Claude Code + tfsec Terraform Security (2026)
Claude Code Tfsec Terraform Security Guide
Infrastructure-as-code has transformed how teams deploy and manage cloud resources. Terraform leads this space, but writing secure Terraform configurations requires vigilance. tfsec, an open-source security scanner for Terraform, catches common misconfigurations before they reach production. Integrating tfsec into your Claude Code workflow automates security checks and keeps your infrastructure code safe.
This guide shows developers and power users how to combine Claude Code with tfsec for continuous Terraform security scanning.
What tfsec Brings to Your Workflow
tfsec analyzes Terraform code statically, detecting issues like exposed secrets, insecure storage configurations, and overly permissive IAM policies. It supports AWS, Azure, Google Cloud, and Kubernetes resources. Unlike dynamic security tools, tfsec works directly on your .tf files without requiring cloud credentials.
The tool parses HCL syntax, understands provider-specific resource attributes, and applies hundreds of built-in security checks. Each finding includes a severity level, description, and remediation guidance. Running tfsec in your development pipeline catches problems early when they’re cheapest to fix.
Typical tfsec findings include:
- S3 buckets allowing public access
- RDS instances without encryption
- Security groups with overly wide port ranges
- IAM policies granting excessive permissions
- Lambda functions running with outdated runtimes
Setting Up tfsec in Your Project
Install tfsec via your preferred package manager:
macOS with Homebrew
brew install tfsec
Linux (AMD64)
curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
Windows with Chocolatey
choco install tfsec
For containerized workflows, use the official Docker image:
docker run --rm -v $(pwd):/src aquasec/tfsec /src
Verify installation by running tfsec --version. You should see output confirming the release.
Running tfsec With Claude Code
Claude Code excels at executing shell commands and analyzing output. The bash tool runs tfsec and parses results, enabling you to iterate on fixes quickly.
Create a simple scan workflow:
Scan the current directory
tfsec .
Scan a specific directory
tfsec ./modules/networking
Output results as JSON for programmatic parsing
tfsec . --format json --out tfsec-results.json
Exit with non-zero code only on high severity findings
tfsec . --minimum-severity HIGH
Integrate tfsec into your Claude Code sessions by calling it after any Terraform modifications:
After editing Terraform files, run:
tfsec . --include-with-passed --no-colour
The --include-with-passed flag shows passed checks too, giving confidence that the scan ran completely.
Automating Security Scans With Custom Scripts
For recurring workflows, wrap tfsec in a shell script that Claude Code can invoke:
#!/bin/bash
tfsec-scan.sh - Automated Terraform security scanning
set -e
TERRAFORM_DIR="${1:-.}"
echo "Running tfsec on: $TERRAFORM_DIR"
Check if tfsec is installed
if ! command -v tfsec &> /dev/null; then
echo "tfsec not found. Install: brew install tfsec"
exit 1
fi
Run tfsec with exit code handling
tfsec "$TERRAFORM_DIR" \
--format json \
--out "tfsec-report-$(date +%Y%m%d-%H%M%S).json" \
--minimum-severity MEDIUM
echo "Scan complete. Review results above."
Make the script executable and use it from Claude Code:
chmod +x tfsec-scan.sh
./tfsec-scan.sh ./infrastructure
Using Claude Code to Interpret tfsec Results
tfsec outputs human-readable text by default, but JSON format unlocks programmatic analysis. Parse JSON results to extract specific findings:
Extract high-severity findings
jq '.results[] | select(.severity == "HIGH")' tfsec-results.json
Feed these results back to Claude Code for natural language explanation:
I've run tfsec on my Terraform configuration. The scan found 3 HIGH severity issues in main.tf. Can you explain each finding and provide corrected Terraform code?
Claude Code can translate technical tfsec output into actionable guidance, generating fixed resource configurations that address each finding.
CI/CD Integration Patterns
For automated pipelines, combine tfsec with your CI system. GitHub Actions example:
name: Terraform Security Scan
on: [push, pull_request]
jobs:
tfsec:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run tfsec
uses: aquasecurity/[email protected]
with:
soft_fail: true
The soft_fail: true setting prevents blocking merges on warnings while still reporting findings. Adjust based on your team’s security posture.
Combining tfsec With Other Claude Skills
The tfsec workflow pairs well with other Claude capabilities. Use the pdf skill to generate security reports suitable for compliance documentation. If you’re building infrastructure tests, the tdd skill helps create test cases that verify your Terraform configurations meet security requirements.
