Bird
Raised Fist0
Terraformcloud~10 mins

Terraform security scanning tools - Interactive Code Practice

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Practice - 5 Tasks
Answer the questions below
1fill in blank
easy

Complete the code to run a basic security scan using tfsec.

Terraform
tfsec [1]
Drag options to blanks, or click blank then click option'
A--init
B--plan
C--apply
D.
Attempts:
3 left
💡 Hint
Common Mistakes
Using --init instead of specifying the directory
Using --apply which is not a tfsec option
Using --plan which is a Terraform command, not tfsec
2fill in blank
medium

Complete the code to run checkov on a Terraform directory.

Terraform
checkov -d [1]
Drag options to blanks, or click blank then click option'
Aterraform
B.
C/tmp
D/var/log
Attempts:
3 left
💡 Hint
Common Mistakes
Using unrelated directories that don't contain Terraform files
Confusing checkov flags with Terraform commands
3fill in blank
hard

Fix the error in the command to run tfsec with JSON output.

Terraform
tfsec --format [1]
Drag options to blanks, or click blank then click option'
Ajson
Bxml
Cyaml
Dtxt
Attempts:
3 left
💡 Hint
Common Mistakes
Using unsupported formats like xml or yaml
Using txt which is not a valid format flag
4fill in blank
hard

Fill both blanks to run checkov on a Terraform directory with output to a file.

Terraform
checkov -d [1] --output-file-path [2]
Drag options to blanks, or click blank then click option'
A.
Boutput.json
C--skip-check CKV_AWS_20
D--skip-check CKV_AWS_21
Attempts:
3 left
💡 Hint
Common Mistakes
Putting skip-check flags in place of directory or output file
Using invalid file names or paths
5fill in blank
hard

Fill all three blanks to run tfsec on a specific directory, output JSON, and exclude a rule.

Terraform
tfsec [1] --format [2] --exclude [3]
Drag options to blanks, or click blank then click option'
Aterraform
Bjson
CAWS001
Dterraform.tfstate
Attempts:
3 left
💡 Hint
Common Mistakes
Using a file instead of directory for first blank
Using unsupported formats
Using invalid or unrelated exclude values

Practice

(1/5)
1. What is the main purpose of Terraform security scanning tools like tfsec?
easy
A. To monitor cloud resource usage costs
B. To deploy Terraform infrastructure automatically
C. To write Terraform code faster with autocomplete
D. To find security risks in Terraform code before deployment

Solution

  1. Step 1: Understand Terraform security scanning tools

    These tools analyze Terraform code to detect potential security issues early.

  2. Step 2: Compare options with tool purpose

    Only To find security risks in Terraform code before deployment matches the purpose of finding security risks before deployment.

  3. Final Answer:

    To find security risks in Terraform code before deployment -> Option D

  4. Quick Check:

    Security scanning = find risks [OK]
Hint: Security tools find risks in code before cloud setup [OK]
Common Mistakes:
  • Confusing scanning tools with deployment tools
  • Thinking scanning tools write code
  • Assuming scanning tools track costs
2. Which command correctly runs tfsec to scan your Terraform project in the current folder?
easy
A. tfsec scan terraform
B. terraform scan
C. tfsec .
D. terraform tfsec run

Solution

  1. Step 1: Recall tfsec usage syntax

    The correct way to run tfsec is by specifying the folder, commonly the current folder with a dot.

  2. Step 2: Match command to syntax

    Only tfsec . correctly runs tfsec on the current directory.

  3. Final Answer:

    tfsec . -> Option C

  4. Quick Check:

    Run tfsec with folder path, dot means current folder [OK]
Hint: Run tfsec with dot for current folder scan [OK]
Common Mistakes:
  • Using terraform commands instead of tfsec
  • Adding extra words like 'scan' or 'run'
  • Not specifying folder or using wrong syntax
3. Given this tfsec output snippet:
Warning: AWS S3 bucket is publicly accessible
  File: main.tf:12
  Severity: HIGH

What does this output mean?
medium
A. The S3 bucket in main.tf line 12 allows public access, which is risky
B. The S3 bucket is encrypted and secure
C. The S3 bucket is missing from the Terraform code
D. The S3 bucket is private and safe

Solution

  1. Step 1: Interpret tfsec warning message

    The warning says the S3 bucket is publicly accessible, which means anyone can access it.

  2. Step 2: Understand security implication

    Public access to S3 buckets is a high-risk security issue, so this is a warning to fix it.

  3. Final Answer:

    The S3 bucket in main.tf line 12 allows public access, which is risky -> Option A

  4. Quick Check:

    Public access warning = risky bucket [OK]
Hint: Warnings show risky settings like public access [OK]
Common Mistakes:
  • Thinking warning means bucket is secure
  • Confusing missing resource with public access
  • Ignoring file and line number details
4. You ran tfsec . but got an error: command not found: tfsec. What is the most likely fix?
medium
A. Run terraform init first
B. Install tfsec on your system and ensure it's in your PATH
C. Change directory to the Terraform root folder
D. Update Terraform version to latest

Solution

  1. Step 1: Understand the error meaning

    The error means the system cannot find the tfsec command, so it is not installed or not accessible.

  2. Step 2: Fix by installing tfsec and adding to PATH

    Installing tfsec and ensuring the command is available in the system PATH fixes this error.

  3. Final Answer:

    Install tfsec on your system and ensure it's in your PATH -> Option B

  4. Quick Check:

    Command not found = install tool [OK]
Hint: Install tfsec if command not found error appears [OK]
Common Mistakes:
  • Running terraform commands instead of installing tfsec
  • Assuming directory change fixes command not found
  • Updating Terraform version unrelated to tfsec error
5. You want to automate security scanning in your CI pipeline using tfsec. Which approach best ensures security issues are caught before deployment?
hard
A. Run tfsec . before Terraform apply and fail pipeline on warnings
B. Run tfsec . after Terraform apply to check deployed resources
C. Run terraform plan and ignore tfsec
D. Run tfsec . only on production branch merges

Solution

  1. Step 1: Understand when to run security scans

    Security scanning should happen before deployment to catch issues early.

  2. Step 2: Choose pipeline behavior to enforce security

    Failing the pipeline on warnings ensures no risky code is deployed.

  3. Step 3: Evaluate other options

    Running after apply is too late; ignoring tfsec misses risks; scanning only production branch misses early detection.

  4. Final Answer:

    Run tfsec . before Terraform apply and fail pipeline on warnings -> Option A

  5. Quick Check:

    Scan before deploy and fail on warnings [OK]
Hint: Scan before deploy and fail on warnings to block risks [OK]
Common Mistakes:
  • Running scans after deployment
  • Ignoring tfsec in pipeline
  • Scanning only production branch too late