Documentation

Policy Engine Docs

Everything you need to secure your Terraform infrastructure

Getting Started Core Concepts Advanced

Introduction

Policy Engine is a comprehensive Terraform security policy checker that helps you identify and fix security vulnerabilities in your Infrastructure-as-Code before deployment.

With 1200+ built-in security rules across 190+ Cloud resource types, Policy Engine helps your team maintain security best practices and compliance requirements automatically.

1200+ Rules
Built-in security checks
190+ Resources
Cloud resource types
Real-time
Instant analysis

Quick Start

Start checking your Terraform code for security vulnerabilities in 3 easy steps.

  1. 1
    Sign Up / Login
    Create a free account to save your results and access API features.
  2. 2
    Paste Your Terraform Code
    Navigate to the dashboard and paste your .tf configuration into the code editor.
  3. 3
    Review Results
    Instantly see detected violations grouped by severity — Critical, High, Medium, and Low.
No sign-up required for basic checks via the home page. Sign up to save results and get API access.

How It Works

Policy Engine analyzes your Terraform HCL configuration through a multi-stage pipeline:

1. Parsing

Your Terraform code is parsed into a structured representation of resource blocks, identifying each resource "type" "name" block and its attributes.

2. Rule Evaluation

Each resource is evaluated against all applicable rules in the Rule Registry. Rules are organized by resource type (e.g., aws_s3_bucket, aws_db_instance).

Terraform HCL # Example: This will trigger a violation resource "aws_s3_bucket" "my_bucket" { bucket = "my-data-bucket" acl = "public-read" # ← CRITICAL: Public access }

3. Violation Reporting

Any rule that a resource fails generates a violation with details including the resource name, rule violated, severity level, and a remediation recommendation.

4. Results & History

Results are displayed immediately and, for logged-in users, saved to your check history for tracking improvements over time.

Policy Rules

Policy Engine ships with built-in rules covering common AWS security misconfigurations.

Example Rules

Rule Resource Severity Description
check_public_access aws_s3_bucket CRITICAL S3 bucket must not have public ACL
check_encryption aws_s3_bucket HIGH S3 bucket must have server-side encryption enabled
check_public_db aws_db_instance CRITICAL RDS instance must not be publicly accessible
check_db_encryption aws_db_instance HIGH RDS storage must be encrypted
check_open_ssh aws_security_group CRITICAL Security group must not allow open SSH (port 22) from 0.0.0.0/0
check_mfa_delete aws_s3_bucket MEDIUM S3 bucket versioning should have MFA delete enabled

Severity Levels

Policy Engine uses a 4-tier severity system to help you prioritize remediation efforts:

CRITICAL

Immediate risk of data breach or security compromise. Fix before deployment.

HIGH

Significant vulnerability that should be addressed urgently.

MEDIUM

Should be addressed but poses moderate risk. Plan to fix soon.

LOW

Best practice recommendations. Informational, low immediate risk.

Supported Resource Types

Policy Engine currently supports 190+ Cloud Terraform resource types, including:

aws_s3_bucket
15+ rules
aws_db_instance
10+ rules
aws_instance
10+ rules
aws_security_group
6 rules
google_compute_instance
25 rules
google_storage_bucket
20 rules
azurerm_storage_account
10+ rules
azurerm_linux_virtual_machine
8+ rules
oci_core_instance
5+ rules

Custom Rules

Beyond the built-in rules, you can create custom rules tailored to your organization's requirements.

Form-Based Rules

Use the Rules Manager UI to create rules without writing code:

  1. 1
    Select a Resource Type (e.g., aws_s3_bucket)
  2. 2
    Choose a Condition (equals, not_equals, contains, etc.)
  3. 3
    Set the Field and expected Value
  4. 4
    Assign a Severity level and save

Code-Based Rules

For advanced scenarios, write rules as Python functions:

Python def check_resource(resource): """Ensure S3 buckets have versioning enabled.""" versioning = resource.get('versioning', {}) enabled = versioning.get('enabled', False) if not enabled: return 'S3 bucket versioning is not enabled' return None # None = passed
Return a string message to report a violation, or None to indicate the rule passed.

CI/CD Integration

Integrate Policy Engine into your CI/CD pipeline to automatically check Terraform code on every pull request.

GitHub Actions Example

YAML name: Terraform Security Check on: [push, pull_request] jobs: security-check: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Check Terraform Security run: | curl -X POST https://tfgaurd.com/api/check \ -H "Authorization: Bearer ${{ secrets.PE_API_KEY }}" \ -H "Content-Type: application/json" \ -d "{\"code\": \"$(cat main.tf | jq -Rs .)\"}"
Store your API key as a GitHub Secret and never commit it to your repository.

API Usage

Policy Engine provides a REST API for programmatic access. See the full API Reference for all endpoints.

Quick Example

cURL curl -X POST https://tfgaurd.com/api/check \ -H "Content-Type: application/json" \ -H "Authorization: Bearer YOUR_API_KEY" \ -d '{ "code": "resource \"aws_s3_bucket\" \"b\" { acl = \"public-read\" }", "filename": "main.tf" }'
Get your API key from your Profile page after logging in.

Next Steps

Ready to get started? Explore more resources:

API Reference Get Support Sign Up Free