@fkurz
Last active June 7, 2021 17:37
How To Ignore Multiple tfsec Errors

I stumbled upon this today when I wanted to get a pre-commit hook running again that runs tfsec.

To ignore several checks in one run, pass their IDs to tfsec's -e (--exclude) flag as a single comma-separated string.

E.g. if we have an s3.tf that violates AWS001, AWS002, and AWS017, tfsec reports the following:

$ tfsec

Problem 1

  [AWS001][WARNING] Resource 'aws_s3_bucket.bad_example' has an ACL which allows public access.
  /tmp/tfsec/s3.tf:2

       1 | resource "aws_s3_bucket" "bad_example" {
       2 | 	acl = "public-read"
       3 | }
       4 |

   See https://tfsec.dev/docs/aws/AWS001/ for more information.

Problem 2

  [AWS002][ERROR] Resource 'aws_s3_bucket.bad_example' does not have logging enabled.
  /tmp/tfsec/s3.tf:1-3

       1 | resource "aws_s3_bucket" "bad_example" {
       2 | 	acl = "public-read"
       3 | }
       4 |

   See https://tfsec.dev/docs/aws/AWS002/ for more information.

Problem 3

  [AWS017][ERROR] Resource 'aws_s3_bucket.bad_example' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
  /tmp/tfsec/s3.tf:1-3

       1 | resource "aws_s3_bucket" "bad_example" {
       2 | 	acl = "public-read"
       3 | }
       4 |

   See https://tfsec.dev/docs/aws/AWS017/ for more information.

  disk i/o             4.092889ms
  parsing HCL          15.898µs
  evaluating values    269.101µs
  running checks       685.51µs
  files loaded         1

3 potential problems detected.

With -e AWS001,AWS002,AWS017 passed, however, tfsec reports no problems:

$ tfsec -e AWS001,AWS002,AWS017

  disk i/o             664.56µs
  parsing HCL          8.679µs
  evaluating values    41.577µs
  running checks       304.896µs
  files loaded         1

No problems detected!
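Keep in mind that -e silences a check across every file tfsec scans, so an exclusion added for one bucket also hides a genuinely public or unencrypted bucket elsewhere in the tree; tfsec's inline comment (e.g. #tfsec:ignore:AWS001 on the offending resource) is the narrower option when the exception applies to a single resource. Where a repository-wide exclusion list is the right tool, as in a pre-commit hook, it is better kept in a reviewed file than hardcoded in the hook command. The script below is an added example, not code from the gist or from the tfsec project: it reads one check ID per line from a file, validates each ID, de-duplicates them, and joins them into the comma-separated string that -e expects before invoking tfsec. The file name .tfsec-ignore, its layout, and the sample IDs in it are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the gist: keep the tfsec exclusion list in a file
# (one check ID per line) and turn it into the comma-separated string that
# tfsec's -e flag expects, instead of hardcoding "-e AWS001,AWS002,AWS017"
# in a pre-commit hook. The file name .tfsec-ignore and its layout are
# assumptions made for this example.

# build_exclude_list FILE
#   Prints the check IDs in FILE joined by commas, e.g. "AWS001,AWS002".
#   Blank lines and '#' comments are ignored, duplicates are dropped, and
#   every ID must match tfsec's legacy <PROVIDER><NNN> form (e.g. AWS001).
#   An invalid line makes the function print nothing and return 1, so a
#   typo cannot silently widen or shrink the set of excluded checks.
build_exclude_list() {
    file="$1"
    list=""
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop trailing comments and surrounding whitespace.
        id=$(printf '%s\n' "$line" | sed 's/#.*$//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$id" ] && continue
        if ! printf '%s\n' "$id" | grep -Eq '^[A-Z]+[0-9]+$'; then
            printf 'invalid tfsec check ID in %s: %s\n' "$file" "$id" >&2
            return 1
        fi
        # Skip IDs that are already in the list.
        case ",$list," in
            *",$id,"*) continue ;;
        esac
        if [ -z "$list" ]; then list="$id"; else list="$list,$id"; fi
    done < "$file"
    printf '%s\n' "$list"
}

# run_tfsec DIR [IGNORE_FILE]
#   Runs tfsec on DIR, passing -e only when the ignore file exists and is
#   non-empty, so a module without an ignore file still gets every check.
#   Fails before running tfsec if the ignore file contains an invalid ID.
run_tfsec() {
    dir="$1"
    ignore="${2:-$dir/.tfsec-ignore}"
    if [ -s "$ignore" ]; then
        excludes=$(build_exclude_list "$ignore") || return 1
        tfsec -e "$excludes" "$dir"
    else
        tfsec "$dir"
    fi
}

# Constructed sample ignore file, matching the three checks from the gist.
demo_dir=$(mktemp -d)
cat > "$demo_dir/.tfsec-ignore" <<'EOF'
# checks accepted for this module
AWS001   # public-read ACL
AWS002
AWS017
AWS002   # duplicate, dropped by build_exclude_list
EOF
build_exclude_list "$demo_dir/.tfsec-ignore"   # prints AWS001,AWS002,AWS017
rm -rf "$demo_dir"
```

In the pre-commit hook itself, the call is then just run_tfsec . (or run_tfsec with the module directory), and changing the exclusion set becomes a reviewable diff to .tfsec-ignore rather than an edit to the hook.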