Aqua Security, the pure-play cloud native security provider, announces the acquisition of tfsec, an open source security scanner for Infrastructure as Code (IaC).
The acquisition brings an immediate integration of tfsec into Aqua Trivy, adding IaC security scanning capabilities, with additional Aqua platform integrations planned later this year. Tfsec’s co-founders will join Aqua following the acquisition.
Essential security capabilities
“Tfsec is the known leader in Terraform code scanning, and we’re thrilled to bring its capabilities and intelligence under Aqua’s open source and commercial umbrella,” said Amir Jerbi, CTO and co-founder of Aqua Security. “Aqua is committed to investing in open source cloud security tools and to providing users a frictionless way to assimilate essential security capabilities into their cloud native applications where they need them most.”
IaC security scanning is a critical step in helping users secure the configurations of the environments
IaC security scanning is a critical step in helping users secure the configurations of the environments in which they deploy their applications. The integration of Aqua Trivy and tfsec helps teams to shift left, combining the ease of use and scanning speed of Trivy with the enhanced IaC coverage with tfsec, without additional management overhead and as part of a unified workflow.
Run security checks
With its run anywhere design, tfsec provides a download and run scanning solution that is fast, accurate, and flexible. The unique approach tfsec takes to loading the code ensures that your IaC is interpreted exactly as Terraform does; meaning that regardless of complexity, one gets the best possible view of any vulnerabilities before it is deployed.
“We saw a need in the market for a more intelligent form of Terraform scanning,” said Liam Galvin, tfsec co-founder. “Building tfsec from community input, we were able to deliver on developers’ needs for a quicker, more efficient way to run security checks.”
Simple user experience
By integrating tfsec and Trivy, our users can scan code repositories and container images"
“Aqua Trivy has become the industry standard for open source vulnerability scanning thanks to its simple user experience and rich functionality. Now Trivy brings the same superior experience into Infrastructure as Code scanning to provide even more value to container and code scanning,” says Itay Shakury, Director of Open Source at Aqua Security.
“By integrating tfsec and Trivy, our users can scan code repositories and container images for vulnerabilities and IaC configuration issues – all using a single tool, that can integrate into their CI tool or even be used as a Github action.” While tfsec will remain a standalone project, in addition to its integration into Trivy, it will also be added to Aqua Security’s suite of open source cloud security tools, including Tracee, Starboard, Kube-bench and Kube-hunter.
Open source community
With this portfolio, users can also perform penetration tests of Kubernetes clusters, integrate disparate Kubernetes security tools into an aggregate security dataset that is available natively in Kubernetes, view runtime and forensics data for Linux, and more.
Tfsec Co-Founders Liam Galvin and Owen Rumney will join the Aqua team as Cloud Engineer
Tfsec Co-Founders Liam Galvin and Owen Rumney will join the Aqua team as Cloud Engineers bringing deep experience in both software and open source. Galvin is an experienced full stack engineer with more than 15 years of building software and contributing to the open source community. His most recent experience has been rooted in security, and he joins Aqua from FORM3 where he was a Lead Security Engineer.
Building cloud infrastructure
Galvin built tfsec having used Hashicorp’s Terraform to build cloud infrastructure for multiple startups after recognising the security gap. He also maintains many other open source projects, such as traitor: a local privilege escalation framework for Linux which has recently garnered significant attention from the community.
Rumney is a seasoned software engineer with experience in building repeatable, consistent deployments in large-scale, ephemeral data processing environments. In addition to his work with tfsec, most recently he served as Senior Platform and Security Engineer at FORM3, and he has held prior roles as a Lead Data Engineer at BP and Holland & Barrett. He has combined his background in IaC with a focus on cloud security risks, working to help individuals and organisations to intercept potential issues before they make it to production.