
Security

Terraform/HCL misconfiguration scanner API

Scans the Terraform/HCL text provided in the request for tfsec/checkov-style misconfigurations: security groups open to 0.0.0.0/0 or ::/0, public S3 ACLs, storage with encrypted = false, RDS with publicly_accessible = true, IAM policies with '*' actions or resources, hardcoded secrets, disabled S3 versioning, CloudTrail log-file validation off, and IMDSv1 (http_tokens = optional). Returns each finding with severity, line, snippet and remediation, plus a 0-100 score. Answers questions such as 'Does this Terraform open SSH to the world?' and 'Is my S3 bucket public in IaC?'.

Price: $0.01 per request
Method: POST
Route: /v1/security/terraform
Status: Live
MIME type: application/json
Rate limit: 120/minute
Cache: No cache
Tags: security, terraform, iac, hcl, tfsec, aws, misconfig, scoring
API URL: https://x402.hexl.dev/v1/security/terraform
Example request
{
  "hcl": "resource \"aws_security_group\" \"web\" {\n  ingress {\n    from_port = 22\n    to_port = 22\n    cidr_blocks = [\"0.0.0.0/0\"]\n  }\n}\nresource \"aws_db_instance\" \"db\" {\n  publicly_accessible = true\n}"
}
Example response
{
  "score": 40,
  "findingsCount": 2,
  "criticalFindings": 2,
  "rulesChecked": 11,
  "findings": [
    {
      "id": "tf-sg-open-world",
      "severity": "critical",
      "title": "Security group/ingress open to 0.0.0.0/0",
      "remediation": "Restrict cidr_blocks to known source ranges; avoid 0.0.0.0/0 on ingress.",
      "line": 5,
      "snippet": "cidr_blocks = [\"0.0.0.0/0\"]"
    },
    {
      "id": "tf-rds-public",
      "severity": "critical",
      "title": "RDS/instance publicly_accessible = true",
      "remediation": "Set publicly_accessible = false and place the DB in a private subnet.",
      "line": 9,
      "snippet": "publicly_accessible = true"
    }
  ]
}
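How checks of this kind produce the response above, as an added example that is not the service's own code: a line-oriented Python scanner for four of the catalogued rules (open ingress, public RDS, unencrypted storage, IMDSv1) that tracks the enclosing HCL blocks, so an egress rule open to the world is not reported as an ingress finding. The rule regexes, block tracking and severity weights are assumptions; run on the example request above it yields the same two findings, line numbers and score of 40.

```python
import re

# Rule table (an assumption about how tfsec/checkov-style checks could be expressed,
# not the service's own code): id, severity, title, per-line regex,
# HCL block the match must be inside (None = anywhere), remediation.
RULES = [
    ("tf-sg-open-world", "critical", "Security group/ingress open to 0.0.0.0/0",
     re.compile(r'cidr_blocks\s*=\s*\[[^\]]*"(0\.0\.0\.0/0|::/0)"'), "ingress",
     "Restrict cidr_blocks to known source ranges; avoid 0.0.0.0/0 on ingress."),
    ("tf-rds-public", "critical", "RDS/instance publicly_accessible = true",
     re.compile(r'\bpublicly_accessible\s*=\s*true\b'), None,
     "Set publicly_accessible = false and place the DB in a private subnet."),
    ("tf-storage-unencrypted", "high", "Storage with encrypted = false",
     re.compile(r'\bencrypted\s*=\s*false\b'), None,
     "Set encrypted = true so volumes and database storage are encrypted at rest."),
    ("tf-imdsv1", "high", "IMDSv1 allowed (http_tokens = optional)",
     re.compile(r'\bhttp_tokens\s*=\s*"optional"'), "metadata_options",
     'Set http_tokens = "required" to enforce IMDSv2.'),
]
# Assumed severity weights; 100 - 2*30 reproduces the catalogued example score of 40.
WEIGHT = {"critical": 30, "high": 15}
BLOCK_OPEN = re.compile(r'^\s*([A-Za-z_]\w*)\b.*\{\s*$')  # "ingress {", "resource ... {"

def scan_hcl(hcl: str) -> dict:
    """Line-oriented scan returning the same shape as the catalogued response."""
    findings, stack = [], []  # stack = keywords of the enclosing HCL blocks
    for lineno, raw in enumerate(hcl.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()  # ignore HCL line comments
        for rule_id, severity, title, pattern, in_block, fix in RULES:
            if pattern.search(line) and (in_block is None or in_block in stack):
                findings.append({"id": rule_id, "severity": severity, "title": title,
                                 "remediation": fix, "line": lineno, "snippet": line.strip()})
        opened = BLOCK_OPEN.match(line)
        if opened:
            stack.append(opened.group(1))
        elif line.strip().startswith("}") and stack:
            stack.pop()
    score = max(0, 100 - sum(WEIGHT[f["severity"]] for f in findings))
    return {"score": score, "findingsCount": len(findings),
            "criticalFindings": sum(f["severity"] == "critical" for f in findings),
            "rulesChecked": len(RULES), "findings": findings}

# Constructed input: the catalogued example request, verbatim.
SAMPLE_HCL = ('resource "aws_security_group" "web" {\n  ingress {\n    from_port = 22\n'
              '    to_port = 22\n    cidr_blocks = ["0.0.0.0/0"]\n  }\n}\n'
              'resource "aws_db_instance" "db" {\n  publicly_accessible = true\n}')

if __name__ == "__main__":
    print(scan_hcl(SAMPLE_HCL))
```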
Input schema
{
  "type": "object",
  "required": [
    "hcl"
  ],
  "properties": {
    "hcl": {
      "type": "string",
      "minLength": 1,
      "description": "Raw Terraform/HCL text.",
      "examples": [
        "resource \"aws_security_group\" \"web\" {\n  ingress {\n    from_port = 22\n    to_port = 22\n    cidr_blocks = [\"0.0.0.0/0\"]\n  }\n}\nresource \"aws_db_instance\" \"db\" {\n  publicly_accessible = true\n}"
      ]
    }
  }
}
Output schema
{
  "type": "object",
  "additionalProperties": true
}