Home
Developer Tools & Resources
Terraform Security Scanner — Check .tf Files for Misconfigurations

Terraform Security Scanner — Check .tf Files for Misconfigurations

Paste your Terraform .tf file. Checks for the misconfigurations that show up in every cloud security audit: hardcoded credentials, open security groups, public S3 buckets, unencrypted RDS/EBS, and missing deletion protection.

Paste your Terraform .tf file. Checks for the most common infrastructure security misconfigurations: open security groups, unencrypted storage, public S3 buckets, deletion protection disabled, hardcoded credentials, and more.

Load example:

terraform {
  required_providers {
    aws = { source = “hashicorp/aws”, version = “~> 5.0” }
  }
}

provider “aws” {
  region     = “us-east-1”
  access_key = “AKIAIOSFODNN7EXAMPLE”
  secret_key = “wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY”
}

resource “aws_security_group” “web” {
  name = “web-sg”

ingress {
    from_port   = 22
    to_port     = 22
    protocol    = “tcp”
    cidr_blocks = [“0.0.0.0/0”]
  }

ingress {
    from_port   = 3306
    to_port     = 3306
    protocol    = “tcp”
    cidr_blocks = [“0.0.0.0/0”]
  }
}

resource “aws_s3_bucket” “data” {
  bucket = “my-company-data”
}

resource “aws_s3_bucket_acl” “data_acl” {
  bucket = aws_s3_bucket.data.id
  acl    = “public-read”
}

resource “aws_db_instance” “main” {
  identifier           = “prod-db”
  engine               = “mysql”
  instance_class       = “db.t3.medium”
  username             = “admin”
  password             = “SuperSecret123!”
  publicly_accessible  = true
  storage_encrypted    = false
  deletion_protection  = false
  skip_final_snapshot  = true
}

resource “aws_ebs_volume” “data” {
  availability_zone = “us-east-1a”
  size              = 100
  encrypted         = false
}

What gets flagged most often

Hardcoded AWS credentials (Critical): access_key and secret_key in the provider block end up in git history, Terraform state files, and CI logs. Use environment variables or IAM roles — never hardcode credentials.
SSH/database ports open to 0.0.0.0/0 (Critical): Port 22 open to the internet gets probed constantly. Database ports (5432, 3306, etc.) should only accept connections from your application tier security group, never from the internet directly.
S3 bucket without public access block (High): An account-level permission change or future misconfiguration can suddenly expose an unprotected bucket. Always attach aws_s3_bucket_public_access_block.
RDS skip_final_snapshot = true (Medium): Running terraform destroy destroys your database with no backup. Set to false and provide a final_snapshot_identifier.

For full static analysis with 200+ rules, use tfsec or Checkov. This tool catches the most common and critical issues quickly in the browser. For infrastructure-adjacent security: K8s YAML · Docker Compose · GitHub Actions.

Founded

2023 in London, UK

Contact

hello@releaserun.com

Terraform Security Scanner — Check .tf Files for Misconfigurations

What gets flagged most often

Founded

Contact

</> Embed Terraform Security Scanner — Check .tf Files for Misconfigurations