kb/security
Terraform security covers sensitive values in variables, outputs, and locals; static analysis of configs with Checkov and Trivy/tfsec; safe handling of secrets (AWS Secrets Manager, Vault, OIDC instead of access keys for CI); and why `sensitive = true` is about logs, not encryption.
State holds everything that passed through apply: passwords, keys, and tokens, in plain text. The options are to store secrets in Secrets Manager, Vault, or KMS; read them through a data source; encrypt the backend (S3 SSE-KMS); and use OIDC instead of access keys for CI. `sensitive = true` affects log output, not encryption.
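The controls above in one root module, as an added example that is not from the original note: SSE-KMS on the S3 backend, a secret read through a data source, a sensitive output, and a CI role assumed via GitHub's OIDC provider. The bucket name, key alias, secret name and repository are assumed placeholders.

```hcl
# Added example, not from the page. Bucket, key alias, secret name and repo are assumed placeholders.
terraform {
  backend "s3" {
    bucket     = "example-tf-state"
    key        = "prod/terraform.tfstate"
    region     = "eu-west-1"
    encrypt    = true                     # server-side encryption of the state object
    kms_key_id = "alias/terraform-state"  # SSE-KMS: a CMK with its own key policy, not SSE-S3
  }
}
# Read the secret from Secrets Manager instead of passing it around as a variable. Caveat: the
# fetched secret_string is persisted in state too, which is why the backend encryption matters.
data "aws_secretsmanager_secret_version" "db" {
  secret_id = "prod/db/credentials"       # assumed secret name
}
locals {
  db_creds = jsondecode(data.aws_secretsmanager_secret_version.db.secret_string)
}
resource "aws_db_instance" "main" {
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  username          = local.db_creds["username"]
  password          = local.db_creds["password"]  # written to state in plain text regardless of flags
}
# sensitive = true redacts the value in plan/apply output and `terraform output`; it encrypts nothing.
# Terraform also rejects an output that references a sensitive value unless the output is sensitive too.
output "db_password" {
  value     = local.db_creds["password"]
  sensitive = true
}
# CI assumes this role through GitHub's OIDC provider, so no long-lived access keys sit in CI secrets.
data "aws_iam_openid_connect_provider" "github" {
  url = "https://token.actions.githubusercontent.com"
}
resource "aws_iam_role" "ci" {
  name = "terraform-ci"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Federated = data.aws_iam_openid_connect_provider.github.arn }
      Action    = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        StringEquals = { "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" }
        StringLike   = { "token.actions.githubusercontent.com:sub" = "repo:example-org/infra:ref:refs/heads/main" } # assumed repo; bind to a branch, never repo:*
      }
    }]
  })
}
```

Running `terraform plan` against this shows `(sensitive value)` for the password attribute and the output, while `terraform state pull` still returns the plain-text value, which is the distinction the note makes.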
tfsec, the original security scanner from Aqua, is written in Go and fast. In 2023 it was merged into Trivy, which now has a `trivy config` module for IaC using the same rule set (AVD-* identifiers). Compared to Checkov it has fewer rules, but it is faster and ships as a single binary with no dependencies. In CI you typically run either Trivy/tfsec or Checkov, not both.