[Cheat Sheet] Static Analysis for IaC: Terraform & Pulumi (2026)
Bottom Line
Static analysis for IaC is no longer an optional add-on: running Checkov, tfsec (or its successor Trivy) and Pulumi CrossGuard in pre-commit hooks and CI/CD pipelines is the cheapest way to stop the bulk of common cloud misconfigurations (public buckets, open security groups, unencrypted data stores) before they are ever applied.
Key Takeaways
- Shift security left by running Checkov v3.2+ or tfsec locally (pre-commit) so findings are fixed before the code reaches the main branch.
- Use TFLint for provider-level mistakes (invalid instance types, deprecated arguments) and HCL hygiene that security scanners do not check.
- Leverage Pulumi CrossGuard to write Policy as Code in TypeScript or Python when a rule needs real logic rather than a pattern match.
- Run the scans in CI without `--soft-fail`: the non-zero exit code on findings is what actually blocks an insecure infrastructure PR.
Infrastructure as Code (IaC) has revolutionized how we deploy cloud resources, but it also introduces the risk of scaling security flaws instantly across global environments. Static analysis tools act as the first line of defense, scanning Terraform HCL and Pulumi TypeScript/Python code for misconfigured S3 buckets, open security groups, and unencrypted databases. This 2026 reference guide provides a comprehensive breakdown of the essential commands, tools, and configuration patterns needed to secure your infrastructure from the very first line of code.
1. Essential Tools Comparison
Choosing the right tool depends on your stack and the depth of analysis required. Checkov offers the broadest coverage; tfsec is faster on pure HCL, but its rules now ship inside Trivy (`trivy config`) and the standalone binary is in maintenance mode, so new rollouts should target Trivy.
| Tool | Primary Scope | Language Support | Edge |
|---|---|---|---|
| Checkov | Broad security/compliance | HCL, Terraform plan JSON, CloudFormation, K8s/Helm, Bicep, Dockerfile | Graph-based analysis across related resources |
| tfsec | Terraform-specific security | HCL only (rules now ship in Trivy) | Execution speed |
| TFLint | Code quality and provider errors | HCL only | Cloud provider validation via plugins |
| CrossGuard | Policy as Code | TypeScript/JavaScript, Python | Native Pulumi integration at preview/up time |
Bottom Line
For modern DevOps teams, the winning combo is Checkov for broad multi-cloud security and TFLint for infrastructure-specific logic. If you are a Pulumi-first shop, invest heavily in CrossGuard to enforce compliance using the same programming language as your infrastructure.
2. Keyboard Shortcuts for CLI Efficiency
None of these scanners is interactive: each prints a report and exits. When a report is long, pipe it through a pager (for example `checkov -d . --compact | less -R`, where `-R` keeps the colour codes readable) and use the pager's keys to move through it:
| Shortcut | Action |
|---|---|
| / | Search forward in the report (for a check ID, a resource name, or "FAILED") |
| n / N | Jump to the next / previous search match |
| j / k | Move down / up one line (arrow keys do the same) |
| q | Quit the pager and return to the prompt |
| Ctrl + C | Abort a scan that is still running |
3. Commands Grouped by Purpose
Installation & Setup
# Install Checkov via pip
pip install checkov
# Install tfsec via brew
brew install tfsec
# Initialize TFLint: downloads the provider plugins declared in .tflint.hcl
tflint --init
Running Scans
- Standard scan: `checkov -d .` or `tfsec .` scans the current directory and every sub-directory.
- Targeted scan: `checkov -f main.tf` scans a single file.
- External modules: `checkov -d . --download-external-modules true` fetches registry and git modules so their resources are analysed too; without it only the calling code is scanned.
- Soft fail: `--soft-fail` prints findings but exits 0, so the build passes; use it only while onboarding an existing codebase.
Output Formats
# Output as JSON for machine consumption
checkov -d . -o json > report.json
# Human-friendly lovely format for tfsec
tfsec . --format lovely
# JUnit XML for CI/CD integration
checkov -d . -o junitxml
4. Configuration & Suppression
No tool is perfect. You will occasionally encounter false positives or legacy resources that cannot be fixed immediately. Manage these exceptions with configuration files and inline comments, and treat every suppression as a finding that needs an owner, a reason and ideally an expiry. tfsec reads `# tfsec:ignore:<rule-id>` on the line before (or at the end of) the offending line and accepts an expiry suffix such as `:exp:2026-12-31`; Checkov reads `#checkov:skip=<CHECK_ID>:<reason>` placed inside the resource block.
Inline Suppression (Terraform)
# tfsec:ignore:aws-s3-specify-public-access-block
resource "aws_s3_bucket" "public_bucket" {
  bucket = "public-assets-2026"
  # ...
}
Global Config File (.checkov.yaml)
Checkov reads `.checkov.yaml` from the directory it is run in (or pass `--config-file`). Keep the two keys apart: `check` is an allow-list that runs only the listed IDs, while `skip-check` removes IDs from whatever would otherwise run, so a file that sets both is usually a mistake.
# .checkov.yaml, variant 1: allow-list. Only the listed IDs run.
check:
  - CKV_AWS_1
  - CKV_AWS_2

# .checkov.yaml, variant 2 (the usual choice): run everything, skip named IDs with a reason.
skip-check:
  - CKV_AWS_144  # S3 cross-region replication; state the reason and ticket reference here
soft-fail: false   # findings make the run exit non-zero
compact: true      # drop code snippets from the report
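The scan, output-format and suppression commands above produce a JSON report but leave the merge decision to whatever reads the exit code. The following is an added example, not code from this cheat sheet, from Checkov or from any vendor: a small CI gate in Python over `checkov -o json` output that blocks on any failed check not on an explicit accepted-risk list, surfaces skips whose `suppress_comment` carries no justification, and fails on parsing errors. The report layout it reads (`results.failed_checks`, `results.skipped_checks`, `suppress_comment`, `parsing_errors`) reflects Checkov's JSON output as the author understands it; the embedded report is constructed by hand for the demo rather than captured from a real scan, and the accepted-risk pairs are placeholders.

```python
"""CI gate over a Checkov JSON report (added example; not Checkov's own code).

Blocks on failed checks that are not on an accepted-risk list, flags inline
suppressions with no justification, and fails on parsing errors. Field names
follow Checkov's JSON layout as the author understands it; the sample is
hand-constructed, not a real scan result.
"""
import json
import sys
from pathlib import Path

# Constructed sample mirroring Checkov's single-framework JSON output.
# Check IDs are real Checkov IDs; the resources and file paths are invented.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [
            {"check_id": "CKV_AWS_19", "resource": "aws_s3_bucket.logs", "file_path": "/s3.tf"}],
        "failed_checks": [
            {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.public_bucket",
             "file_path": "/s3.tf", "file_line_range": [1, 8]},
            {"check_id": "CKV_AWS_23", "resource": "aws_security_group.web",
             "file_path": "/sg.tf", "file_line_range": [10, 25]}],
        "skipped_checks": [
            # Written in HCL as "#checkov:skip=CKV_AWS_20:public static site, approved in SEC-1234"
            {"check_id": "CKV_AWS_20", "resource": "aws_s3_bucket.public_bucket",
             "file_path": "/s3.tf", "file_line_range": [1, 8],
             "suppress_comment": "public static site, approved in SEC-1234"},
            # Written as "#checkov:skip=CKV_AWS_144" with no reason at all
            {"check_id": "CKV_AWS_144", "resource": "aws_s3_bucket.logs",
             "file_path": "/s3.tf", "file_line_range": [12, 20], "suppress_comment": ""}],
        "parsing_errors": []},
    "summary": {"passed": 1, "failed": 2, "skipped": 2, "parsing_errors": 0, "resource_count": 3},
})


def load_reports(text):
    """Checkov prints one object for a single framework and a list when several
    frameworks ran; normalise both shapes to a list of report objects."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def blocking_failures(reports, accepted_risk=frozenset()):
    """Failed checks that must block the merge. `accepted_risk` holds
    (check_id, resource) pairs that went through a risk-acceptance process;
    scoping by resource stops one acceptance from silencing a whole check."""
    return [chk
            for report in reports
            for chk in report.get("results", {}).get("failed_checks", [])
            if (chk["check_id"], chk["resource"]) not in accepted_risk]


def unjustified_skips(reports, min_reason_len=10):
    """Inline suppressions whose reason is missing or too short to explain
    anything. This is where security debt accumulates, so report them."""
    return [chk
            for report in reports
            for chk in report.get("results", {}).get("skipped_checks", [])
            if len((chk.get("suppress_comment") or "").strip()) < min_reason_len]


def parsing_errors(reports):
    """Files Checkov could not parse: a silent pass here is a false negative."""
    return [path
            for report in reports
            for path in report.get("results", {}).get("parsing_errors", [])]


def evaluate(text, accepted_risk=frozenset(), fail_on_unjustified_skip=True):
    """Return the gate verdict: findings by category plus the exit code CI should use."""
    reports = load_reports(text)
    failures = blocking_failures(reports, accepted_risk)
    skips = unjustified_skips(reports)
    errors = parsing_errors(reports)
    blocked = bool(failures) or bool(errors) or (fail_on_unjustified_skip and bool(skips))
    return {"failures": failures, "unjustified_skips": skips,
            "parsing_errors": errors, "exit_code": 1 if blocked else 0}


def describe(chk):
    """One-line, grep-friendly rendering of a finding."""
    start, end = chk.get("file_line_range") or ("?", "?")
    return f"{chk['check_id']} {chk['resource']} {chk.get('file_path', '?')}:{start}-{end}"


def main(argv):
    """Usage: gate.py [report.json]; with no argument the constructed sample is used."""
    text = Path(argv[1]).read_text() if len(argv) > 1 else SAMPLE_REPORT
    # Placeholder acceptance; in practice load these pairs from a reviewed file in the repo.
    accepted = {("CKV_AWS_23", "aws_security_group.web")}
    verdict = evaluate(text, accepted_risk=accepted)
    for chk in verdict["failures"]:
        print("BLOCK    ", describe(chk))
    for chk in verdict["unjustified_skips"]:
        print("NO-REASON", describe(chk))
    for path in verdict["parsing_errors"]:
        print("PARSE-ERR", path)
    return verdict["exit_code"]


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `checkov -d . -o json > report.json; python gate.py report.json` after the scan step; because the gate returns 1 for unjustified skips as well as for open findings, a bare `#checkov:skip=ID` with no reason fails the job just like a real misconfiguration, which keeps suppressions reviewable instead of invisible.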
5. Advanced Usage & CI Integration
Static analysis is most effective when it prevents insecure code from being merged. Integrate your chosen tools into GitHub Actions, GitLab CI, or Pulumi Cloud.
GitHub Action Example
steps:
  - uses: actions/checkout@v4               # the action scans the checked-out tree
  - name: Run Checkov action
    uses: bridgecrewio/checkov-action@v12   # pin a release tag rather than @master
    with:
      directory: terraform/
      framework: terraform
      quiet: true          # print failed checks only
      soft_fail: false     # findings return non-zero and fail the job
Pulumi CrossGuard (Policy as Code)
Pulumi allows you to write actual code to enforce rules, evaluated against every resource's inputs during `pulumi preview` and `pulumi up`. This is powerful for complex logic, such as requiring a specific Owner tag on every resource or restricting S3 buckets to us-east-1.
import { PolicyPack, validateResourceOfType } from "@pulumi/policy";
import { Bucket } from "@pulumi/aws/s3";

new PolicyPack("s3-security", {
    policies: [{
        name: "s3-no-public-read",
        description: "Prohibits public read access to S3 buckets.",
        enforcementLevel: "mandatory",   // "advisory" would only warn
        validateResource: validateResourceOfType(Bucket, (bucket, args, reportViolation) => {
            // `bucket` holds the declared inputs; `args.urn` identifies the resource.
            // public-read-write also grants public read, so it is rejected as well.
            if (bucket.acl === "public-read" || bucket.acl === "public-read-write") {
                reportViolation(`${args.urn}: S3 buckets cannot use a public ACL.`);
            }
        }),
    }],
});
Avoid `--soft-fail` in production CI pipelines. It removes friction during early adoption, but a pipeline that never fails turns every finding into "security debt" that is ignored indefinitely. If you need a staged rollout, use `--soft-fail-on` with an explicit list of check IDs and keep everything else blocking.
Frequently Asked Questions
Can I use Checkov to scan Pulumi code?
Not directly from the TypeScript or Python source. The route this guide takes is to export the planned resources with `pulumi preview --json > plan.json` and run Checkov against that JSON file with the `--framework pulumi` flag; confirm that the Checkov release you install lists that framework in `checkov --help` before depending on it in CI. For rules that need typed resource inputs, CrossGuard is the native option.
Does tfsec support OpenTofu?
How do I suppress a specific security check globally?
Create `.checkov.yaml` (Checkov) or `.tfsec/config.yml` (tfsec) and add the IDs of the checks you wish to skip under the `skip-check` key or the `exclude` key respectively.
What is the difference between static analysis and dynamic analysis in IaC?