tfsec Interview Guide

🟢 Easy (Basics)

1. tfsec?
Open-source static analysis scanner for Terraform (HCL) from Aqua Security; finds misconfigurations in code before plan/apply, no cloud credentials needed. Now folded into Trivy (`trivy config`).
2. Run?
`tfsec .` scans the working tree, modules included; `--format json|sarif|junit` and `--out <file>` for machine-readable output; exit code is non-zero when findings exist, `--soft-fail` reports without failing.
3. Ignore?
Inline `#tfsec:ignore:<rule-id>` on, or directly above, the offending line; add `:exp:YYYY-MM-DD` so the ignore expires and `:ws:<workspace>` to scope it; put the reason in a trailing comment; `--include-ignored` keeps suppressed findings visible in reports.
4. Baseline?
tfsec has no built-in baseline: export JSON from the main branch, key each finding by rule + file + resource (not line number), fail a PR only on keys absent from the baseline, and shrink the baseline as findings are fixed.
5. CI?
Run in the pipeline with `--minimum-severity HIGH` (and `--exclude` for accepted rules) so the build breaks only on what matters; emit SARIF and upload it (e.g. to GitHub code scanning) for inline PR annotations.
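The baseline-and-gate flow from questions 4 and 5, as an added example written for this guide (not tfsec's own tooling; tfsec has no baseline feature). It assumes the field names of `tfsec --format json` output shown in the docstring, which you should confirm against the tfsec version you run; the two embedded reports are constructed sample data, not real scanner output.

```python
"""Baseline gate for tfsec: fail CI only on findings that are new since the baseline.

Added example, not tfsec's own tooling (tfsec has no baseline feature).
Assumed shape of `tfsec --format json` output: {"results": [{"long_id", "severity",
"resource", "location": {"filename", "start_line"}}]}; confirm the field names
against the tfsec version you run.
"""
import json
import os
import sys
from typing import Dict, List, Tuple

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# A finding is keyed by rule, file and resource address, deliberately not by
# line number: an unrelated edit above the resource would otherwise turn
# every baselined finding into a "new" one.
Key = Tuple[str, str, str]


def finding_key(result: dict, root: str) -> Key:
    """Stable identity for one result; absolute paths are made relative to root."""
    filename = result["location"]["filename"]
    if os.path.isabs(filename):
        filename = os.path.relpath(filename, root)
    return (result["long_id"], filename.replace(os.sep, "/"), result["resource"])


def index(report: dict, root: str) -> Dict[Key, dict]:
    # "results" is null, not [], in tfsec's JSON when nothing was found
    return {finding_key(r, root): r for r in report.get("results") or []}


def new_findings(baseline: dict, current: dict, root: str,
                 min_severity: str = "HIGH") -> List[dict]:
    """Current findings absent from the baseline and at or above min_severity."""
    known = index(baseline, root)
    threshold = SEVERITY_RANK[min_severity.upper()]
    return [r for key, r in index(current, root).items()
            if key not in known
            and SEVERITY_RANK.get(r["severity"].upper(), 0) >= threshold]


def fixed_findings(baseline: dict, current: dict, root: str) -> List[Key]:
    """Baseline entries that no longer fire; prune them so the baseline only shrinks."""
    still_present = index(current, root)
    return [key for key in index(baseline, root) if key not in still_present]


def gate(baseline: dict, current: dict, root: str, min_severity: str = "HIGH") -> int:
    """CI exit status: 1 if any new finding meets the threshold, else 0."""
    fresh = new_findings(baseline, current, root, min_severity)
    for r in fresh:
        loc = r["location"]
        print(f"NEW   {r['severity']:8} {r['long_id']} {r['resource']} "
              f"({loc['filename']}:{loc['start_line']})")
    for rule, path, resource in fixed_findings(baseline, current, root):
        print(f"FIXED {rule} {resource} ({path}) - drop it from the baseline")
    return 1 if fresh else 0


# Constructed sample reports (not real tfsec output) so the script runs stand-alone.
BASELINE = {"results": [
    {"long_id": "aws-s3-enable-bucket-logging", "severity": "MEDIUM",
     "resource": "aws_s3_bucket.logs",
     "location": {"filename": "/repo/modules/s3/main.tf", "start_line": 3}},
    {"long_id": "aws-ec2-no-public-ingress-sgr", "severity": "CRITICAL",
     "resource": "aws_security_group_rule.ssh",
     "location": {"filename": "/repo/main.tf", "start_line": 40}},
]}
CURRENT = {"results": [
    # same logging finding as the baseline, but the file was edited so it moved
    {"long_id": "aws-s3-enable-bucket-logging", "severity": "MEDIUM",
     "resource": "aws_s3_bucket.logs",
     "location": {"filename": "/repo/modules/s3/main.tf", "start_line": 9}},
    # new HIGH finding: this must fail the build
    {"long_id": "aws-s3-enable-bucket-encryption", "severity": "HIGH",
     "resource": "aws_s3_bucket.logs",
     "location": {"filename": "/repo/modules/s3/main.tf", "start_line": 9}},
    # new LOW finding: below the HIGH threshold, so it does not block
    {"long_id": "aws-s3-specify-public-access-block", "severity": "LOW",
     "resource": "aws_s3_bucket.assets",
     "location": {"filename": "/repo/main.tf", "start_line": 12}},
]}

if __name__ == "__main__":
    if len(sys.argv) == 4:  # gate.py baseline.json current.json /path/to/repo
        with open(sys.argv[1]) as b, open(sys.argv[2]) as c:
            sys.exit(gate(json.load(b), json.load(c), sys.argv[3]))
    sys.exit(gate(BASELINE, CURRENT, "/repo"))
```

In a pipeline: `tfsec . --format json --out current.json` on the PR, `gate.py baseline.json current.json "$PWD"` as the blocking step, and a periodic job that rewrites `baseline.json` from main so it only ever shrinks. Keying on rule + file + resource is what makes the baseline survive refactors; keying on line numbers turns every unrelated edit into a flood of "new" findings.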

🟡 Medium (Hands‑on)

1. Config?
`.tfsec/config.yml` (or `--config-file`) checked into the repo: `exclude`/`include` rule lists, `minimum_severity`, per-rule `severity_overrides`; one file so every developer run and CI run applies the same policy.
2. Modules?
External modules are downloaded and scanned by default; run `terraform init` first so the `.terraform/modules` cache is reused, `--no-module-downloads` to skip them, `--exclude-downloaded-modules` to report only your own code.
3. Custom rules?
Declarative YAML/JSON checks in `.tfsec/*_tfchecks.yaml` (required resource type plus a `matchSpec` on an attribute), or Rego policies via `--rego-policy-dir` for logic the declarative format cannot express.
4. Shift left?
Pre-commit hook (pre-commit-terraform ships a `terraform_tfsec` hook) and the VS Code extension, so findings surface before a PR exists.
5. Metrics?
`--run-statistics` for per-rule counts and JSON/SARIF output per run; ship them to BI/SIEM to trend findings per repo, severity and rule over time.
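A custom check in the declarative format from question 3, written as an added example for this guide rather than taken from the tfsec project. The check code `CUS001`, the tagging policy and the URL are placeholders; the keys (`requiredTypes`, `requiredLabels`, `matchSpec`, `severity`) are tfsec's custom-check schema.

```yaml
# .tfsec/custom_tfchecks.yaml - tfsec loads every *_tfchecks.yaml (or .json) under .tfsec/
---
checks:
  - code: CUS001                      # placeholder ID; reported like a built-in rule
    description: Every EC2 instance must carry a CostCentre tag
    impact: Untagged instances cannot be attributed to a team or budget
    resolution: Add a CostCentre tag to the instance
    requiredTypes:
      - resource                      # block type the check applies to
    requiredLabels:
      - aws_instance                  # resource type(s) the check applies to
    severity: HIGH
    matchSpec:
      name: tags                      # attribute to inspect
      action: contains                # other actions include isPresent, equals, regexMatches
      value: CostCentre
    errorMessage: The required CostCentre tag is missing
    relatedLinks:
      - https://wiki.example.internal/standards/tagging   # placeholder URL
```

Commit the file next to `config.yml` so the org rule runs everywhere the built-ins do; a `#tfsec:ignore:CUS001` suppresses it exactly like any other rule, which is why the same justification-and-expiry policy must apply to custom check IDs.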

🔴 Hard (Advanced)

1. Org rollout?
Start advisory (`--soft-fail`, results visible, nothing blocks); agree the rule set and severity threshold in a shared config; then enforce on new code with the legacy estate baselined; publish the standard and the exception process together.
2. Reduce bypasses?
Every ignore needs a rule ID, an `:exp:` date and a written reason; lint for missing ones in CI; review ignores like code; run reports with `--include-ignored` so suppressions never disappear from view.
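A CI linter for the ignore policy above, added here as an example and not part of tfsec. The ignore syntax it parses is tfsec's own (`#tfsec:ignore:<rule>[:exp:YYYY-MM-DD][:ws:<workspace>]`, `//` also accepted); the requirement that a free-text justification follow the ignore on the same line, and the `MAX_DAYS` and `MIN_REASON_CHARS` limits, are assumed org policy that tfsec itself does not enforce. The embedded Terraform snippet is constructed sample input covering each failure mode.

```python
"""Lint tfsec ignore comments: every ignore must carry an expiry and a written reason.

Added example, not part of tfsec. The ignore syntax is tfsec's own; the
same-line justification rule and the MAX_DAYS / MIN_REASON_CHARS limits are
assumed org policy that tfsec does not enforce.
"""
import re
import sys
from datetime import date, datetime
from pathlib import Path
from typing import List, Optional

MAX_DAYS = 180          # assumed policy: no ignore may be parked longer than this
MIN_REASON_CHARS = 10   # assumed policy: "todo" is not a justification

# one ignore token; several may sit on a single line
IGNORE_RE = re.compile(
    r"(?:#|//)\s*tfsec:ignore:(?P<rule>[A-Za-z0-9_-]+)"
    r"(?P<opts>(?::(?:exp|ws):[^\s:#]+)*)"
)


def _expiry(opts: str) -> Optional[date]:
    """Parse the :exp: date out of an ignore's options; None if absent or malformed."""
    m = re.search(r":exp:([^:]+)", opts)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%Y-%m-%d").date()
    except ValueError:
        return None


def lint_ignores(text: str, today: date) -> List[str]:
    """One message per violation, formatted 'line N: <detail>'."""
    problems: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matches = list(IGNORE_RE.finditer(line))
        if not matches:
            continue
        for m in matches:
            rule, exp = m.group("rule"), _expiry(m.group("opts"))
            if exp is None:
                problems.append(f"line {lineno}: {rule} missing or malformed :exp: date")
            elif exp < today:
                problems.append(f"line {lineno}: {rule} expired {exp.isoformat()}")
            elif (exp - today).days > MAX_DAYS:
                problems.append(f"line {lineno}: {rule} expiry more than {MAX_DAYS} days out")
        # the justification is whatever follows the last ignore token on the line
        reason = line[matches[-1].end():].strip().lstrip("#/").strip()
        if len(reason) < MIN_REASON_CHARS:
            problems.append(f"line {lineno}: missing justification after ignore")
    return problems


def lint_tree(root: Path, today: Optional[date] = None) -> List[str]:
    """Lint every *.tf under root; messages are prefixed with the file path."""
    today = today or date.today()
    out: List[str] = []
    for tf in sorted(root.rglob("*.tf")):
        if ".terraform" in tf.parts:      # skip downloaded modules
            continue
        out += [f"{tf}: {msg}" for msg in lint_ignores(tf.read_text(), today)]
    return out


# Constructed sample (not real project code) covering each failure mode.
SAMPLE_TF = """\
resource "aws_s3_bucket" "logs" {
  bucket = "acme-logs"
  #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2025-06-30 # this is the logging target itself, SEC-412
}

resource "aws_security_group_rule" "ssh" {
  type        = "ingress"
  cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-ec2-no-public-ingress-sgr
}

resource "aws_s3_bucket" "assets" {
  #tfsec:ignore:aws-s3-enable-versioning:exp:2023-01-01 # static site, versioning unnecessary
  bucket = "acme-assets"
}

resource "aws_instance" "web" {
  #tfsec:ignore:aws-ec2-enable-at-rest-encryption:exp:2030-01-01:ws:dev # dev workspace only, SEC-500
  ami = "ami-123456"
}
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:                 # lint_ignores.py path/to/repo
        problems = lint_tree(Path(sys.argv[1]))
    else:                                 # no path: lint the built-in sample
        problems = lint_ignores(SAMPLE_TF, date(2025, 3, 1))
    print("\n".join(problems) or "all ignores carry an expiry and a reason")
    sys.exit(1 if problems else 0)
```

Run it as a pre-commit hook or a CI step alongside tfsec itself: tfsec honours an expired `:exp:` ignore by reporting the finding again, but it says nothing about ignores with no expiry at all or with no reason, which is the gap this check closes.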

🧪 Scenario Questions & Answers

1. Legacy sprawl.
Baseline the existing findings, then burn them down: rank by severity and exposure (public ingress, unencrypted data stores first), fix module by module, and let the baseline only shrink.
2. Developers ignore.
Pair the gate with enablement: secure module templates, a worked fix next to each rule, PR annotations that explain the finding; enforce once the fix is easier than the bypass.
3. Need audit trail.
Keep the SARIF/JSON from every run tagged with commit SHA and tfsec version; sign or hash the artifacts so they cannot be altered after the fact; retain for the compliance window and include ignored findings in what you store.

Generated for quick interview revision — basics, hands-on, advanced, and scenarios.