Linting and Static Code Analysis

Configure TFLint and Checkov to enforce code quality and security standards across your Terraform infrastructure.
Overview

The starter kit includes pre-configured linting and security scanning tools that run both locally and in CI/CD pipelines. These tools catch errors early, enforce best practices, and ensure security compliance before infrastructure reaches production.

Tools included:

  • TFLint — Lints Terraform code for syntax errors, naming conventions, and provider-specific issues
  • Checkov — Scans for security misconfigurations and compliance violations

Both tools run automatically via make validate-full and in GitHub Actions workflows.

TFLint configuration

The starter kit includes a .tflint.hcl file at the repository root:

plugin "aws" {
  enabled = true
  version = "0.32.0"
  source  = "github.com/terraform-linters/tflint-ruleset-aws"
}

plugin "terraform" {
  enabled = true
  preset  = "recommended"
}

rule "terraform_naming_convention" {
  enabled = true
  format  = "snake_case"
}

rule "terraform_documented_variables" {
  enabled = true
}

rule "terraform_documented_outputs" {
  enabled = true
}

rule "terraform_typed_variables" {
  enabled = true
}

rule "terraform_unused_declarations" {
  enabled = true
}

rule "terraform_deprecated_index" {
  enabled = true
}

rule "terraform_required_version" {
  enabled = true
}

rule "terraform_required_providers" {
  enabled = true
}

Key features

This configuration enforces:

  • Naming conventions — Uses snake_case for all Terraform identifiers
  • Documentation — Requires descriptions for variables and outputs
  • Type safety — Requires explicit type declarations
  • Code quality — Detects unused declarations and deprecated syntax
  • Version pinning — Ensures Terraform and provider versions are specified
  • AWS validation — Validates AWS-specific resources via the AWS plugin

Customization

To customize the configuration:

  1. Edit .tflint.hcl to enable/disable rules or update plugin versions
  2. Run tflint --init to download updated plugins
  3. Run make lint to validate with your new configuration

For complete documentation on all rules, plugin options, and advanced customization, see the TFLint reference.

Checkov configuration

The starter kit includes a .checkov.yml file at the repository root:

---
# Checkov configuration file
# https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html

# Framework to scan (terraform, cloudformation, kubernetes, etc.)
framework: terraform

# Skip specific checks (add check IDs as needed)
skip-check:
  # Example: Skip S3 bucket logging checks for demo buckets
  # - CKV_AWS_18  # S3 Bucket should have access logging enabled
  # - CKV_AWS_21  # S3 Bucket should have versioning enabled

# Run specific checks only (comment out to run all checks)
# check:
#   - CKV_AWS_*

# Exclude specific directories
skip-path:
  - .terraform/
  - .git/
  - tests/

# Enable downloading external modules
download-external-modules: true

# Quiet mode (only show failed checks)
# quiet: true

# Compact output
# compact: true

# Output format (cli, json, sarif, etc.)
# output: cli

# Show successful checks
# output-passed: false

# Show skipped checks
# output-skip: false

Key configuration options

  • framework — Specifies terraform as the IaC framework to scan
  • skip-check — List specific check IDs to skip (useful for false positives)
  • check — Optionally run only specific checks instead of all checks
  • skip-path — Exclude directories like .terraform/ from scanning
  • download-external-modules — Set to true to scan external module sources
  • Output options — Control output format and verbosity (quiet, compact, json, etc.)

Inline suppressions

You can suppress checks for specific resources directly in your Terraform code:

resource "aws_s3_bucket" "logs" {
  #checkov:skip=CKV_AWS_18:Access logging not required for log aggregation bucket
  bucket = "app-access-logs"
}

Always include a justification comment explaining why the check is skipped.
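Added example, not part of the starter kit: a small Python audit that lists every inline Checkov suppression in a Terraform file and flags the ones with no justification, so an unjustified skip is caught in review rather than silently honoured by make security-scan. The regex follows Checkov's documented #checkov:skip=CHECK_ID:reason form (comma-separated IDs allowed); the sample Terraform below is constructed.

```python
import re
from dataclasses import dataclass

# Checkov's inline suppression syntax: '#checkov:skip=' followed by one or
# more comma-separated check IDs and an optional ':justification' tail.
SKIP_RE = re.compile(r"#\s*checkov:skip=\s*([A-Za-z_\d]+(?:,[A-Za-z_\d]+)*)(?::(.*))?$")


@dataclass
class Suppression:
    path: str
    line: int
    check_id: str
    justification: str  # empty when the comment gave no reason


def find_suppressions(path: str, text: str) -> list[Suppression]:
    """Return every suppression declared in one Terraform file's text."""
    found = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = SKIP_RE.search(raw)
        if not m:
            continue
        reason = (m.group(2) or "").strip()
        for check_id in m.group(1).split(","):
            found.append(Suppression(path, lineno, check_id, reason))
    return found


def unjustified(suppressions: list[Suppression]) -> list[Suppression]:
    """Suppressions with no justification: what a reviewer should reject."""
    return [s for s in suppressions if not s.justification]


# Constructed sample: the page's logs bucket (justified) and a second bucket
# that skips two checks with no reason given.
SAMPLE_TF = '''resource "aws_s3_bucket" "logs" {
  #checkov:skip=CKV_AWS_18:Access logging not required for log aggregation bucket
  bucket = "app-access-logs"
}

resource "aws_s3_bucket" "scratch" {
  # checkov:skip=CKV_AWS_18,CKV_AWS_21
  bucket = "scratch-data"
}
'''

if __name__ == "__main__":
    for s in unjustified(find_suppressions("main.tf", SAMPLE_TF)):
        print(f"{s.path}:{s.line}: {s.check_id} skipped without a justification")
```

Run it over the repository's .tf files (or wire it into make security-scan) to produce an audit list of every skip alongside its stated reason.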

Customization

To customize the configuration:

  1. Edit .checkov.yml to skip checks, change output format, or add custom policies
  2. Run make security-scan to validate with your new configuration

For complete documentation on all configuration options, check IDs, compliance frameworks, and advanced customization, see the Checkov reference.

Running validation

Local validation

Run all validation checks before committing:

make validate-full

This runs the Terraform format check, terraform validate, TFLint, and Checkov.

Individual tools

Run tools separately:

make lint           # TFLint only
make security-scan  # Checkov only
make format         # Format code

CI/CD integration

Both tools run automatically in GitHub Actions via make validate-full. Failed checks block the deployment pipeline, ensuring only validated and secure infrastructure reaches production.

For details on how these tools integrate into the automated workflow, see the CI/CD Workflow documentation.

Next steps