|30175259",
  "1.28.6|linux_arm64|4bc7b0f0592be4fa384cff52af5b1cdd2066ba7a06001bea98690340851c0bce|27577217",
  "1.28.6|macos_x86_64|3b31e954819faa7d6151b999548cefb782f2f4dc64b355c8747e44d4b0b2faca|31168281",
  "1.28.6|macos_arm64|aa132b7e0e69e16f1c9320257841751e52c42d9791b7f900de72cf0b06ffe74c|30083056",
  "1.28.1|linux_x86_64|57b902b31da3eed12448a4e82a8aca30477e4bcd1bf99e3f65310eae0889f88d|26427634",
  "1.28.1|linux_arm64 |20daad803d2a7a781f2ef0ee72ba4ed4ae17dcb41a43a330ae7b98347762bec9|24299157",
  "1.28.1|macos_x86_64|6d9f5a747b1fcc1b6c314d30f4ff4d753371e5690309a99a5dd653d719d20d2d|27293876",
  "1.28.1|macos_arm64 |6d664dcdd37e2809d1b4f14b310ccda0973b4a29e4624e902286e4964d101e22|26478632"
]

Known versions to verify downloads against.

Each element is a pipe-separated string of version|platform|sha256|length or version|platform|sha256|length|url_override, where:

  • version is the version string
  • platform is one of [linux_arm64,linux_x86_64,macos_arm64,macos_x86_64]
  • sha256 is the 64-character hex representation of the expected sha256 digest of the download file, as emitted by shasum -a 256
  • length is the expected length of the download file in bytes, as emitted by wc -c
  • (Optional) url_override is a specific url to use instead of the normally generated url for this version

E.g., 3.1.2|macos_x86_64|6d0f18cd84b918c7b3edd0203e75569e0c7caecb1367bbbe409b44e28514f5be|42813 and 3.1.2|macos_arm64 |aca5c1da0192e2fd46b7b55ab290a92c5f07309e7b0ebf4e45ba95731ae98291|50926|https://example.mac.org/bin/v3.1.2/mac-aarch64-v3.1.2.tgz.

Values are space-stripped, so pipes can be indented for readability if necessary.
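
As an added illustration (not Pants' own implementation), the Python sketch below parses an entry in the format described above, builds an entry for a new download, and checks a file against its pinned length and SHA-256 digest. The names KnownVersion, parse_known_version, make_entry and matches are hypothetical, and the sample bytes and version 0.0.0 are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Platform names as listed in the option description above.
PLATFORMS = {"linux_arm64", "linux_x86_64", "macos_arm64", "macos_x86_64"}

@dataclass(frozen=True)
class KnownVersion:  # hypothetical name, not a Pants class
    version: str
    platform: str
    sha256: str
    length: int
    url_override: Optional[str] = None

def parse_known_version(entry: str) -> KnownVersion:
    """Parse version|platform|sha256|length[|url_override]; spaces around pipes are stripped."""
    fields = [f.strip() for f in entry.split("|")]
    if len(fields) not in (4, 5):
        raise ValueError(f"expected 4 or 5 pipe-separated fields, got {len(fields)}")
    version, platform, digest, length = fields[:4]
    if platform not in PLATFORMS:
        raise ValueError(f"unknown platform: {platform!r}")
    digest = digest.lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("sha256 must be 64 hex characters")
    if not (length.isascii() and length.isdigit()):
        raise ValueError("length must be a byte count")
    url = fields[4] if len(fields) == 5 else None
    return KnownVersion(version, platform, digest, int(length), url)

def make_entry(version: str, platform: str, data: bytes) -> str:
    """Build an entry from file bytes (same values as shasum -a 256 and wc -c)."""
    return f"{version}|{platform}|{hashlib.sha256(data).hexdigest()}|{len(data)}"

def matches(data: bytes, known: KnownVersion) -> bool:
    """True only if both the byte length and the SHA-256 digest match the pinned entry."""
    return len(data) == known.length and hashlib.sha256(data).hexdigest() == known.sha256

# Constructed sample bytes standing in for a release archive; 0.0.0 is a placeholder version.
SAMPLE = b"constructed stand-in for a tfsec release archive\n"
PINNED = parse_known_version(make_entry("0.0.0", "linux_x86_64", SAMPLE))
```

A file that differs from the pinned bytes, even at the same length, fails the digest comparison, which is why a new entry should be computed from an archive whose origin has been checked independently.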

use_unsupported_version

--terraform-tfsec-use-unsupported-version=<UnsupportedVersionUsage>
PANTS_TERRAFORM_TFSEC_USE_UNSUPPORTED_VERSION
pants.toml
[terraform-tfsec]
use_unsupported_version = <UnsupportedVersionUsage>
one of: error, warning
default: error

What action to take in case the requested version of tfsec is not supported.

Supported tfsec versions: unspecified

version

--terraform-tfsec-version=<str>
PANTS_TERRAFORM_TFSEC_VERSION
pants.toml
[terraform-tfsec]
version = <str>
default: 1.28.6

Use this version of tfsec.

Deprecated options

None