For teams using infrastructure testing frameworks like Terratest, incorporate tfsec as a pre-deployment check. Run the scanner before applying changes:
Validate and scan before apply
terraform validate && tfsec .
terraform apply -auto-approve
Best Practices for Terraform Security
Beyond automated scanning, adopt these practices:
Version control your Terraform state. Use remote backends like S3 with versioning enabled. Enable state encryption for sensitive environments.
Review tfsec findings in context. Some warnings is acceptable for specific use cases. Document exceptions with clear reasoning.
Keep tfsec updated. New security checks release regularly as cloud services evolve. Update tfsec frequently to catch the latest issues.
Scan early and often. Add tfsec to pre-commit hooks, CI pipelines, and deployment workflows. Catch issues before they reach production.
Use module versioning. Pin Terraform module versions to known-good releases. Review module source code before importing.
Common tfsec Rules and Fixes
Understanding frequent findings helps prevent them in future code:
| Rule ID | Issue | Fix |
|---|---|---|
| AWS001 | S3 bucket has no versioning | Add versioning { enabled = true } |
| AWS017 | RDS instance not encrypted | Add storage_encrypted = true |
| AWS021 | Missing age constraint on IAM policy | Add max_age = "90d" condition |
| AWS038 | Lambda permission grants public access | Restrict principal to specific service |
| AWS089 | EC2 instance has public IP | Remove associate_public_ip_address |
Claude Code can auto-generate fixes for many of these issues once you understand the pattern.
Conclusion
tfsec brings professional-grade security scanning to your Terraform workflow without requiring cloud credentials or complex setup. Combined with Claude Code’s natural language processing and tool execution, you have a powerful system for maintaining secure infrastructure as code.
Start by installing tfsec and running it against your current Terraform projects. Integrate it into your development workflow using the scripts and patterns from this guide. The initial effort pays dividends through reduced security incidents and compliance confidence.
Related Reading
- Claude Code Terraform Module Development Guide
- Claude Code Terraform State Management Guide
- Claude Code disallowedTools Security Configuration
Built by theluckystrike. More at zovo.one
Try it: Paste your error into our Error Diagnostic for an instant fix.
Set it up → Build your permission config with our Permission Configurator.
Frequently Asked Questions
What tfsec Brings to Your Workflow?
tfsec is an open-source static security scanner for Terraform that detects misconfigurations like exposed secrets, insecure S3 buckets, unencrypted RDS instances, overly permissive IAM policies, and wide security group port ranges. It supports AWS, Azure, Google Cloud, and Kubernetes resources, working directly on .tf files without requiring cloud credentials. Each finding includes severity level, description, and remediation guidance. Running tfsec early in development catches problems when they are cheapest to fix.
What is Setting Up tfsec in Your Project?
Install tfsec via Homebrew (brew install tfsec on macOS), the official Linux install script, Chocolatey (choco install tfsec on Windows), or Docker (docker run --rm -v $(pwd):/src aquasec/tfsec /src). Verify with tfsec --version. For containerized CI/CD workflows, the Docker image eliminates installation dependencies. The tool parses HCL syntax, understands provider-specific resource attributes, and applies hundreds of built-in security checks across all major cloud providers out of the box.
What is Running tfsec With Claude Code?
Claude Code runs tfsec via its bash tool and parses results for iterative fixes. Basic commands include tfsec . for a current-directory scan, tfsec ./modules/networking for targeted scans, tfsec . --format json --out tfsec-results.json for programmatic output, and tfsec . --minimum-severity HIGH to filter by severity. After editing Terraform files, run tfsec . --include-with-passed --no-colour to show both passed and failed checks, confirming the scan ran completely against all resources.
What is Automating Security Scans With Custom Scripts?
Automation uses a shell script (tfsec-scan.sh) that accepts a Terraform directory argument, checks tfsec is installed, runs the scan with JSON output to a timestamped report file, and filters by minimum MEDIUM severity. Make the script executable with chmod +x and invoke it from Claude Code. For CI/CD, use the aquasecurity/[email protected] GitHub Action with soft_fail: true to report findings without blocking merges on warnings, adjustable based on your team’s security posture.
What is Using Claude Code to Interpret tfsec Results?
Claude Code translates tfsec JSON output into actionable guidance by parsing results with jq (jq '.results[] | select(.severity == "HIGH")') and generating corrected Terraform configurations. Feed findings to Claude Code with a prompt like “The scan found 3 HIGH severity issues in main.tf. Explain each finding and provide corrected Terraform code.” Claude Code maps tfsec rule IDs (e.g., AWS001 for unversioned S3, AWS017 for unencrypted RDS) to specific resource attribute fixes like versioning { enabled = true } or storage_encrypted = true.