Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

Terrascan

Features

  • 500+ Policies for security best practices
  • Scanning of Terraform 12+ (HCL2)
  • Scanning of Kubernetes (JSON/YAML), Helm v3, and Kustomize v3
  • Support for AWS, Azure, GCP, Kubernetes and GitHub

Installing

Terrascan's binary for your architecture can be found on the releases page. Here's an example of how to install it:

$ curl --location https://github.com/accurics/terrascan/releases/download/v1.2.0/terrascan_1.2.0_Darwin_x86_64.tar.gz --output terrascan.tar.gz
$ tar -xvf terrascan.tar.gz
  x CHANGELOG.md
  x LICENSE
  x README.md
  x terrascan
$ install terrascan /usr/local/bin
$ terrascan

If you have Go installed, Terrascan can be installed with go get:

$ export GO111MODULE=on
$ go get -u github.com/accurics/terrascan/cmd/terrascan
  go: downloading github.com/accurics/terrascan v1.2.0
  go: found github.com/accurics/terrascan/cmd/terrascan in github.com/accurics/terrascan v1.2.0
  ...
$ terrascan

Install via brew

Homebrew users can install Terrascan with:

$ brew install terrascan

Docker

Terrascan is also available as a Docker image and can be used as follows:

$ docker run accurics/terrascan

Building Terrascan

Terrascan can be built locally. This is helpful if you want to be on the latest version or when developing Terrascan.

$ git clone git@github.com:accurics/terrascan.git
$ cd terrascan
$ make build
$ ./bin/terrascan

Getting started

To scan your code for security issues you can run the following (defaults to scanning Terraform).

$ terrascan scan

Terrascan will exit with status code 3 if any issues are found.
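The exit status above can be used to gate a CI pipeline. The following is an added example, not part of the Terrascan project: it separates "violations found" (exit 3) from any other non-zero status, which it assumes means the scanner itself failed, and blocks in both cases. The REPORT and RUN_GATE variable names and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: CI gate around `terrascan scan`.
# Exit status 3 = issues found (per the README). Any other non-zero status is
# treated as a scanner failure (assumption of this example) and also blocks,
# so a crashed or missing scanner never lets a change through unscanned.

# classify_scan_status <exit-status>  ->  prints pass | violations | scanner-error
classify_scan_status() {
    case "$1" in
        0) echo pass ;;
        3) echo violations ;;
        *) echo scanner-error ;;
    esac
}

# terrascan_gate [command...]
# Runs the scanner (default: terrascan scan -o json), writes its output to
# $REPORT, and returns 0 only when the scan is clean.
terrascan_gate() {
    [ "$#" -gt 0 ] || set -- terrascan scan -o json
    report="${REPORT:-terrascan-report.json}"   # hypothetical report path
    scan_rc=0
    "$@" > "$report" || scan_rc=$?
    verdict=$(classify_scan_status "$scan_rc")
    case "$verdict" in
        pass)
            echo "terrascan: no violations" >&2
            return 0 ;;
        violations)
            echo "terrascan: violations found, see $report" >&2
            return 1 ;;
        *)
            echo "terrascan: scanner failed (exit $scan_rc), failing closed" >&2
            return 2 ;;
    esac
}

# Run the gate only when asked to, so the file can also be sourced.
if [ "${RUN_GATE:-}" = 1 ]; then
    terrascan_gate "$@"
fi
```

Run it from the directory containing the IaC files with RUN_GATE=1 set; the script's own exit status is 0 for a clean scan, 1 for violations and 2 for a scanner failure.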

The following commands are available:

$ terrascan
Terrascan

An advanced IaC (Infrastructure-as-Code) file scanner written in Go.
Secure your cloud deployments at design time.
For more information, please visit https://www.accurics.com

Usage:
  terrascan [command]

Available Commands:
  help        Help about any command
  init        Initialize Terrascan
  scan        Scan IaC (Infrastructure-as-Code) files for vulnerabilities.
  server      Run Terrascan as an API server

Flags:
  -c, --config-path string   config file path
  -h, --help                 help for terrascan
  -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
  -x, --log-type string      log output type (console, json) (default "console")
  -o, --output-type string   output type (json, yaml, xml) (default "yaml")
  -v, --version              version for terrascan

Use "terrascan [command] --help" for more information about a command.

Documentation

To learn more about Terrascan, check out the documentation at https://docs.accurics.com, where we include a getting started guide, Terrascan's architecture, a breakdown of its commands, and a deep dive into policies.

Developing Terrascan

To learn more about developing and contributing to Terrascan refer to the contributing guide.

License

Terrascan is licensed under the Apache 2.0 License.