Securing infrastructure starts long before deployment. Terraform scanning tools help detect misconfigurations, security risks, and policy violations before infrastructure is deployed.
In this article, we explore the top Terraform security scanners and how they help teams automate checks and prevent drift in every pipeline.
IaC scanning refers to the automated analysis of Terraform code to detect security, compliance, and configuration issues before deployment. It helps identify misconfigurations, hardcoded secrets, or policy violations in Infrastructure as Code files.
IaC scanning tools analyze .tf files to ensure that resources like IAM roles, security groups, or S3 buckets follow security and compliance best practices.
IaC scanning is typically integrated into CI/CD pipelines or Git workflows to prevent risky infrastructure from being deployed. It supports shift-left security by catching issues early in the development lifecycle.
Terrascan is an open-source IaC security scanner maintained by Tenable that analyzes Terraform code pre-deploy to catch misconfigurations against policy-as-code rules, supports multi-cloud targets, and plugs into developer workflows and CI/CD with machine-readable outputs and remote repo scanning.
It uses OPA/Rego policies (built-in and customizable), supports skipping/targeting rules, and can optionally surface container image vulnerabilities referenced in your IaC.
# Scan Terraform in the current directory (default IaC provider) and target AWS policies
terrascan scan -t aws -d .
# CI-friendly example: Terraform scan with SARIF output
terrascan scan -i terraform -o sarif -d .Key features
- Policy-as-code with OPA/Rego: Write or extend rules in Rego, manage metadata via rule JSON, update local/bundled policies with
terrascan init, and selectively skip rules when needed. - Broad Terraform & multi-cloud coverage: Scans Terraform (HCL2) with provider-specific policies (e.g.,
-t aws) and supports other IaC types when you need them. - Built for pipelines and developers: Integrates with GitHub/GitLab and pre-commit, outputs JSON/YAML/JUnit-XML/SARIF for automated gates, and can fetch vulnerability results from major container registries.
Official documentation: https://runterrascan.io/docs/
Read more: What is Terrascan? Features, Use Cases & Custom Policies
Checkov is an open-source static-analysis tool for Infrastructure as Code (IaC) that inspects templates (Terraform, CloudFormation, Kubernetes, Helm, ARM, Serverless, etc.) early in the delivery pipeline to detect misconfigurations, policy violations, and security gaps before deployment.
# Run Checkov against a Terraform directory
checkov -d ./infrastructure/terraform
# Example: scan a Terraform plan (JSON) with SARIF output
terraform plan -out tfplan
terraform show -json tfplan > tfplan.json
checkov -f tfplan.json --output sarifKey features
- Vast built-in policy library: Supports hundreds (750+) of pre-defined checks across major clouds and templates, including CIS, PCI-DSS and other compliance frameworks
- Graph-based resource relationship analysis: Beyond simple attribute checks, Checkov builds a graph of IaC resources and analyzes dependencies and connections to catch deeper configuration issues
- Flexible CI/CD & workflow integration: Easily plugs into GitHub, GitLab, pre-commit hooks, IDEs, and supports output formats like JSON, JUnit-XML, SARIF to fit DevOps pipelines
Official documentation: https://checkov.io
tfsec is an open-source Terraform security scanner (from Aqua Security) that performs static analysis on HCL to flag risky or non-compliant configurations before apply. It remains available as a standalone CLI, but its scanning engine has been folded into Aqua’s Trivy, so most new development happens there.
# Scan the current Terraform project and emit SARIF for CI code scanning
tfsec . --format sarifKey features
- Terraform-first analysis: Uses the official HCL parser, runs fast and locally without cloud creds or state, and targets misconfigurations across major providers.
- Flexible outputs & CI hooks: Exports results as JSON, CSV, Checkstyle, JUnit, and SARIF, and ships a ready-to-use GitHub Action for pipeline gating.
