
TFGaurd vs tfsec:
Which Terraform Scanner Should You Use in 2026?

March 21, 2026 TFGaurd Team 9 min read Terraform · tfsec · Trivy · DevSecOps

tfsec has been a staple of Terraform security for years — a blazing-fast Go-based CLI scanner with strong CI/CD integration. TFGaurd takes a different path: a zero-setup, browser-based scanner with 1200+ curated rules and a clean compliance dashboard.

With tfsec being deprecated in favour of Aqua's Trivy, 2026 is the perfect time to evaluate whether you should migrate. This comparison covers rules depth, ease of use, CI/CD integration, custom checks, and long-term support outlook.


TFGaurd

Privacy-first, local-execution CLI scanner. Zero-dependency binary ensures your code never leaves your VPC.

Free Local Scan · Secure Premium Rules

tfsec

Open-source Go CLI scanner for Terraform. Now maintained as part of Aqua's Trivy project.

Open Source · CLI · Go Binary
tfsec Deprecation Notice

As of 2024, Aqua Security has merged tfsec into Trivy. The standalone tfsec binary still works, but new rules and features are being developed in Trivy's Terraform scanning module. Teams currently using tfsec should plan a migration path.

TL;DR: TFGaurd is the better long-term bet for Terraform-focused teams — actively developed, no setup, and compliance-ready. tfsec/Trivy wins for teams already in the Aqua ecosystem or wanting a local Go binary for offline scanning.

What is tfsec?

tfsec is an open-source static analysis tool originally created by Liamg (now Aqua Security). It scans Terraform source code — not plan JSON — meaning it works without running terraform init or terraform plan. This makes it extremely fast and simple to integrate.

tfsec uses a library of ~150 built-in checks mapped to CIS benchmarks and AWS/GCP/Azure security best practices, with support for custom checks written in JSON/YAML or Rego. Results are output to the terminal or as JSON, SARIF, or JUnit XML.

Running tfsec Against Terraform

```shell
# Install tfsec (Go binary)
brew install tfsec
# or
go install github.com/aquasecurity/tfsec/cmd/tfsec@latest

# Scan current directory
tfsec .

# Output as SARIF (GitHub Code Scanning)
tfsec . --format sarif --out results.sarif

# Exclude a specific check
tfsec . --exclude aws-s3-block-public-acls

# Minimum severity threshold
tfsec . --minimum-severity HIGH
```
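The `--minimum-severity` flag above fails the scan in the CLI itself, but teams often need the same gate applied to the JSON report after the fact (to combine runs, count findings per severity, or ignore results that were suppressed inline). The script below is an added example, not code from tfsec or from the TFGaurd team: it parses a constructed report shaped like `tfsec . --format json` output, using only the `results[].rule_id`, `severity`, `status` and `location` fields, and assumes tfsec's convention that `status` 0 is a failed check, 1 a passed check and 2 an ignored one.

```python
"""Severity gate over a tfsec-style JSON report (added example; constructed input)."""
import json

# Severity ranking used to emulate `tfsec --minimum-severity`.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample report. Field names follow tfsec's JSON output; the
# status encoding (0 failed, 1 passed, 2 ignored) is an assumption stated above.
SAMPLE_TFSEC_JSON = json.dumps({
    "results": [
        {"rule_id": "aws-s3-enable-bucket-encryption", "severity": "HIGH", "status": 0,
         "location": {"filename": "main.tf", "start_line": 1, "end_line": 5}},
        {"rule_id": "aws-s3-enable-versioning", "severity": "MEDIUM", "status": 0,
         "location": {"filename": "main.tf", "start_line": 1, "end_line": 5}},
        {"rule_id": "aws-s3-block-public-acls", "severity": "HIGH", "status": 2,
         "location": {"filename": "main.tf", "start_line": 7, "end_line": 12}},
        {"rule_id": "aws-ec2-no-public-egress-sgr", "severity": "CRITICAL", "status": 0,
         "location": {"filename": "sg.tf", "start_line": 3, "end_line": 15}},
    ]
})


def load_report(raw_json):
    """Parse the JSON text produced by `tfsec --format json`."""
    return json.loads(raw_json)


def failed_results(report):
    """Keep only findings that actually failed (drops passed and ignored ones)."""
    return [r for r in report.get("results", []) if r.get("status", 0) == 0]


def count_by_severity(results):
    """Histogram of findings per severity level, always listing all four levels."""
    counts = {level: 0 for level in SEVERITY_RANK}
    for r in results:
        level = r["severity"].upper()
        counts[level] = counts.get(level, 0) + 1
    return counts


def gate(raw_json, minimum_severity="HIGH"):
    """Return (passed, offenders); offenders are failed findings at or above the threshold."""
    threshold = SEVERITY_RANK[minimum_severity.upper()]
    offenders = [
        r for r in failed_results(load_report(raw_json))
        if SEVERITY_RANK.get(r["severity"].upper(), 0) >= threshold
    ]
    return (len(offenders) == 0, offenders)


def format_offender(r):
    """One-line summary suitable for CI logs: severity, rule id and location."""
    loc = r["location"]
    return f"{r['severity']:<8} {r['rule_id']} ({loc['filename']}:{loc['start_line']}-{loc['end_line']})"


if __name__ == "__main__":
    passed, offenders = gate(SAMPLE_TFSEC_JSON, "HIGH")
    for finding in offenders:
        print(format_offender(finding))
    print("PASS" if passed else f"FAIL: {len(offenders)} finding(s) at or above HIGH")
    raise SystemExit(0 if passed else 1)
```

Run it with the real report by replacing `SAMPLE_TFSEC_JSON` with the contents of the `--out` file; ignored findings only appear in tfsec's JSON when `--include-ignored` is passed, so `failed_results` is a no-op for a default run but protects the gate when that flag is on.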

Custom Check in YAML

```yaml
# .tfsec/custom_tfchecks.yaml
# tfsec only loads custom checks from the .tfsec directory and only from files
# whose names end in _tfchecks.yaml or _tfchecks.json, so the filename matters.
checks:
  - code: CUS001
    description: S3 bucket must have versioning enabled
    impact: Data loss risk without versioning
    resolution: Enable versioning on the bucket
    requiredTypes:
      - resource
    requiredLabels:
      - aws_s3_bucket
    severity: HIGH
    # Looks for a nested `versioning { ... }` block inside the resource.
    # Note: with AWS provider v4+, versioning moved to the separate
    # aws_s3_bucket_versioning resource, so this check targets provider v3 layouts.
    matchSpec:
      name: versioning
      action: isPresent
    errorMessage: S3 bucket does not have versioning block
    relatedLinks:
      - https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
```
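To make the semantics of `requiredTypes`, `requiredLabels` and `matchSpec` concrete, here is a small evaluator for checks written in that shape. It is an added illustration, not tfsec's matching engine: blocks are modelled as plain dicts (block type, labels, body) similar to what an HCL parser yields, the sample blocks are constructed, and only a subset of tfsec's match actions (`isPresent`, `notPresent`, `equals`, `notEqual`, `startsWith`, `contains`) is implemented.

```python
"""Illustrative evaluator for tfsec-style custom checks (added example, not tfsec code)."""

# The CUS001 check from the YAML above, transcribed into a dict.
VERSIONING_CHECK = {
    "code": "CUS001",
    "requiredTypes": ["resource"],
    "requiredLabels": ["aws_s3_bucket"],
    "severity": "HIGH",
    "matchSpec": {"name": "versioning", "action": "isPresent"},
    "errorMessage": "S3 bucket does not have versioning block",
}

# Constructed sample blocks: type, labels and a body of attributes / nested blocks.
SAMPLE_BLOCKS = [
    {"type": "resource", "labels": ["aws_s3_bucket", "logs"],
     "body": {"bucket": "acme-logs", "versioning": {"enabled": True}}},
    {"type": "resource", "labels": ["aws_s3_bucket", "assets"],
     "body": {"bucket": "acme-assets"}},
    {"type": "resource", "labels": ["aws_sqs_queue", "jobs"],
     "body": {"name": "jobs"}},
    {"type": "data", "labels": ["aws_s3_bucket", "external"],
     "body": {"bucket": "someone-elses"}},
]


def block_matches_selector(block, check):
    """requiredTypes filters on block kind (resource/data/...), requiredLabels on the first label."""
    return (block["type"] in check["requiredTypes"]
            and block["labels"][0] in check["requiredLabels"])


def evaluate_match_spec(body, spec):
    """True when the block body satisfies the matchSpec; a False result is a finding."""
    name, action = spec["name"], spec["action"]
    value = body.get(name)
    if action == "isPresent":
        return name in body
    if action == "notPresent":
        return name not in body
    if action == "equals":
        return value == spec.get("value")
    if action == "notEqual":
        return value != spec.get("value")
    if action == "startsWith":
        return isinstance(value, str) and value.startswith(spec.get("value", ""))
    if action == "contains":
        return value is not None and spec.get("value") in value
    raise ValueError(f"unsupported matchSpec action: {action}")


def run_check(blocks, check):
    """Apply one check to every selected block and return the findings."""
    findings = []
    for block in blocks:
        if not block_matches_selector(block, check):
            continue
        if not evaluate_match_spec(block["body"], check["matchSpec"]):
            findings.append({
                "code": check["code"],
                "severity": check["severity"],
                "resource": f"{block['type']}.{'.'.join(block['labels'])}",
                "message": check["errorMessage"],
            })
    return findings


if __name__ == "__main__":
    for f in run_check(SAMPLE_BLOCKS, VERSIONING_CHECK):
        print(f"{f['severity']} {f['code']} {f['resource']}: {f['message']}")
```

Only `resource.aws_s3_bucket.assets` is reported: the `logs` bucket has the nested block, the SQS queue fails the label filter, and the `data` block fails the type filter even though its label matches.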
Pros
  • Extremely fast (compiled Go binary)
  • No terraform init needed
  • YAML/JSON/Rego custom checks
  • SARIF output for GitHub Security tab
  • Works fully offline / air-gapped
  • Source-code level scanning (no plan needed)
Cons
  • Deprecated — merged into Trivy
  • Only ~150 built-in checks
  • No web UI or dashboard
  • No compliance report generation
  • Requires Go or Brew install
  • Limited multi-cloud rule coverage

What is TFGaurd?

TFGaurd is a Terraform-native security scanner that works entirely in the browser — no installation, no CLI, no config files. Upload your .tf files or a ZIP archive and get a structured security report in seconds.

TFGaurd evaluates your infrastructure against 1200+ built-in rules covering AWS (free), GCP, Azure, and Oracle Cloud (premium), with results mapped to compliance frameworks including CIS Benchmarks, SOC 2, and ISO 27001.

Pros
  • Local-First Privacy — code stays on your infrastructure
  • Portable 50KB CLI (Runs anywhere, zero dependencies)
  • 1,200+ Secure-Stream rules for Multi-Cloud
  • Compliance mapping: CIS, SOC 2, ISO 27001
  • Custom rules via no-code UI or Python expressions
  • Advanced Analytics via Metadata-only cloud sync
Cons
  • Terraform-only (not multi-framework like Trivy)
  • GCP / Azure / OCI rules require API key
  • Requires Python runtime (bundled with CLI)

Head-to-Head Comparison

| Feature | TFGaurd | tfsec |
|---|---|---|
| Primary Interface | Portable CLI + Dashboard | Go binary (CLI only) |
| Privacy Model | Local-First (code stays on-prem) | Local-First (open source) |
| Rule Delivery | Secure in-memory stream | Static compiled rules |
| Built-in Rules | 1200+ (AWS free, multi-cloud premium) | ~150 (all free) |
| Scan Speed | <5s via API | <1s local (Go binary) |
| Custom Rules | No-code form + Python expressions | YAML / JSON / Rego files |
| Maintenance Status | Actively developed | Deprecated, merged into Trivy |
| CI/CD Integration | GitHub Action (Standard/Premium) | Native CLI + GitHub Action |
| Output Formats | JSON, web dashboard | CLI, JSON, SARIF, JUnit XML |
| Offline / Air-Gap | No (cloud-hosted) | Yes (local Go binary) |
| Scan History | Built-in dashboard | None (file output only) |
| Pricing | Free (AWS) / Premium (multi-cloud) | Free / open source |

CI/CD Integration

TFGaurd GitHub Action (Standard & Premium)

Instead of manual API calls, TFGaurd provides native GitHub Actions for seamless pipeline integration. Choose the tier that fits your needs.

```yaml
# .github/workflows/tfgaurd-scan.yml
name: TFGaurd Security Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install TFGaurd Engine
        run: pip install tfgaurd-engine

      - name: Run TFGaurd Scan
        run: tfgaurd scan . --fail-on CRITICAL
        env:
          TFGAURD_API_KEY: ${{ secrets.TFGAURD_API_KEY }}
```

tfsec Native GitHub Action

```yaml
# .github/workflows/tfsec-scan.yml
name: tfsec Security Scan
on: [push, pull_request]

jobs:
  tfsec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run tfsec
        uses: aquasecurity/tfsec-action@v1.0.0
        with:
          working_directory: ./terraform
          format: sarif
          soft_fail: false
          # Write the SARIF to a file so the upload step below has something to read;
          # tfsec-action passes extra CLI flags through additional_args.
          additional_args: --out results.sarif

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Migration tip: Replacing tfsec with Trivy in CI? Use trivy config . as a drop-in replacement for tfsec . The results and severity scoring are nearly identical since Aqua ported all tfsec checks.

Speed Benchmarks

Benchmarks across three Terraform codebases. TFGaurd times include API round-trip; tfsec is local.

| Codebase | TFGaurd (incl. API round-trip) | tfsec (local) |
|---|---|---|
| Small (~20 resources) | 1.4s | 0.3s |
| Medium (~150 resources) | 3.8s | 1.1s |
| Large (800+ resources) | 14s | 4.2s |

Context matters: tfsec's raw speed advantage is offset by its smaller rule set (~150 vs 1200+). TFGaurd may flag 8× more issues in the same scan because it checks far more security dimensions.

tfsec → Trivy Migration

If you're currently using tfsec, Aqua Security recommends migrating to Trivy. Here's a quick side-by-side on what changes:

| Action | tfsec command | Trivy equivalent |
|---|---|---|
| Scan directory | tfsec . | trivy config . |
| SARIF output | tfsec . --format sarif | trivy config . --format sarif |
| Exclude check | --exclude aws-s3-... | --skip-check AVD-AWS-... |
| Custom checks dir | --custom-check-dir .tfsec | --config-policy ./policies |

Trivy's Terraform scanner inherits all tfsec checks under the AVD-AWS-* check ID namespace. GitHub Actions can simply swap aquasecurity/tfsec-action for aquasecurity/trivy-action with scan-type: config.

Our Verdict


Choose TFGaurd if…

You want maximum rule coverage (1200+), compliance reporting, a no-setup experience, or stakeholder-friendly dashboards. TFGaurd is also the safer long-term choice — it's actively developed with no deprecation risk, and new multi-cloud rules are added regularly.


Choose tfsec / Trivy if…

You need offline / air-gapped scanning, sub-second local feedback during development, or you're already invested in the Aqua Security ecosystem. If you're on tfsec today, migrate to Trivy rather than continuing with the deprecated binary.

Use Both for Maximum Coverage

Run Trivy locally as a pre-commit hook for instant feedback, and use TFGaurd in CI/CD for deep compliance scanning, custom business rules, and audit-ready reports. The tools have virtually no overlap in the problems they're best at.

Frequently Asked Questions

Is tfsec the same as Trivy?

Not exactly. tfsec is the standalone tool; Trivy is Aqua's universal scanner that has absorbed tfsec's Terraform scanning capabilities. Trivy scans containers, filesystems, Git repos, and IaC (Terraform, CloudFormation, Kubernetes), making it a superset of tfsec.

Does tfsec support Terraform modules?

Yes. tfsec resolves local module references and scans them as part of the main codebase. Remote registry modules require a separate download. TFGaurd parses module usage within uploaded .tf files against the rule set without fetching remote sources.

How do I suppress a tfsec false positive inline?

```hcl
# terraform/main.tf
resource "aws_s3_bucket" "public_assets" {
  bucket = "my-public-assets"

  #tfsec:ignore:aws-s3-block-public-acls
  #tfsec:ignore:aws-s3-no-public-buckets
  acl = "public-read"
}
```
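Inline suppressions are easy to add and easy to forget, so it is worth keeping an inventory of them. The script below is an added example, not part of tfsec or TFGaurd: it scans Terraform source text for `#tfsec:ignore:<rule>` comments, including tfsec's optional `:exp:YYYY-MM-DD` expiry suffix, and reports which suppressions are permanent and which have already expired. The input is a constructed snippet based on the HCL above.

```python
"""Inventory #tfsec:ignore comments and flag expired or permanent ones (added example)."""
import re
from datetime import date

# Matches "#tfsec:ignore:<rule-id>" with an optional ":exp:YYYY-MM-DD" expiry.
IGNORE_RE = re.compile(
    r"#tfsec:ignore:(?P<rule>[A-Za-z0-9_-]+)(?::exp:(?P<exp>\d{4}-\d{2}-\d{2}))?"
)

# Constructed sample source: the bucket from the FAQ plus one expiring suppression
# placed above a whole resource block.
SAMPLE_TF = """\
resource "aws_s3_bucket" "public_assets" {
  bucket = "my-public-assets"
  #tfsec:ignore:aws-s3-block-public-acls
  #tfsec:ignore:aws-s3-no-public-buckets:exp:2025-01-31
  acl = "public-read"
}

#tfsec:ignore:aws-ec2-no-public-egress-sgr:exp:2027-06-30
resource "aws_security_group_rule" "egress" {
  type = "egress"
}
"""


def find_suppressions(source, filename="main.tf"):
    """Return one entry per ignore comment: file, line, rule id and expiry date (or None)."""
    entries = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in IGNORE_RE.finditer(line):  # several ignores may share a line
            exp = m.group("exp")
            entries.append({
                "file": filename,
                "line": lineno,
                "rule": m.group("rule"),
                "expires": date.fromisoformat(exp) if exp else None,
            })
    return entries


def audit(entries, today_iso):
    """Split suppressions into expired (past their exp date) and permanent (no exp date)."""
    today = date.fromisoformat(today_iso)
    expired = [e for e in entries if e["expires"] is not None and e["expires"] < today]
    permanent = [e for e in entries if e["expires"] is None]
    return {"total": len(entries), "expired": expired, "permanent": permanent}


if __name__ == "__main__":
    result = audit(find_suppressions(SAMPLE_TF), date.today().isoformat())
    print(f"{result['total']} suppression(s) found")
    for e in result["expired"]:
        print(f"EXPIRED   {e['file']}:{e['line']} {e['rule']} (exp {e['expires']})")
    for e in result["permanent"]:
        print(f"PERMANENT {e['file']}:{e['line']} {e['rule']}")
```

Expired entries are the ones to remove first: tfsec stops honouring an ignore once its date passes, so the finding reappears in the next scan and the comment is just noise. Permanent entries are the ones a reviewer should ask about, since nothing forces them to be revisited.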

Will TFGaurd support Kubernetes / CloudFormation in future?

TFGaurd is intentionally focused on Terraform to provide the deepest possible rule coverage for HCL. Multi-framework IaC support (K8s, CF) is on the product roadmap but Terraform coverage remains the top priority for 2026.

🛡️ Try TFGaurd Free — No Setup, Instant Results

Get 8× more security checks than tfsec with zero installation. Upload your Terraform files now.
