I stumbled upon this today when I wanted to get a pre-commit hook running again that runs tfsec.
If we want to ignore multiple checks with tfsec, we can use the -e flag with a comma-separated string of check codes.
E.g. if we have an s3.tf violating AWS001, AWS002, and AWS017, we'll get the following output from tfsec:
$ tfsec
Problem 1
[AWS001][WARNING] Resource 'aws_s3_bucket.bad_example' has an ACL which allows public access.
/tmp/tfsec/s3.tf:2
1 | resource "aws_s3_bucket" "bad_example" {
2 | acl = "public-read"
3 | }
4 |
See https://tfsec.dev/docs/aws/AWS001/ for more information.
Problem 2
[AWS002][ERROR] Resource 'aws_s3_bucket.bad_example' does not have logging enabled.
/tmp/tfsec/s3.tf:1-3
1 | resource "aws_s3_bucket" "bad_example" {
2 | acl = "public-read"
3 | }
4 |
See https://tfsec.dev/docs/aws/AWS002/ for more information.
Problem 3
[AWS017][ERROR] Resource 'aws_s3_bucket.bad_example' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
/tmp/tfsec/s3.tf:1-3
1 | resource "aws_s3_bucket" "bad_example" {
2 | acl = "public-read"
3 | }
4 |
See https://tfsec.dev/docs/aws/AWS017/ for more information.
disk i/o 4.092889ms
parsing HCL 15.898µs
evaluating values 269.101µs
running checks 685.51µs
files loaded 1
3 potential problems detected.
/tmp/tfsec
If we pass -e AWS001,AWS002,AWS017, however, tfsec will report no problems:
$ tfsec -e AWS001,AWS002,AWS017
disk i/o 664.56µs
parsing HCL 8.679µs
evaluating values 41.577µs
running checks 304.896µs
files loaded 1
No problems detected!
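The three findings above can also be resolved in the file itself instead of being excluded. As an added example (not from the original post), here is the bad_example bucket next to a version that satisfies AWS001, AWS002 and AWS017 using the inline arguments of the aws_s3_bucket resource as tfsec checked it here (AWS provider versions before 4.0); the bucket and log-bucket names are assumptions.

```hcl
# Weak form, as in the tfsec output above (constructed to match the findings)
resource "aws_s3_bucket" "bad_example" {
  acl = "public-read"
}

# Hardened form (added example): addresses AWS001, AWS002 and AWS017
# without any -e exclusion. Bucket names below are placeholders.
resource "aws_s3_bucket" "good_example" {
  bucket = "example-data-bucket"   # placeholder name
  acl    = "private"               # AWS001: no public-read ACL

  logging {                        # AWS002: access logging enabled
    target_bucket = "example-access-logs"   # placeholder log bucket
    target_prefix = "log/"
  }

  server_side_encryption_configuration {   # AWS017: encryption at rest
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}
```

Running tfsec against this file needs no -e at all, which is the easier state to keep a pre-commit hook in; the exclusion list is better reserved for findings that are a deliberate, documented choice.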