Terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.


Terrascan detects security vulnerabilities and compliance violations across your Infrastructure as Code. Mitigate risks before provisioning cloud native infrastructure. Run locally or integrate with your CI/CD.

Features

  • 500+ Policies for security best practices
  • Scanning of Terraform (HCL2)
  • Scanning of Kubernetes (JSON/YAML), Helm v3, and Kustomize v3
  • Support for AWS, Azure, GCP, Kubernetes and GitHub

Quick Start

Step 1: Install

Terrascan supports multiple ways to install, including brew.
Here, we will download the terrascan binary directly from the releases page. Make sure to select the right binary for your machine (the example below fetches the macOS x86_64 build). Here's an example of how to install it:

$ curl -L "$(curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E "https://.+?_Darwin_x86_64.tar.gz")" > terrascan.tar.gz
$ tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz
$ install terrascan /usr/local/bin && rm terrascan
$ terrascan

Step 2: Run

To scan your code for security issues, run the following (it defaults to scanning Terraform).

$ terrascan scan

Terrascan will exit 3 if any issues are found.

The following commands are available:

$ terrascan
Terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
For more information, please visit https://docs.accurics.com

Usage:
  terrascan [command]

Available Commands:
  help        Help about any command
  init        Initialize Terrascan
  scan        Detect compliance and security violations across Infrastructure as Code.
  server      Run Terrascan as an API server
  version     Terrascan version

Flags:
  -c, --config-path string   config file path
  -h, --help                 help for terrascan
  -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
  -x, --log-type string      log output type (console, json) (default "console")
  -o, --output string        output type (human, json, yaml, xml) (default "human")

Use "terrascan [command] --help" for more information about a command.

Step 3: Integrate with CI/CD

Please refer to our documentation to integrate with your pipeline.
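As an added example (not part of the Terrascan README or project), the shell wrapper below is the kind of CI gate Step 2 and Step 3 imply: it runs `terrascan scan` with the JSON output type listed in the help text above, treats exit status 3 as "violations found", and treats every other non-zero status as a scan error so that a broken scan can never pass silently. The `-i` (IaC type) and `-d` (IaC directory) flags of the `scan` subcommand are assumed from `terrascan scan --help` rather than taken from this page; check them against your installed version.

```shell
#!/bin/sh
# Added example, not part of the Terrascan README: a small CI gate around
# `terrascan scan`. Terrascan exits 3 when it finds violations; any other
# non-zero status means the scan itself did not complete (bad path, parse
# error, ...), which a pipeline should report as a build error rather than
# as a passed or failed policy check.

# Map a terrascan exit status to a pipeline verdict.
classify_scan_exit() {
  case "$1" in
    0) echo "clean" ;;
    3) echo "violations" ;;
    *) echo "error" ;;
  esac
}

# Scan one IaC directory and succeed only when no violations were found.
#   $1 = directory to scan
#   $2 = IaC type passed to `-i` (default: terraform)
#   $3 = where to keep the JSON report (default: terrascan-report.json)
# The `-i` and `-d` flags are assumed from `terrascan scan --help`; the
# `-o json` output type is the one listed in the README's help text.
run_iac_gate() {
  dir="$1"
  iac="${2:-terraform}"
  report="${3:-terrascan-report.json}"

  terrascan scan -i "$iac" -d "$dir" -o json > "$report"
  status=$?
  verdict=$(classify_scan_exit "$status")

  case "$verdict" in
    clean)      echo "terrascan: no violations in $dir" ;;
    violations) echo "terrascan: policy violations in $dir (report: $report)" >&2 ;;
    error)      echo "terrascan: scan failed with exit $status (see $report)" >&2 ;;
  esac

  # Return 0 only for a clean scan, so the CI job fails on violations or errors.
  [ "$verdict" = "clean" ]
}

# Usage from a pipeline: ./iac-gate.sh ./infra [iac-type]
# (IaC type values are whatever your Terrascan version accepts for -i.)
if [ $# -gt 0 ]; then
  run_iac_gate "$1" "${2:-terraform}"
fi
```

Keeping the JSON report as a build artifact lets reviewers see which policies failed without re-running the scan, and separating "error" from "violations" stops a misconfigured `-d` path from being mistaken for a clean result.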

Rule Suppression

If a resource should not be tested against a particular rule, you can tell terrascan to skip it.

Terraform

In Terraform scripts, you can tell terrascan to skip rules by inserting a comment with the phrase "ts:skip=RULENAME SKIP_REASON". The comment should be inside the resource.

(Terraform snippet shown as an image in the original README.)

Kubernetes

In Kubernetes yamls, you can tell terrascan to skip rules by adding an annotation as seen in the snippet below.

(Kubernetes annotation snippet shown as an image in the original README.)

Broad Rule Suppression

Use our config file to manually pick which rules should be applied or suppressed from the entire scan. This is suitable for edge use cases. Please use in-file suppression to specify resources that shouldn't be tested against particular rules. This ensures that the rules are skipped only for particular resources, rather than all of the resources.

(Config file snippet shown as an image in the original README.)
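The three suppression mechanisms described above (the `ts:skip=RULENAME SKIP_REASON` comment inside a Terraform resource, the Kubernetes annotation, and the broad config-file suppression) are easier to reason about with concrete files next to each other. The script below is an added example, not code from the Terrascan README or project: it writes constructed sample files for each mechanism and then audits the Terraform in-file suppressions, listing every skipped rule and flagging skips that give no reason, which is the check a reviewer most wants when suppressions start to accumulate. All rule IDs are placeholders; the `runterrascan.io/skip` annotation key and the `[rules]` / `skip-rules` TOML keys are taken from Terrascan's documentation as I recall it and should be checked against your version.

```shell
#!/bin/sh
# Added example, not part of the Terrascan README. It writes constructed
# sample files showing the three suppression mechanisms described above
# (Terraform comment, Kubernetes annotation, config file) and then audits the
# Terraform in-file suppressions so a reviewer can see which rules are
# skipped and whether each skip carries a reason. All rule IDs are
# placeholders, not real Terrascan policy IDs.

# Write the constructed samples under directory $1.
write_samples() {
  dir="$1"
  mkdir -p "$dir/k8s"

  # Terraform: the comment must sit inside the resource it applies to.
  # The second resource deliberately omits SKIP_REASON.
  cat > "$dir/main.tf" <<'EOF'
resource "aws_s3_bucket" "assets" {
  #ts:skip=PLACEHOLDER.RULE.0001 Bucket serves public assets by design, reviewed 2024-01
  bucket = "example-assets"
}

resource "aws_s3_bucket" "data" {
  #ts:skip=PLACEHOLDER.RULE.0002
  bucket = "example-data"
}
EOF

  # Kubernetes: a JSON list under the runterrascan.io/skip annotation
  # (annotation key as documented by Terrascan; check it against your version).
  cat > "$dir/k8s/pod.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: capture
  annotations:
    runterrascan.io/skip: |
      [{"rule": "PLACEHOLDER.RULE.0003", "comment": "host network needed for packet capture"}]
spec:
  hostNetwork: true
  containers:
    - name: capture
      image: example/capture:1.0
EOF

  # Broad suppression for the whole scan, passed with `terrascan -c`.
  # Section and key names follow Terrascan's TOML config documentation.
  cat > "$dir/terrascan.toml" <<'EOF'
[rules]
    skip-rules = ["PLACEHOLDER.RULE.0004"]
EOF
}

# List every ts:skip comment in *.tf files as "file:line:rule:reason".
# /dev/null is passed to grep so the file name is printed even for one file.
list_tf_skips() {
  find "$1" -name '*.tf' -exec grep -n 'ts:skip=' /dev/null {} + \
    | sed -E 's,^([^:]+):([0-9]+):[[:space:]]*(#|//)[[:space:]]*ts:skip=([^[:space:]]+)[[:space:]]*(.*)$,\1:\2:\4:\5,'
}

# Only the suppressions that give no reason; a review gate can fail on these.
skips_without_reason() {
  list_tf_skips "$1" | grep -E '^[^:]+:[0-9]+:[^:]+:$'
}

# Usage: ./audit-skips.sh ./infra
if [ $# -gt 0 ]; then
  echo "All Terraform suppressions:"
  list_tf_skips "$1"
  echo "Suppressions without a reason:"
  skips_without_reason "$1"
fi
```

Scanning the sample tree with `terrascan scan` (and, for the broad case, `terrascan -c <dir>/terrascan.toml scan`) shows the difference in scope: the comment and the annotation silence one rule for one resource, while `skip-rules` removes the rule from the whole run, which is why the README recommends in-file suppression for anything resource-specific.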

Sample Output

(Screenshot of sample terrascan output, dated 2021-01-19, shown as an image in the original README.)

Other Installation Options

Install via brew

Homebrew users can install with:

$ brew install terrascan

Docker

Terrascan is also available as a Docker image and can be used as follows:

$ docker run accurics/terrascan

Building Terrascan

Terrascan can be built locally. This is helpful if you want to be on the latest version or when developing Terrascan.

$ git clone git@github.com:accurics/terrascan.git
$ cd terrascan
$ make build
$ ./bin/terrascan

To build your own Docker image, refer to this example (Alpine Linux). Note that it clones the repository's default branch at build time rather than a tagged release, so the resulting image is not pinned to a version:

FROM golang:alpine AS build-env

RUN apk add --update git

RUN git clone https://github.com/accurics/terrascan && cd terrascan \
  && CGO_ENABLED=0 GO111MODULE=on go build -o /go/bin/terrascan cmd/terrascan/main.go

Developing Terrascan

To learn more about developing and contributing to Terrascan refer to the contributing guide.

Code of Conduct

We believe having an open and inclusive community benefits all of us. Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.

License

Terrascan is licensed under the Apache 2.0 License.

Key metrics

Overview
Name and owner: tenable/terrascan
Primary language: Go
Languages: Makefile (number of languages: 7)
Platform:
License: Apache License 2.0
Owner activity
Created: 2017-09-11 03:11:10
Last push: 2025-04-22 10:19:04
Last commit: 2025-04-22 12:19:04
Releases: 57
Latest release: v1.19.9 (released on )
First release: v0.1.0 (released on )
User engagement
Stars: 4.9k
Watchers: 69
Forks: 518
Commits: 1.7k
Issues enabled?
Issues: 442
Open issues: 203
Pull requests: 689
Open pull requests: 78
Closed pull requests: 501
Project settings
Wiki enabled?
Archived?
Is a fork?
Locked?
Is a mirror?
Private?