SonarCloud can scan Terraform and CloudFormation files + cfn-lint support

Hello Terraform, CloudFormation developers,

IaC Engine

Today, we are happy to announce that SonarCloud can start helping you deploying safer infrastructures.
This is just the beginning of the journey with the first set of 10 rules targeting mainly AWS S3 buckets.

Security Hotspot Detections:

  • Allowing public ACLs or policies on a S3 bucket is security-sensitive
  • Authorizing HTTP communications with S3 buckets is security-sensitive
  • Disabling S3 server access logging is security-sensitive
  • Disabling server-side encryption of S3 buckets is security-sensitive
  • Granting access to S3 buckets to all or authenticated users is security-sensitive
  • Having policies granting anonymous access to S3 buckets is security-sensitive
  • Unversioned or suspended versioned S3 bucket is security-sensitive

Code Smell Detections:

  • “Log Groups” should be configured with a retention policy
  • “Log Groups” should be declared explicitly
  • AWS tag keys should comply with a naming convention

In order to enable this feature, you need to turn on the corresponding property in the Administration section of your project and run again your scan. Here is the property for CloudFormation (the same exists for Terraform):

AWS CloudFormation Linter Support

In addition to these rules, you can also load your cfn-lint issues into SonarCloud (JSON format) using this property:


More than ever because this is the first release our IaC Engine, we are waiting for your feedback.



Does this feature supports checking Terraform code against Azure?

@Raghu_Vamsi For the moment, the support of Terraform is limited to AWS and the 10 rules I mentioned. Definitely we want to add more rules for AWS and then start to look at Azure and GCP.


Can this plugin be installed in Sonarqube community as well ?

Do you have a link to the plugin ?

Best regards


The IaC Analyzer is not compatible yet with SonarQube but it’s part of 9.x roadmap to bring such features to SonarQube users.


1 Like

Update: if everything goes well, the IaC Analyzer will be embedded with SonarQube Community Edition 9.2


Is it possible to add custom rules? I don’t see it listed in the 9.2 documentation at Adding Coding Rules | SonarQube Docs

This is not yet possible to add custom rules. Still, you can contribute to the project by suggesting rule ideas.

Hello @Raghu_Vamsi,

We are currently working on Terraform Code Scanning for Azure resources; our work will be released soon! :grinning:

A post was split to a new topic: Custom rules for IaC?

Does this work when the Terraform is calling provider modules within the terraform code? If not, is this on the roadmap as Terraform Modules are best practice fo repetitive infrastructure.

1 Like