Public beta · AWS + Terraform · context-aware

The AWS Terraform security scanner that knows when not to flag.

Every IaC scanner flags a hundred things and the team mutes the bot within a week. audytx reasons across how your resources actually fit together, suppresses the false positives — and shows you why it dismissed each one, right in the PR.

60-second install · no source upload · free for every team · also an MCP server for agents
audytxbot scanned 23 resources · aws-terraform · now
crit · aws_security_group.web · all ports open to 0.0.0.0/0
crit · aws_iam_role.app · admin policy → privilege-escalation path
high · aws_db_instance.main · storage not encrypted
🧠 audytx reasoned about 4 findings and suppressed them
· aws_lambda_function.api — DLQ not needed: sync-invoked via API Gateway
· aws_sqs_queue.jobs_dlq — is itself a dead-letter queue; DLQs don't need DLQs
· aws_dynamodb_table.sessions — PITR skipped: TTL set ⇒ intentionally ephemeral
247 rules · 17 cross-resource axes · SARIF uploaded to Code Scanning · engine v0.14.8
100% of 31 IAM privesc paths detected — tied with Checkov (KICS 3%, Trivy 0%)
36× fewer false positives than Checkov on 21 clean modules
247 rules across 17 cross-resource reasoning axes
0 setup: no CI step, no source upload — a GitHub App
Numbers are reproducible: see the methodology + raw data, or live engine stats at /status.
Same Terraform PR · two scanners

What a single-resource scanner posts

× aws_lambda_function.api · Lambda DLQ missing
× aws_sqs_queue.jobs_dlq · Queue has no DLQ
× aws_dynamodb_table.sessions · PITR not enabled
× aws_lb.internal_admin · Deletion protection off
+ real findings, mixed in with the noise
Every Lambda flagged for a missing DLQ — even the one nothing async invokes. A DLQ flagged for not having its own DLQ. 4 demonstrable false positives your team explains at standup.

What audytx posts

aws_lambda_function.api · Reasoned away — sync via API GW
aws_sqs_queue.jobs_dlq · Reasoned away — it IS the DLQ
aws_dynamodb_table.sessions · Reasoned away — TTL ⇒ ephemeral
aws_lb.internal_admin · Reasoned away — internal-only LB
+ live findings: only the ones that matter
The loudest findings dismissed with stated reasons, in a collapsible block on the PR. Your team sees the reasoning — not silence, and not noise.
⌘ MCP-native · for AI coding agents

The agent that writes your Terraform can check it.

AI writes .tf in seconds — and opens a verification gap nobody reviews. audytx is also a stateless MCP server: the same engine the GitHub App runs, callable by Claude Code, Cursor, and friends before the PR exists. The agent that generated the config gets the findings — and the sound, line-anchored fixes — at agent speed.

claude mcp add --transport http \
  audytx https://audytx.com/mcp
scan_terraform — findings with file/line, severity, fixes, and the context-suppressed false positives (each with its rationale).
autofix_terraform — applies only sound, precisely-anchored fixes, re-scans, loops until clean. Never a corrupting edit.
  • No CI, no token, no install — point your agent at the endpoint.
  • Same reasoning as the PR path — cross-resource context, not single-file pattern matching.
  • Optional plan input — hand it terraform plan JSON to resolve values behind variables, count, and module internals.
  • Closes the verification gap where AI-generated infra hides risk.

Why developers leave it on

The scanner stays trusted because every dismissal carries its rationale.

🧠 Visible reasoning

Shows its work, not just its verdicts

Every suppressed finding appears in the PR comment with the axis that drove it — "sync Lambda invoker", "DLQ identity", "data lifetime", "IMDSv2 inherited". You audit the engine's calls without reading its source.

↻ Context, not just rules

Reasons across your resources

A DLQ doesn't need a DLQ. A sync Lambda needs no async error path. A TTL'd table is intentionally ephemeral. 17 reasoning axes decide which of the 247 rules actually apply to your graph.
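The cross-resource suppression described here and in the PR comparison above, as an added Python illustration (not audytx's engine): a single-resource trigger fires first, then a context axis looks at neighbouring resources and either supplies a stated suppression reason or leaves the finding live. The resource model, rule ids and axis functions are assumptions over a constructed sample graph, which adds a hypothetical EventBridge-invoked Lambda so that one DLQ finding stays live.

```python
# Added illustration of cross-resource suppression; not audytx's engine. The resource
# model, rule ids and axis functions are assumptions; the graph is a constructed sample.
GRAPH = {
    "aws_lambda_function.api":     {"type": "aws_lambda_function", "dlq": None},
    "aws_lambda_function.nightly": {"type": "aws_lambda_function", "dlq": None},  # hypothetical
    "aws_apigatewayv2_integration.api":    {"type": "aws_apigatewayv2_integration",
                                            "target": "aws_lambda_function.api"},
    "aws_cloudwatch_event_target.nightly": {"type": "aws_cloudwatch_event_target",
                                            "target": "aws_lambda_function.nightly"},
    "aws_sqs_queue.jobs":     {"type": "aws_sqs_queue", "redrive_to": "aws_sqs_queue.jobs_dlq"},
    "aws_sqs_queue.jobs_dlq": {"type": "aws_sqs_queue", "redrive_to": None},
    "aws_dynamodb_table.sessions": {"type": "aws_dynamodb_table", "pitr": False, "ttl": True},
    "aws_lb.internal_admin":  {"type": "aws_lb", "deletion_protection": False, "internal": True},
}
SYNC_INVOKERS = {"aws_apigatewayv2_integration"}  # EventBridge targets invoke asynchronously

def sync_invoker(addr, g):
    # Axis "sync Lambda invoker": suppress only when every invoker is synchronous.
    invs = [a for a, r in g.items() if r.get("target") == addr]
    if invs and all(g[a]["type"] in SYNC_INVOKERS for a in invs):
        return f"sync-invoked via {invs[0]}"
    return None

def dlq_identity(addr, g):
    # Axis "DLQ identity": a queue that is another queue's redrive target is itself a DLQ.
    return "it is itself a dead-letter queue" if any(
        r.get("redrive_to") == addr for r in g.values()) else None

# (rule id, resource type, single-resource trigger, context axis -> reason or None)
RULES = [
    ("LAMBDA_DLQ_MISSING", "aws_lambda_function", lambda r: r["dlq"] is None, sync_invoker),
    ("SQS_NO_DLQ", "aws_sqs_queue", lambda r: r["redrive_to"] is None, dlq_identity),
    ("DDB_PITR_DISABLED", "aws_dynamodb_table", lambda r: not r["pitr"],
     lambda a, g: "TTL set => intentionally ephemeral" if g[a]["ttl"] else None),  # data lifetime
    ("LB_DELETION_PROTECTION_OFF", "aws_lb", lambda r: not r["deletion_protection"],
     lambda a, g: "internal-only LB" if g[a]["internal"] else None),
]

def scan(g):
    """Return (live, suppressed); each entry is (rule id, address, reason)."""
    live, suppressed = [], []
    for addr, res in g.items():
        for rule_id, rtype, triggers, axis in RULES:
            if res["type"] == rtype and triggers(res):
                reason = axis(addr, g)
                (suppressed if reason else live).append((rule_id, addr, reason))
    return live, suppressed

if __name__ == "__main__":
    for label, items in zip(("live", "suppressed"), scan(GRAPH)):
        print(label, *items, sep="\n  ")
```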

🛡 IAM that thinks in paths

Effective-permission attack paths

An effective-permission engine expands wildcard actions and walks AssumeRole / PassRole chains — finding privilege-escalation paths by reachability, not by a hand-written pattern. Detects all 31 paths on iam-vulnerable — tied with Checkov, the only other tool that does (KICS 3%, Trivy 0%).
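A reachability check of the kind described, as an added Python illustration (not audytx's IAM engine): wildcard actions are expanded against a small catalog into effective permissions, then a breadth-first search walks sts:AssumeRole edges (only where the target's trust policy names the caller) and iam:PassRole edges (only where the caller also holds a service action that runs code as the passed role and the role trusts that service) until it reaches a role holding an admin-granting action. The catalog, sink set, consumer mapping and the three roles are constructed assumptions.

```python
import fnmatch
from collections import deque

# Added illustration of reachability-based privesc detection; not audytx's IAM engine.
# The catalog, sink set, consumer mapping and principals are constructed assumptions.
CATALOG = ["iam:PassRole", "iam:PutRolePolicy", "iam:AttachRolePolicy", "iam:CreateUser",
           "sts:AssumeRole", "lambda:CreateFunction", "s3:GetObject"]
ADMIN_GRANTING = {"iam:PutRolePolicy", "iam:AttachRolePolicy", "iam:CreateUser"}  # sinks
PASS_CONSUMERS = {"lambda:CreateFunction": "lambda.amazonaws.com"}  # action -> service it runs as

# Each role: allowed (action pattern, resource) pairs and the principals its trust policy names.
PRINCIPALS = {
    "aws_iam_role.app":    {"allow": [("lambda:*", "*"), ("iam:PassRole", "aws_iam_role.deploy")],
                            "trusted_by": set()},
    "aws_iam_role.deploy": {"allow": [("sts:AssumeRole", "aws_iam_role.ci")],
                            "trusted_by": {"lambda.amazonaws.com"}},
    "aws_iam_role.ci":     {"allow": [("iam:*", "*")], "trusted_by": {"aws_iam_role.deploy"}},
}

def effective(principal):
    """Expand wildcard actions against the catalog (IAM action matching is case-insensitive)."""
    return {(action, resource)
            for pattern, resource in PRINCIPALS[principal]["allow"]
            for action in CATALOG if fnmatch.fnmatchcase(action.lower(), pattern.lower())}

def allows(perms, action, resource):
    return any(a == action and r in ("*", resource) for a, r in perms)

def edges(principal):
    """Roles this principal can become: AssumeRole (when trusted) or PassRole to a trusted service."""
    perms = effective(principal)
    services = {svc for act, svc in PASS_CONSUMERS.items() if allows(perms, act, "*")}
    for role, spec in PRINCIPALS.items():
        if allows(perms, "sts:AssumeRole", role) and principal in spec["trusted_by"]:
            yield role, "sts:AssumeRole"
        elif allows(perms, "iam:PassRole", role) and services & spec["trusted_by"]:
            yield role, "iam:PassRole"

def privesc_path(start):
    """BFS from start; return [(role, edge), ...] ending at the first admin-granting role, else None."""
    queue, seen = deque([[(start, None)]]), {start}
    while queue:
        path = queue.popleft()
        here = path[-1][0]
        if here != start and any(allows(effective(here), a, "*") for a in ADMIN_GRANTING):
            return path
        for nxt, via in edges(here):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [(nxt, via)])
    return None
```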

What's in the engine today

247 rules loaded
17 reasoning axes
3 surfaces: PR · SARIF · MCP
Lowest FP rate of 5 tools

How it works

01 · Install on GitHub

Click install, pick the repo. Read-only on Contents, write on Pull Requests (to post the comment). No CI step, no build webhook, no agent to run.

02 · Open a PR

audytx fetches the whole-repo .tf tree via the GitHub API, runs the engine in a Cloudflare Worker at the edge, and posts one comment — reasoning block and all.

03 · Or call it from your agent

Point Claude Code / Cursor at /mcp and scan or autofix Terraform before the PR exists — same engine, same reasoning, no setup.

Free. The whole engine.

No credit card, no seats, no "contact sales," no feature gates. Every rule, every axis, the MCP server, and the autofix loop — on public and private repos — at $0 while audytx is in public beta.

$0 · Everything below, on every repository. Install in ~60 seconds — there's no plan to choose.
✓  All 247 rules across 17 cross-resource reasoning axes
✓  Visible reasoning — every suppression shown with its rationale, never silently dropped
✓  IAM v2 attack-path engine — effective permissions by graph search, privilege-escalation + role-chaining
✓  MCP server: scan_terraform + autofix_terraform for your coding agent
✓  Plan-enhanced scans — feed a terraform plan for resolved-value precision
✓  One-click fixes on the PR + the sound autofix loop over MCP
✓  SARIF → Code Scanning — findings land in GitHub's Security tab
✓  Baseline suppressions with expiry, authored in your repo
✓  Cost opportunities surfaced in the same PR comment
✓  Unlimited repositories & PRs — public and private, no per-seat math

Why free? This is a depth-first public beta — the goal is the best AWS-Terraform review there is, not a pricing page. If a team-governance layer ships later (merge gates, org-wide baselines, compliance export), it'll be additive. The review you see here stays free.


Stop ignoring your scanner.

Install audytx on one repo. Open the next PR. Watch the reasoning block.

Install on GitHub →