- Custom rules via simple JSON/YAML: Add org-specific policies with
*_tfchecks.json|yamlin.tfsec/, or load rules via--custom-check-dir/--custom-check-url.
Official documentation: https://github.com/aquasecurity/tfsec
Read more: What is tfsec? How to Install, Config, Ignore Checks
Note: tfsec is now part of Trivy.
KICS is a free, open-source static-analysis engine designed for Infrastructure as Code (IaC) that inspects your configuration files (Terraform, Kubernetes manifests, CloudFormation, Ansible, Pulumi, Helm charts and more) before deployment to detect misconfigurations, compliance issues and security risks across diverse platforms.
# Scan a directory of Terraform / IaC files with KICS
docker run -v "$(pwd)":/path checkmarx/kics:latest scan -p /path -o /path/results
# CLI-only example
kics scan -p ./infrastructure/terraform -o ./scan-output.json --report-formats jsonKey features
- Wide platform support & broad rule library: Works with Terraform, CloudFormation, Kubernetes, Pulumi, Dockerfile, Ansible and more, and ships with ~1900+ built-in queries for misconfiguration and compliance detection.
- Extensible query-engine: Every check is defined as a query you can edit, add or disable – enabling customised policies, specialised compliance frameworks and fine-tuned filtering.
- CI/CD / developer-friendly integrations: Easy to embed into pipelines (Docker, CLI, GitHub Actions/VSCode), produce JSON/SARIF/HTML outputs, and shift left IaC security into dev and PR workflows.
Official documentation: https://docs.kics.io/latest/getting-started/
TFLint is a pluggable linter for Terraform that statically analyzes HCL to catch provider-specific mistakes (e.g., invalid instance types), deprecated syntax, unused declarations, and best-practice drifts.
It works via rule plugins for major clouds (AWS, Azure, GCP) and lets you enable/disable rules or tune behavior in a .tflint.hcl config, with machine-readable outputs like JSON, JUnit, Checkstyle, and SARIF for CI.
# 1) Configure plugins in .tflint.hcl, then install them
tflint --init
# 2) Lint a Terraform project and emit SARIF for code scanning
tflint . --format sarifKey features
- Pluggable, cloud-aware rules: Add AWS/Azure/GCP rulesets to validate resource types, parameters, and provider quirks before terraform apply.
- Configurable policy control: Manage which rules run (or are skipped) in .tflint.hcl, with CLI flags like
--only,--enable-rule, and--disable-ruleto tailor signal to your repo. - CI-ready outputs: Choose formats including
json,checkstyle,junit, compact, andsarifto integrate with code scanning and quality gates.
Official documentation: https://github.com/terraform-linters/tflint
Read more: What is TFLint and How to Lint Your Terraform Code
Trivy is a unified open-source security scanner that goes beyond containers. It inspects code repositories, file systems, VM images, Kubernetes clusters, and Infrastructure as Code (IaC) files (Terraform, CloudFormation, ARM, Helm) to spot vulnerabilities and misconfigurations in one workflow. It’s the successor to tfsec for IaC checks.
# Scan a Terraform / IaC directory for misconfigurations and violations
trivy config ./infrastructure/terraform
# Scan with specific checks (vuln + misconfig) and JSON output for CI
trivy fs --security-checks vuln,config --format json ./infrastructureKey features
- All-in-one scanning coverage: Trivy supports IaC misconfigurations, container image vulnerabilities, secrets detection, and software licenses, so you don’t need multiple tools for DevOps security.
- Wide format & platform support: It detects Terraform (“.tf”/”.tfvars”), CloudFormation, Kubernetes YAML/JSON, Helm charts and more; it auto-detects file types and applies the right policies.
- CI/CD and workflow integration: Lightweight binary, no heavy dependencies, outputs like JSON/SARIF, easily integrates into GitHub Actions, pipelines and IDEs — supports ‘shift left’ security.
