| name | iac-scanner |
| description | Scans Infrastructure as Code for security misconfigurations. Wraps tfsec for Terraform and Checkov for multi-cloud IaC. Use when user asks to "scan Terraform", "IaC security", "infrastructure scan", "tfsec", "checkov", "Terraformセキュリティ", "インフラスキャン". |
IaC Scanner
Wrapper for tfsec and Checkov to scan Infrastructure as Code.
Prerequisites
# tfsec (Terraform focused)
brew install tfsec
# or
go install github.com/aquasecurity/tfsec/cmd/tfsec@latest
# Checkov (multi-cloud)
pip install checkov
# or
brew install checkov
Usage
# Scan with auto-detection
npx iac-scanner .
# Force specific scanner
npx iac-scanner . --scanner tfsec
npx iac-scanner . --scanner checkov
# JSON output
npx iac-scanner . --json
# Check available scanners
npx iac-scanner --check
# Scan specific framework
npx iac-scanner . --framework terraform
npx iac-scanner . --framework kubernetes
npx iac-scanner . --framework cloudformation
Supported Frameworks
| Scanner |
Frameworks |
| tfsec |
Terraform |
| Checkov |
Terraform, CloudFormation, Kubernetes, ARM, Serverless, Helm |
Output Format
{
"tool": "tfsec",
"scanPath": ".",
"scanDate": "2024-01-15T10:30:00Z",
"findings": [
{
"id": "aws-s3-enable-bucket-encryption",
"severity": "high",
"message": "Bucket does not have encryption enabled",
"resource": "aws_s3_bucket.data",
"file": "main.tf",
"line": 15,
"resolution": "Enable bucket encryption"
}
],
"summary": {
"total": 5,
"critical": 1,
"high": 2,
"medium": 1,
"low": 1
}
}
Common Misconfigurations
| Category |
Example |
| Encryption |
S3 bucket without encryption |
| Access Control |
Public S3 bucket, open security groups |
| Logging |
Missing CloudTrail, no access logs |
| Network |
VPC without flow logs, open CIDR |
| IAM |
Overly permissive policies, wildcard actions |
| Secrets |
Hardcoded credentials in config |
Exit Codes
0: No issues found1: Issues detected2: Tool not installed or error