What's Changed
tfsec now uses rules which are defined as part of the defsec project. This means the same rules you're used to from tfsec can now be applied to other technologies (such as CloudFormation via cfsec). The main responsibility of tfsec is now to translate Terraform code into a format that defsec understands, so that defsec can apply its own rules.
The v1 version is largely the summit of a mountain of refactoring efforts. From this point forward we don't expect huge changes to the general architecture of the project, or the way it is used, but instead hope to focus on adding lots more rules and driving up the quality and intelligence of existing rules.
Breaking Changes
- The `--detailed-exit-code` flag has been removed. The detailed exit code is now provided by default. As before, tfsec indicates a failure with a non-zero exit code, but not necessarily 1, so CI scripts should test for any non-zero status rather than for exactly 1.
- The deprecated `--include`, `--ignore-warnings`, and `--ignore-info` flags have been removed.
- The behaviour of `--out` and `--format` has changed slightly; please read the usage help for more information.
- The `--sort-severity` flag has been removed; results are now sorted by severity by default.
Notable Changes
New Features
- Add `--migrate-ignores`, which replaces all legacy ignore rules with up-to-date IDs by @owenrumney in #1259
- Add support for grouping of results when they originate in the same module, the same `for_each` or the same `count` (disable with `-G`) by @liamg in #1410
- Add arm docker images by @owenrumney in #1375
- Terraform v1.1 Support: Add support for moved blocks tf 1.1.0+ by @martijnvdp in #1204
- Terraform v1.1 Support: Init module sources by @martijnvdp in #1206
Custom Checks
- Add recursive loading of child directories for custom checks by @japan-p in #1071
- Only load custom checks once by @owenrumney in #1305
- Custom checks: requiresPresence's subMatches now get processed too by @gabrielleecredera in #1340
- Fix issue where custom check regexMatches action wasn't being handled correctly by @gabrielleecredera in #1343
- Add optional "assignVariable" attribute to "matchSpec" by @gabrielleecredera in #1338
Rule Changes
- Add support for unlimited retention policy for azurerm_sql_server by @atombrella in #1243
- Remove false positive in vault pki by @liamg in #1254
- Fix elastic search domain logging by @liamg in #1400
- Whitelist kubernetes_service_account token by @liamg in #1317
Other Changes
- Ignores can now be specified at any level: on an attribute, on a block, or on a module definition (where the ignore applies to every resource the module creates) by @liamg in #1409
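The following Terraform file is an added illustration, not code from the tfsec project or these release notes, of the three ignore scopes above together with the `for_each`/`count` grouping from the New Features list. The rule IDs are assumed to be the tfsec v1 S3 rule IDs; take the ID from the tfsec output for your own code rather than copying these, and run `tfsec --migrate-ignores` first if the file still carries legacy IDs.

```hcl
# Added example (not from the tfsec release notes). Rule IDs are assumed;
# copy the ID tfsec prints for your own finding.

# 1. Module-level ignore: placed on the module block, it suppresses the rule
#    for every resource the module creates. This is the widest scope, so keep
#    a written justification next to it and prefer a narrower scope if one
#    will do.
# Justification: archive storage is encrypted by the storage layer, not by S3.
#tfsec:ignore:aws-s3-enable-bucket-encryption
module "archive" {
  source = "./modules/archive"
}

# 2. Block-level ignore: placed on the resource line, it suppresses the rule
#    for this resource only. With for_each, v1 reports the instances as a
#    single grouped result (pass -G to see them individually), and the ignore
#    covers the whole group. The exp: suffix makes the ignore expire, so the
#    finding resurfaces on the given date instead of being silenced forever.
#tfsec:ignore:aws-s3-enable-versioning:exp:2022-12-31
resource "aws_s3_bucket" "logs" {
  for_each = toset(["alpha", "beta"])
  bucket   = "example-logs-${each.key}"
}

# 3. Attribute-level ignore: placed on the attribute line, it suppresses only
#    the rule that fires on that attribute. This is the narrowest scope and the
#    one to reach for by default. With count, the two instances are again
#    grouped into one result.
resource "aws_s3_bucket" "public_site" {
  count  = 2
  bucket = "example-site-${count.index}"
  acl    = "public-read" #tfsec:ignore:aws-s3-no-public-access-with-acl
}
```

Each ignore names one rule; a resource that trips several rules needs one ignore per rule, which is deliberate, since it forces each suppression to be an explicit decision.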
New Contributors
Thanks to all of our awesome new contributors!
- @arbourd made their first contribution in #1183
- @zyellowhorse made their first contribution in #1181
- @vanesasejdiu made their first contribution in #1197
- @m00lecule made their first contribution in #1180
- @martijnvdp made their first contribution in #1204
- @chaspy made their first contribution in #1223
- @japan-p made their first contribution in #1071
- @gabrielchl made their first contribution in #1263
- @ewelch16 made their first contribution in #1292
- @kaitoii11 made their first contribution in #1344
- @gabrielleecredera made their first contribution in #1340
- @Yajo made their first contribution in #1389
Special Thanks
- @vanesasejdiu for all of their hard work on the defsec rule transition.
- @gabrielleecredera for their massive contribution to custom checks.
- @martijnvdp for their quick reaction in getting support added for Terraform v1.1.
- @atombrella For various changes and suggestions.
Full Changelog: v0.63.1...v1.0.0