Official documentation: https://trivy.dev/latest/
Open Policy Agent (OPA) is an open-source, general-purpose policy engine that lets you write policy-as-code using a high-level declarative language called Rego and evaluate those policies across your infrastructure, applications, CI/CD pipelines, and cloud environment.
It decouples the “what-can-happen” questions from the business logic of services, enabling teams to manage and update policies in one place, push changes instantly, and ensure consistent enforcement across multiple systems.
OPA itself is not a Terraform “scanner”, as it evaluates policies. Enforcement is typically wired in via tools like Conftest, CI steps, or platform integrations (e.g., HCP Terraform or Spacelift).
package terraform.safe_resources
deny[msg] {
input.resource_changes[_].type == "aws_instance"
not input.resource_changes[_].change.after.tags["Owner"]
msg := sprintf("Resource %v missing Owner tag", [input.resource_changes[_].address])
}Using the above example, OPA evaluates a Terraform plan (in JSON form) and returns the deny messages if any AWS instances don’t include an Owner tag.
Key features
- Unified policy language across systems: Write Rego once and apply it to Kubernetes, APIs, infrastructure, microservices, and pipelines, avoiding fragmented rule sets.
- Separation of policy decision-making and enforcement: OPA handles the logic, while your services focus on execution, so policy updates don’t require redeploying application code.
- Enterprise-ready auditing and governance: OPA gives you decision logs, reusable policy bundles, and the ability to test policies in isolation, offering transparency and traceability for compliance.
Official documentation: https://www.openpolicyagent.org/docs/
Read more: How to Use Open Policy Agent (OPA) with Terraform
A platform like Spacelift can help you and your organization fully manage cloud resources within minutes. Spacelift is an infrastructure management platform that supports tools like OpenTofu, Terraform, Ansible, Pulumi, Kubernetes, and more.
You can run scanners in Spacelift via run hooks (before/after init/plan), reusable Contexts (to provide binaries/config), custom runner images, and Rego policies for gating.
Security is one of Spacelift’s biggest priorities, so there are also state-of-the-art security solutions that are embedded inside the product, like Policy as Code, Encryption, Single Sign-On (SSO), MFA, and Private Worker Pools.
Would you like to see this in action? Check out the video below:
Spacelift includes drift detection capabilities that periodically check your infrastructure for discrepancies compared to your repository’s state. It can then launch reconciliation jobs to restore the correct state, ensuring your infrastructure operates predictably and reliably.
With Spacelift, you get:
- Policies to control what kind of resources engineers can create, what parameters they can have, how many approvals you need for a run, what kind of task you execute, what happens when a pull request is open, and where to send your notifications
- Stack dependencies to build multi-infrastructure automation workflows with dependencies, having the ability to build a workflow that, for example, generates your EC2 instances using Terraform and combines it with Ansible to configure them
- Self-service infrastructure via Blueprints, enabling your developers to do what matters – developing application code while not sacrificing control
- Creature comforts such as contexts (reusable containers for your environment variables, files, and hooks), and the ability to run arbitrary code
- Drift detection and optional remediation
Read more about integrating security tools with Spacelift. And if you want to learn more about Spacelift, create a free account or book a demo with one of our engineers.
Terraform scanning is about proactive security and reliability, not just about syntax.
The tools we’ve reviewed in the article automate policy enforcement, catch errors before deployment, and integrate directly into developer workflows. By shifting checks left, they turn security into part of daily coding, helping teams deliver infrastructure faster and safer without manual reviews or last-minute surprises.
Terraform management made easy
Spacelift effectively manages Terraform state, more complex workflows, supports policy as code, programmatic configuration, context sharing, drift detection, resource visualization and includes many more features.
![How to Enforce Policy as Code in Terraform [Sentinel & OPA]](/_next/image?url=https%3A%2F%2Fspaceliftio.wpcomstaging.com%2Fwp-content%2Fuploads%2F2024%2F07%2F413.terraform-policy-as-code.png&w=3840&q=75)
