/terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

Primary LanguageGoApache License 2.0Apache-2.0

Terrascan

GitHub release License: Apache 2.0 PRs Welcome CI codecov community Documentation Status Contributor Covenant

Terrascan detects security vulnerabilities and compliance violations across your Infrastructure as Code. Mitigate risks before provisioning cloud native infrastructure. Run locally or integrate with your CI\CD.

Features

  • 500+ Policies for security best practices
  • Scanning of Terraform (HCL2)
  • Scanning of Kubernetes (JSON/YAML), Helm v3, and Kustomize v3
  • Support for AWS, Azure, GCP, Kubernetes and GitHub

Quick Start

Step 1: Install

Terrascan's supports multiple ways to install, including brew. Here, we will download the terrascan binary directly from the releases page. Make sure to select the right binary for your machine. Here's an example of how to install it:

$ curl --location https://github.com/accurics/terrascan/releases/download/v1.3.3/terrascan_1.3.3_Darwin_x86_64.tar.gz --output terrascan.tar.gz
$ tar -xvf terrascan.tar.gz
  x CHANGELOG.md
  x LICENSE
  x README.md
  x terrascan
$ install terrascan /usr/local/bin
$ terrascan

Step 2: Run

To scan your code for security issues you can run the following (defaults to scanning Terraform).

$ terrascan scan

Terrascan will exit 3 if any issues are found.

The following commands are available:

$ terrascan
Terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
For more information, please visit https://docs.accurics.com

Usage:
  terrascan [command]

Available Commands:
  help        Help about any command
  init        Initialize Terrascan
  scan        Detect compliance and security violations across Infrastructure as Code.
  server      Run Terrascan as an API server
  version     Terrascan version

Flags:
  -c, --config-path string   config file path
  -h, --help                 help for terrascan
  -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
  -x, --log-type string      log output type (console, json) (default "console")
  -o, --output string        output type (human, json, yaml, xml) (default "human")

Use "terrascan [command] --help" for more information about a command.

Step 3: Integrate with CI\CD

Please refer to our documentation to integrate with your pipeline.

Rule Suppression

If a resource should not be tested against a particular rule, you can tell terrascan to skip it.

Terraform

In Terraform scripts, you can tell terrascan to skip rules by inserting a comment with the phrase "ts:skip=RULENAME SKIP_REASON". The comment should be inside the resource.

tf

Kubernetes

In Kubernetes yamls, you can tell terrascan to skip rules by adding an annotation as seen in the snippet below.

k8s

Broad Rule Suppression

Use our config file to manually pick which rules should be applied or suppressed from the entire scan. This is suitable for edge use cases. Please use in-file suppression to specify resources that shouldn't be tested against particular rules. This ensures that the rules are skipped only for particular resources, rather than all of the resources.

config

Sample Output

Screenshot 2021-01-19 at 10 52 47 PM

Other Installation Options

Install via brew

Homebrew users can install by:

$ brew install terrascan

Docker

Terrascan is also available as a Docker image and can be used as follows

$ docker run accurics/terrascan

Building Terrascan

Terrascan can be built locally. This is helpful if you want to be on the latest version or when developing Terrascan.

$ git clone git@github.com:accurics/terrascan.git
$ cd terrascan
$ make build
$ ./bin/terrascan

To build your own docker, refer to this example (Alpine Linux):

FROM golang:alpine AS build-env

RUN apk add --update git

RUN git clone https://github.com/accurics/terrascan && cd terrascan \
  && CGO_ENABLED=0 GO111MODULE=on go build -o /go/bin/terrascan cmd/terrascan/main.go

Developing Terrascan

To learn more about developing and contributing to Terrascan refer to the contributing guide.

Code of Conduct

We believe having an open and inclusive community benefits all of us. Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.

License

Terrascan is licensed under the Apache 2.0 License.