#terraform

Rulesets (3)

secrets

Semgrep

Rules for detecting secrets checked into version control

terraform

Semgrep

Default ruleset for Terraform, curated by Semgrep.

Rules (5)

terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version

semgrep

terraform

Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set "tls_security_policy" equal to "Policy-Min-TLS-1-2-2019-07".

terraform.aws.security.aws-insecure-api-gateway-tls-version.aws-insecure-api-gateway-tls-version

semgrep

terraform

Detected AWS API Gateway to be using an insecure version of TLS. To fix this issue make sure to set "security_policy" equal to "TLS_1_2".

terraform.aws.security.aws-opensearchserverless-encrypted-with-cmk.aws-opensearchserverless-encrypted-with-cmk

semgrep

terraform

Ensure opensearch serverless is encrypted at rest using AWS KMS (Key Management Service) CMK (Customer Managed Keys). CMKs give you control over the encryption key in terms of access and rotation.

terraform.gcp.security.gcp-insecure-load-balancer-tls-version.gcp-insecure-load-balancer-tls-version

semgrep

terraform

Detected GCP Load Balancer to be using an insecure version of TLS. To fix this set your "min_tls_version" to "TLS_1_2"

terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec

semgrep

terraform

Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.