Overview
The starter kit includes pre-configured linting and security scanning that runs both locally and in CI/CD. These tools catch errors early, enforce best practices, and ensure security compliance before infrastructure reaches production.
Tools included
| Tool | Purpose |
|---|---|
| TFLint | Lints Terraform code for syntax errors, naming conventions, provider-specific issues |
| Checkov | Scans for security misconfigurations and compliance violations |
Both tools run automatically via `make validate-full` and in the GitHub Actions workflows.
TFLint configuration
The starter kit includes .tflint.hcl at the repository root:
```hcl
plugin "aws" {
  enabled = true
  version = "0.32.0"
  source  = "github.com/terraform-linters/tflint-ruleset-aws"
}

plugin "terraform" {
  enabled = true
  preset  = "recommended"
}

rule "terraform_naming_convention" {
  enabled = true
  format  = "snake_case"
}

rule "terraform_documented_variables" {
  enabled = true
}

rule "terraform_documented_outputs" {
  enabled = true
}

rule "terraform_typed_variables" {
  enabled = true
}

rule "terraform_unused_declarations" {
  enabled = true
}

rule "terraform_deprecated_index" {
  enabled = true
}

rule "terraform_required_version" {
  enabled = true
}

rule "terraform_required_providers" {
  enabled = true
}
```
What it enforces
| Rule | Description |
|---|---|
| Naming conventions | Uses snake_case for all Terraform identifiers |
| Documentation | Requires descriptions for variables and outputs |
| Type safety | Requires explicit type declarations |
| Code quality | Detects unused declarations and deprecated syntax |
| Version pinning | Ensures Terraform and provider versions are specified |
| AWS validation | Validates AWS-specific resources via the AWS plugin |
Customization
- Edit `.tflint.hcl` to enable/disable rules or update plugin versions
- Run `tflint --init` to download updated plugins
- Run `make lint` to validate with the new configuration
See the TFLint reference for complete documentation.
Checkov configuration
The starter kit includes .checkov.yml at the repository root:
```yaml
---
framework: terraform
skip-check:
  # Example: Skip checks as needed
  # - CKV_AWS_18 # S3 access logging
  # - CKV_AWS_21 # S3 versioning
skip-path:
  - .terraform/
  - .git/
  - tests/
download-external-modules: true
```
Configuration options
| Option | Description |
|---|---|
| `framework` | Specifies terraform as the IaC framework |
| `skip-check` | List of specific check IDs to skip |
| `check` | Run only specific checks instead of all |
| `skip-path` | Exclude directories from scanning |
| `download-external-modules` | Scan external module sources |
Inline suppressions
Suppress checks for specific resources in your Terraform code:
```hcl
resource "aws_s3_bucket" "logs" {
  #checkov:skip=CKV_AWS_18:Access logging not required for log aggregation bucket
  bucket = "app-access-logs"
}
```
Always include a justification explaining why the check is skipped.
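As an added example (not part of the starter kit), a small Python check that enforces the justification rule above by scanning Terraform source for Checkov inline skip comments and reporting any whose justification is missing or too short; the sample file and the minimum-length threshold are assumptions.

```python
import re
from typing import List, Tuple

# Checkov's inline suppression comment has the form
#   #checkov:skip=<CHECK_ID>:<justification>
# Group 1 captures the check ID, optional group 2 the justification.
SKIP_RE = re.compile(r"#\s*checkov:skip=([A-Z0-9_]+)(?::(.*))?$")

MIN_JUSTIFICATION_CHARS = 15  # assumed threshold; tune for your team


def find_unjustified_skips(hcl_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, check_id, reason) for every skip comment that
    has no justification or whose justification is shorter than the threshold."""
    findings = []
    for lineno, line in enumerate(hcl_text.splitlines(), start=1):
        m = SKIP_RE.search(line.strip())
        if not m:
            continue
        check_id = m.group(1)
        justification = (m.group(2) or "").strip()
        if not justification:
            findings.append((lineno, check_id, "missing justification"))
        elif len(justification) < MIN_JUSTIFICATION_CHARS:
            findings.append((lineno, check_id, "justification too short"))
    return findings


# Constructed sample: one properly justified skip and two that would fail review.
SAMPLE_TF = """\
resource "aws_s3_bucket" "logs" {
  #checkov:skip=CKV_AWS_18:Access logging not required for log aggregation bucket
  bucket = "app-access-logs"
}

resource "aws_s3_bucket" "assets" {
  #checkov:skip=CKV_AWS_21
  # checkov:skip=CKV_AWS_18:todo
  bucket = "app-static-assets"
}
"""

if __name__ == "__main__":
    for lineno, check_id, reason in find_unjustified_skips(SAMPLE_TF):
        print(f"line {lineno}: {check_id}: {reason}")
```

Wiring this into `make security-scan` (or a pre-commit hook) makes an unjustified skip fail the same way a failed Checkov check does.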
Customization
- Edit `.checkov.yml` to skip checks or change the output format
- Run `make security-scan` to validate with the new configuration
See the Checkov reference for complete documentation.
Running validation
Full validation
Run all checks before committing:
```shell
make validate-full
```
This runs:
- Terraform format check
- Terraform validate
- TFLint
- Checkov
Individual tools
Run tools separately:
```shell
make lint           # TFLint only
make security-scan  # Checkov only
make format         # Format code
```
CI/CD integration
Both tools run automatically in GitHub Actions. Failed checks block the deployment pipeline, ensuring only validated and secure infrastructure reaches production.
See CI/CD Workflows for integration details.
Next steps
- TFLint Reference - Detailed rules and configuration
- Checkov Reference - Security checks and compliance
- Makefile Reference - All available commands
- CI/CD Workflows - Pipeline integration