Aqua Blog

Taking IaC Security to the Next Level: Why TFsec Joined Aqua

Coming from a software engineering background, we built tfsec to help developers like us scan their infrastructure-as-code (IaC) templates and prevent cloud misconfigurations from being deployed. Teams at the world’s leading organizations are now leveraging tfsec to “shift left” and introduce security earlier in the development cycle. When we were presented with the chance to join the leader in cloud native security along with the amazing team doing great things, we didn’t think too long. As we’re joining Aqua and starting a new chapter for tfsec, let’s reflect together on our journey to this point.

TFsec is born: A better approach to Terraform scanning

While IaC is a rapidly growing trend today, a few years ago it was just taking off. Organizations were starting to automate infrastructure provisioning to overcome the hassle created by manual setup and configuration. But when everything is managed via code and you can set up new infrastructure in the cloud in only a few seconds, it’s extremely easy to create a misconfigured cloud resource. Simple mistakes can leave your data exposed publicly, open your organization to an attack, and lead to a security breach. As always with new technology, security was left behind.

As seasoned engineers with extensive cloud experience, we saw this firsthand and recognized the developers’ pain when trying to intercept potential security issues before they make it to production. Although a few IaC security scanning tools were emerging at that time, none of the existing technologies could scan the new HashiCorp Configuration Language version 2 that had just been released. Beyond that, the available tools were limited in functionality and didn’t fully address our needs. We realized there was a better, more intelligent, more efficient way to do Terraform scanning.

That’s why we created tfsec.

From the beginning, our goal was to build a useful tool that solves the problem – but we didn’t expect such mass adoption by the community. Once we put tfsec out there, thousands of developers from large companies began downloading and using it to scan their IaC code. The project quickly grew and evolved. In less than two years, tfsec has become the well-known leader in Terraform code scanning, with more than 150 checks available across AWS, Azure and GCP and an impressive 250,000 downloads. This is also reflected in the strong community support and input the tool is getting, boasting 3,000 stars and more than 60 contributors on GitHub. Clearly, we couldn’t have imagined this when we first started.

Why did tfsec become so popular? Not only is it easy to use, it’s also significantly faster than competitors and provides more accurate scanning results, often picking up issues that other tools miss. What makes tfsec unique is that it examines the Terraform code itself, simulating how the infrastructure will be deployed in the cloud. Unlike static IaC file scanners, which scan individual files separately, tfsec scans Terraform projects in context using the HashiCorp HCL engine. It’s the only IaC scanner that does this.
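To make the difference between per-file scanning and project-context scanning concrete, here is an added toy example in Python. It is not tfsec’s own engine or code: the flat HCL-subset parser, the single hypothetical public-ACL rule, and the two constructed Terraform files are all assumptions made for this illustration. The risky value lives in a variable default in one file, while the resource in another file only references it, so a scanner that looks at each file on its own never sees a public ACL next to a bucket.

```python
"""Per-file vs. project-context IaC scanning (constructed illustration).

Not tfsec's parser or rule engine. The HCL subset handled here is flat
top-level blocks with simple `key = value` lines; nested blocks are skipped.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample project: the resource references a variable, and the
# variable's default is what actually makes the bucket public.
SAMPLE_PROJECT = {
    "variables.tf": '''
variable "bucket_acl" {
  default = "public-read"
}
''',
    "main.tf": '''
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = var.bucket_acl
}
''',
}

# Hypothetical rule: canned S3 ACLs that grant access beyond the account.
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}

BLOCK_RE = re.compile(r'^(\w+)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{\s*$')
ATTR_RE = re.compile(r'^(\w+)\s*=\s*(.+?)\s*$')
VAR_REF_RE = re.compile(r'^var\.(\w+)$')

Block = Tuple[str, Tuple[str, ...], Dict[str, str]]


def parse_hcl_subset(text: str) -> List[Block]:
    """Return (block_type, labels, attributes) for each top-level block."""
    blocks, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = BLOCK_RE.match(line)
        if m and current is None:
            current = (m.group(1), tuple(l for l in m.group(2, 3) if l), {})
        elif line.endswith("{"):        # nested block: skip its contents
            depth += 1
        elif line == "}" and depth > 0:
            depth -= 1
        elif line == "}" and current is not None:
            blocks.append(current)
            current = None
        elif current is not None and depth == 0:
            a = ATTR_RE.match(line)
            if a:
                current[2][a.group(1)] = a.group(2)
    return blocks


def unquote(value: str) -> str:
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def naive_file_scan(project: Dict[str, str]) -> List[str]:
    """Each file on its own: only a literal public ACL on the resource is seen."""
    findings = []
    for filename, text in project.items():
        for btype, labels, attrs in parse_hcl_subset(text):
            if btype == "resource" and labels[0] == "aws_s3_bucket":
                acl = unquote(attrs.get("acl", ""))
                if acl in PUBLIC_ACLS:
                    findings.append(f"{filename}: aws_s3_bucket.{labels[1]} acl = {acl}")
    return findings


def context_scan(project: Dict[str, str]) -> List[str]:
    """Whole project: build the variable table first, then resolve references."""
    parsed = {name: parse_hcl_subset(text) for name, text in project.items()}
    defaults = {labels[0]: unquote(attrs["default"])
                for blocks in parsed.values() for btype, labels, attrs in blocks
                if btype == "variable" and "default" in attrs}
    findings = []
    for filename, blocks in parsed.items():
        for btype, labels, attrs in blocks:
            if btype != "resource" or labels[0] != "aws_s3_bucket":
                continue
            raw = attrs.get("acl", '""')
            ref = VAR_REF_RE.match(raw)
            if ref and ref.group(1) not in defaults:
                # No default in the project: value is unknown at scan time.
                findings.append(f"{filename}: aws_s3_bucket.{labels[1]} acl = {raw} "
                                "(unresolved, needs review)")
                continue
            acl, how = (defaults[ref.group(1)], f"resolved from {raw}") if ref \
                else (unquote(raw), "literal")
            if acl in PUBLIC_ACLS:
                findings.append(f"{filename}: aws_s3_bucket.{labels[1]} acl = {acl} ({how})")
    return findings


if __name__ == "__main__":
    print("per-file scan:", naive_file_scan(SAMPLE_PROJECT))
    print("context scan: ", context_scan(SAMPLE_PROJECT))
```

On the sample project the per-file scan returns nothing, while the context scan reports the bucket as public and names the variable the value came from; with the default removed entirely, the context scan reports the attribute as unresolved rather than silently passing it, which is the behaviour a reviewer wants when a value is only supplied at apply time.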

So why Aqua?

Open source DNA

As the core team behind tfsec, we are passionate about open source and are long-time contributors and maintainers of several projects. Naturally, we were immediately attracted by the fact that, of all security vendors in the cloud native space, Aqua is the most active player in the open source community. With a dedicated open source team, the company heavily invests in open source, offering the largest portfolio of open source security tools, including the stellar and widely adopted Trivy, Tracee, kube-bench, kube-hunter, and Starboard, many of which became the de facto industry standards.

It was clear from the get-go that we share the same core belief with Aqua: Open source is hugely important, and if you can engage with the developers and solve their needs, the commercial side will come. As the famous Steve Jobs quote goes, “If you keep your eye on the profit, you’re going to skimp on the product. But if you focus on making really great products, then the profits will follow.”

Deep expertise

We were also impressed by Aqua’s outstanding technology edge. As a cloud native security pioneer, the company was one of the earliest to focus on securing container deployments, over time expanding its platform to cover the entire cloud native stack. Only five years old, Aqua is already the recognized technology leader in a hyper-growth and booming cloud security space, constantly defying the competition and bringing groundbreaking innovation to the market.

As we transition into our new roles, we’re looking forward to embracing the knowledge and expertise of the Aqua team and applying it to drive tfsec forward.

Inspiring professional path

Finally, it’s the direction that joining Aqua is going to take us professionally. Throughout our careers, we have been software engineers with a keen interest in security. Last year, we officially broke into this field and became security engineers at a financial company. When the COVID-19 pandemic hit, we found ourselves spending evenings writing an open source IaC scanning tool (there’s not much to do in a lockdown, right?). Our new positions as cloud engineers at Aqua will allow us to carry on with our software engineering careers and explore the exciting security space.

In a nutshell, for us, Aqua ticks all the boxes. We get to work at the industry leader in the hottest tech market, further building and improving our own open source project (now full-time), with a winning team guiding and supporting us along the way. What else can one dream of?

Above all this, the current pace of innovation in our industry makes it impossible to pull ahead alone. Let’s face it, you can’t keep up with the competition while working on the tool as a side project for a few hours at night. TFsec has huge potential, and we as its creators want it to become as powerful as it can be. We are confident Aqua will help us on this path.

What will we be doing?

First off, we’re going to ramp up the development of tfsec and enhance it with even more investment from Aqua’s open source team. TFsec has already been integrated with Trivy, the leading open source vulnerability scanner, allowing everyone to combine the ease of use and scanning speed of Trivy with the enhanced IaC coverage.

On the features side, we plan to continue expanding the number of checks to build a comprehensive list so that tfsec covers everything that’s considered the industry standard.

Finally, we’ll be bringing our expertise in IaC to further advance Aqua’s cloud security footprint. While tfsec will continue to be available as a standalone open source project, the larger strategy includes integrating its capabilities into Aqua’s commercial products as well.

Closing thoughts

With a dramatic increase in IaC usage and the possibility of human error, developers need a quick and efficient way to run security checks and avoid risky misconfigurations. To close this security gap, we built tfsec, a developer-focused open source IaC scanner, which has become a cornerstone of many teams’ toolkits. Now at Aqua, we get to be part of the broader mission, as we work to solve our customers’ cloud security challenges while bringing tfsec to more developers around the globe.

Aqua Team
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform is the leading Cloud Native Application Protection Platform (CNAPP) and provides prevention, detection, and response automation across the entire application lifecycle to secure the supply chain, secure cloud infrastructure and secure running workloads wherever they are deployed. Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions and cloud VMs.