Skip to content

The 30 Terraform Cloud security checks Black Cat runs

Black Cat SSPM evaluates 30 security policies against your Terraform Cloud configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

criticalOrganization 2FA Not Enforced

Enable mandatory two-factor authentication for all organization members

highOrganization SAML Not Enabled

Configure SAML SSO to enforce centralized identity provider authentication

mediumOrganization Session Timeout Too Long

Reduce the session timeout to 24 hours or less to limit exposure from abandoned sessions

highTeam Excessive Permissions

Reduce the number of broad organization-level permissions granted to the team

mediumTeam Workspace Admin Access

Downgrade the team's workspace access from admin to a least-privilege level such as write or read

lowTeam Secret Visibility

Change team visibility from secret to organization to improve governance transparency

highUser 2FA Not Enabled

Require the user to enable two-factor authentication or enforce 2FA at the organization level

lowUser Pending Invitation

Resend or revoke pending user invitations that have not been accepted

change management

highWorkspace Auto Apply Enabled

Disable auto-apply to require manual approval before infrastructure changes are applied

mediumWorkspace Destroy Plan Allowed

Disable destroy plan permission to prevent accidental infrastructure deletion

configuration

mediumOrganization Force Delete Allowed

Disable force-delete to prevent accidental or malicious removal of workspaces with resources

lowOrganization Default Execution Mode Local

Change the default execution mode to remote to enable centralized state management and audit logging

mediumWorkspace No VCS Connection

Connect the workspace to a VCS repository to enable GitOps workflows and change traceability

lowWorkspace Drift Detection Disabled

Enable drift detection to automatically detect infrastructure changes outside of Terraform

mediumWorkspace Outdated Terraform Version

Upgrade the workspace to use Terraform 1.5.0 or later to receive security fixes and new features

mediumVariable Set Priority Override

Disable priority override on the variable set to prevent silent overriding of workspace-level variables

data security

criticalWorkspace Global Remote State

Restrict remote state sharing to specific workspaces instead of all workspaces

infrastructure security

mediumAgent Pool Organization Scoped

Restrict the agent pool to specific workspaces rather than making it available organization-wide

mediumVCS Connection Organization Scoped

Restrict the VCS connection to specific workspaces to limit credential exposure

highRun Task No HMAC Key

Configure an HMAC key on the run task to authenticate requests from Terraform Cloud

mediumRun Task Advisory Enforcement

Change the run task enforcement level from advisory to mandatory to block non-compliant runs

mediumNotification No HMAC Token

Add an HMAC token to the generic webhook notification to verify the authenticity of incoming payloads

lowSSH Key Present

Review whether the SSH key is still in use and rotate or remove it if not required

policy enforcement

mediumSentinel Policy Advisory Only

Change the Sentinel policy enforcement level from advisory to hard-mandatory or soft-mandatory

highPolicy Set Overridable

Disable the overridable flag on the policy set to prevent workspace owners from bypassing policies

mediumPolicy Set Not Global

Expand the policy set to apply globally or ensure all workspaces are explicitly covered

mediumPolicy Set Empty

Add policies to the empty policy set or remove it if it is no longer needed

secrets management

criticalVariable Not Marked Sensitive

Mark variables with sensitive names as sensitive to prevent plaintext exposure in logs and UI

mediumVariable Set Global Scope

Restrict the variable set scope to specific workspaces rather than the entire organization

criticalVariable Plaintext Credentials

Immediately rotate the exposed credential and re-create the variable as sensitive

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial