TFGaurd Docs
Everything you need to secure your Terraform infrastructure
Introduction
TFGaurd is a comprehensive Terraform security policy checker that helps you identify and fix security vulnerabilities in your Infrastructure-as-Code before deployment. With 112+ Built-in Free Rules (Community Edition) and 1,200+ Enterprise Rules (Secure-Stream), TFGaurd helps your team maintain security best practices and compliance requirements automatically.
Quick Start
Get started with TFGaurd in seconds. Choose the installation method that fits your workflow.
Python (PyPI)
Official distribution via pip. Best for developers and CI/CD pipelines.
pip install tfgaurd-engine
Python 3.8+ required
Linux / macOS
Standard bash one-liner. Downloads the latest portable CLI instantly.
curl -sSL https://tfgaurd.com/install.sh | bash
No installation required
Windows (PS)
Native PowerShell script for optimal performance on Windows machines.
Set-ExecutionPolicy Bypass -Scope Process -Force; [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor 3072; irm https://tfgaurd.com/install.ps1 | iex
Command Prompt (CMD)
powershell -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s='https://tfgaurd.com/install.ps1'; (New-Object System.Net.WebClient).DownloadString($s) | iex"
Use elevated terminal if possible
Verify Installation
Once installed, run a local scan to verify the setup. No account or API key is required for basic AWS security checks.
tfgaurd scan .
How It Works
TFGaurd analyzes your Terraform HCL configuration through a multi-stage pipeline:
1. Parsing
Your Terraform code is parsed into a structured representation of resource blocks, identifying each `resource "type" "name"` block and its attributes.
2. Rule Evaluation
Each resource is evaluated against all applicable rules in the Rule Registry. Rules are organized by resource type (e.g., aws_s3_bucket, aws_db_instance).

# Example: This will trigger a violation
resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-data-bucket"
  acl    = "public-read"  # ← CRITICAL: Public access
}
3. Violation Reporting
Any rule that a resource fails generates a violation with details including the resource name, rule violated, severity level, and a remediation recommendation.
4. Results & History
Results are displayed immediately and, for logged-in users, saved to your check history for tracking improvements over time.
Policy Rules
TFGaurd ships with built-in rules covering common AWS security misconfigurations.
Example Rules
| Rule | Resource | Severity | Description |
|---|---|---|---|
| check_public_access | aws_s3_bucket | CRITICAL | S3 bucket must not have public ACL |
| check_encryption | aws_s3_bucket | HIGH | S3 bucket must have server-side encryption enabled |
| check_public_db | aws_db_instance | CRITICAL | RDS instance must not be publicly accessible |
| check_db_encryption | aws_db_instance | HIGH | RDS storage must be encrypted |
| check_open_ssh | aws_security_group | CRITICAL | Security group must not allow open SSH (port 22) from 0.0.0.0/0 |
| check_mfa_delete | aws_s3_bucket | MEDIUM | S3 bucket versioning should have MFA delete enabled |
Severity Levels
TFGaurd uses a 4-tier severity system, listed here from highest to lowest, to help you prioritize remediation efforts:
- Immediate risk of breach or compromise. Block deployment immediately.
- Significant vulnerability that must be addressed urgently.
- Moderate risk profile. Plan to remediate within 24-48 hours.
- Best practice recommendations. Informational, low immediate risk.
Supported Resource Types
TFGaurd currently supports 190+ Cloud Terraform resource types, including:
aws_s3_bucket
aws_db_instance
aws_instance
aws_security_group
google_compute_instance
google_storage_bucket
azurerm_storage_account
azurerm_linux_virtual_machine
oci_core_instance
Custom Rules
Beyond the built-in rules, you can create custom rules tailored to your organization's requirements.
Form-Based Rules
Use the Rules Manager UI to create rules without writing code:
1. Select a Resource Type (e.g., aws_s3_bucket)
2. Choose a Condition (equals, not_equals, contains, etc.)
3. Set the Field and expected Value
4. Assign a Severity level and save
Code-Based Rules
For advanced scenarios, write rules as Python functions:
def check_resource(resource):
    """Ensure S3 buckets have versioning enabled."""
    versioning = resource.get('versioning', {})
    enabled = versioning.get('enabled', False)
    if not enabled:
        return 'S3 bucket versioning is not enabled'
    return None  # None = passed
Return a string describing the violation, or None to indicate the rule passed.
CI/CD Integration
Integrate TFGaurd into your automated pipelines in seconds. Our Portable CLI is the primary integration point, ensuring your source code never leaves your VPC.
Run pip install tfgaurd-engine to ensure you have the latest core engine. Authentication is handled entirely via environment variables.
name: TFGaurd Security Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install tfgaurd-engine
      - run: tfgaurd scan ./terraform/ --fail-on CRITICAL
        env:
          TFGAURD_API_KEY: ${{ secrets.TFGAURD_API_KEY }}
Configuration Options
The tfgaurd scan command accepts several flags for CI/CD optimization:
- --fail-on SEVERITY: Control your pipeline status (e.g. CRITICAL, HIGH)
- --format [text|json|sarif]: Output format for security tabs or reporting
- --repo REPO_NAME: Label results in the Cloud Dashboard
- --no-sync: Run a 100% offline scan even if an API key is present
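The pipeline described under How It Works, the check_resource contract from Code-Based Rules, and the --fail-on threshold above, modelled together as an added Python example (not TFGaurd's own engine); the parsed-resource dict shape, the RULES registry layout, the severity ranking and the sample resources are assumptions constructed here:

```python
# Added example, not TFGaurd's own code: a minimal model of the parse ->
# rule-registry -> violation pipeline, with rules in the check_resource
# contract (message string on violation, None on pass). Dict shapes are assumed.
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}  # LOW assumed

def check_public_access(resource):
    """S3 bucket must not have a public ACL."""
    if resource.get("acl") in ("public-read", "public-read-write"):
        return "S3 bucket must not have public ACL"
    return None

def check_open_ssh(resource):
    """Security group must not allow SSH (22) from 0.0.0.0/0."""
    for rule in resource.get("ingress", []):  # HCL blocks parse as a list
        covers_22 = rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0)
        if covers_22 and "0.0.0.0/0" in rule.get("cidr_blocks", []):
            return "Security group must not allow open SSH (port 22) from 0.0.0.0/0"
    return None

# Rule registry keyed by resource type: (rule name, severity, function).
RULES = {
    "aws_s3_bucket": [("check_public_access", "CRITICAL", check_public_access)],
    "aws_security_group": [("check_open_ssh", "CRITICAL", check_open_ssh)],
}

def evaluate(resources):
    """Run every applicable rule over each parsed resource; return violations."""
    violations = []
    for res in resources:
        for name, severity, fn in RULES.get(res["type"], []):
            message = fn(res["attributes"])
            if message is not None:
                violations.append({"resource": f'{res["type"]}.{res["name"]}',
                                   "rule": name, "severity": severity,
                                   "message": message})
    return violations

def should_fail(violations, fail_on="CRITICAL"):
    """Mirror --fail-on: fail the pipeline if any violation meets the threshold."""
    return any(SEVERITY_RANK[v["severity"]] >= SEVERITY_RANK[fail_on]
               for v in violations)

# Constructed sample of parsed Terraform resources (not real tool output).
SAMPLE = [
    {"type": "aws_s3_bucket", "name": "my_bucket",
     "attributes": {"bucket": "my-data-bucket", "acl": "public-read"}},
    {"type": "aws_security_group", "name": "web", "attributes": {"ingress": [
        {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "aws_security_group", "name": "internal", "attributes": {"ingress": [
        {"from_port": 22, "to_port": 22, "cidr_blocks": ["10.0.0.0/8"]}]}},
]
```

Running evaluate(SAMPLE) yields two CRITICAL violations (the public bucket and the open SSH group) and should_fail(...) returns True, while the group restricted to 10.0.0.0/8 passes.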
API Usage
TFGaurd provides a REST API for programmatic access. See the full API Reference for all endpoints.
Quick Example
# -F sets the multipart/form-data Content-Type (with its boundary) automatically,
# so no explicit Content-Type header is needed
curl -X POST https://tfgaurd.com/api/check-files \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -F "files=@main.tf"