Cloud-native security startup Aqua Security Software Ltd. has spent some of the money it raised earlier this year to acquire an open-source scanning tool called tfsec.

The company said that with today’s acquisition, it will immediately integrate tfsec and its “infrastructure as code” or IaC security scanning capability with its Aqua Trivy product. It will integrate tfsec with additional products later this year too. Meanwhile, tfsec’s co-founders Liam Galvin and Owen Rumney have joined Aqua as cloud engineers.

Aqua Security has attracted a lot of attention recently after joining the unicorn club following a $135 million Series E round of funding in March that took its value to more than $1 billion. As its name suggests, the company sells a comprehensive suite of security tools that are designed to help protect cloud-native, containerized and serverless applications from threats such as malware and hackers. The Aqua Platform is a collection of tools that help to automate and improve the security and compliance posture of cloud apps, monitor how they’re being used, and control who can access them.

Many of Aqua’s security tools are based on open-source software. Aqua Trivy, for instance, is based on the open-source Trivy vulnerability scanner, with the company throwing in a few premium features in the paid offering.

The open-source tfsec is a static analysis security scanner for Terraform code, which is used by some developers to express IaC in a simple, human-readable language called the HashiCorp Configuration Language. The Terraform tool reads configuration files and provides an execution plan of changes that can then be reviewed for safety and applied and provisioned.

Aqua explained it has acquired the intellectual property and rights related to the project from the team that built it, in addition to hiring its co-founders.

Aqua Security co-founder and Chief Technology Officer Amir Jerbi said tfsec is widely known as the leading tool Terraform code scanning. “We’re thrilled to bring its capabilities and intelligence under Aqua’s open source and commercial umbrella,” he added.

IaC security scanning helps developers to secure their infrastructure configurations before deploying applications onto it. By integrating tfsec with Trivy, users will be able to combine the latter’s speed with the former’s enhanced coverage, Aqua explained.

“With its run anywhere design, tfsec provides a download and run scanning solution that is fast, accurate, and flexible,” the company added. “The unique approach tfsec takes to loading your code ensures that your IaC is interpreted exactly as Terraform does; meaning that regardless of complexity, you get the best possible view of any vulnerabilities before you deploy.”

Constellation Research Inc. analyst Holger Mueller told SiliconANGLE that today’s acquisition, more than anything else, highlights the success of HashiCorp Inc.’s Terraform platform, with third-party software providers now looking to support and improve it with complementary offerings.

“This is what Aqua Security is doing with tfsec,” he explained. “Terraform code is super-sensitive as it’s used to set up complete systems in the cloud. So this is a good move for Aqua as it needs to follow the latest cloud trends thanks to its status as a cloud-native security provider.”

Aqua said tfsec will remain a standalone open-source project that anyone can use. However, the company is planning to integrate its IaC scanning capabilities into several of its cloud security tools, including Tracee, Starboard, Kube-bench and Kube-hunter.

“Aqua Trivy has become the industry standard for open source vulnerability scanning thanks to its simple user experience and rich functionality,” said Aqua Security Director of Open Source Itay Shakury. “Now Trivy brings the same superior experience into Infrastructure as Code scanning to provide even more value to container and code scanning.”

Image: Aqua Security