← All posts

Release: Static analysis for Terraform

Detect security issues in Terraform files with static analysis

Header image
By Srijan on 
Share on Twitter Share on LinkedIn Share on Facebook

If you are using Terraform to manage your infrastructure, DeepSource is here to help you write the terraform files efficiently, free from security issues.

DeepSource now supports continuous static analysis for Terraform files, detecting 30+ security issues.

Using the Terraform analyzer

To start analyzing your Terraform files, just enable the terraform analyzer in your .deepsource.toml file, and you are good to go.

By default, DeepSource analyzes all your terraform files ending with .tf.

Sample configuration

version = 1

[[analyzers]]
name = "terraform"
enabled = true

Look at the docs for more details.

Issues detected by the Terraform analyzer

At the time of writing this, the analyzer detects 30+ security issues in your Terraform files, which includes AWS, AZURE and GCP specific issues apart from the general ones. Here’s some of them to give you an idea:

General security issues:

  • Potentially sensitive data stored in block attribute
  • Potentially sensitive data stored in default value of variable

AWS specific security issues:

  • ACL defined for S3 Bucket allows public access
  • Use of an outdated SSL policy by a load balancer

GCP specific security issues:

  • Use of legacy ABAC permissions
  • Use of unencrypted storage bucket

AZURE specific security issues:

  • Use of password authentication instead of SSH keys
  • An inbound network security rule allowing traffic from /0

We’re super excited about this release, and are actively working on adding other issues to ensure best practices are followed in writing the terraform files. Head over to the docs or tell us what you think!

Keep reading...