In this section of the IaC Scanning Tools Guide, we look at Terrascan: its benefits and key features, how to get started, and some real-world examples. You can explore the other parts of this guide below.
What is Terrascan?
Terrascan is a tool that scans your Infrastructure as Code for security and compliance policy violations. It supports various IaC languages such as Terraform, Kubernetes, Dockerfile, and more, and it integrates with cloud platforms such as AWS, Azure, and GCP. Terrascan ships with over 500 policies covering best practices, so risks can be caught before cloud infrastructure is provisioned. You can run Terrascan locally or in your CI/CD pipeline to automate the scanning process.
Benefits and Key Features of using Terrascan
Some of the benefits and key features of using Terrascan are:
How to get started with Terrascan
Installing Terrascan
There are several ways to install Terrascan, depending on your preference and platform. You can download the binary from the GitHub releases page, install it with Homebrew, or run it as a Docker image. For example, to install Terrascan on macOS using Homebrew, you can run the following command:
To verify that Terrascan is installed correctly, you can run:
You should see output similar to this:
If you're following along in our GitHub repo with Codespaces, Terrascan is already installed for you.
Scanning your IaC code
To scan your IaC code for security issues, you can use the terrascan scan command. By default, Terrascan will scan the current directory for Terraform files and report any violations found. You can also specify the type of IaC using the -i flag, such as -i k8s for Kubernetes or -i dockerfile for Dockerfile.
For example, to scan a single Terraform file, you can run:
You should see output similar to this:
As you can see, Terrascan has detected one high-severity violation indicating that S3 bucket versioning is recommended for easy recovery from unintended user actions.
Example use cases of Terrascan
Use case 1: Scan Terraform Files
Now let's scan the same Terraform files using Terrascan. Run the following commands:
Let’s examine the output:
Use case 2: Scanning Kubernetes manifests
Let's see how Terrascan performs when it comes to Kubernetes manifests. Run the following commands:
And here is the output:
Terrascan Custom Policies
Once again, let's create a custom policy. We will use Rego with Terrascan to check whether an S3 bucket has a public-read ACL together with the tag Scope="PCI".
First, you will need to install the OPA binary. On Linux you can use the following script:
And on Mac use:
Once again, if you are following along with GitHub Codespaces, it will already be installed for you.
Now let's examine the files you will need. You need two files: a .json file where you specify a few attributes of the policy, and a .rego file where you define the actual policy.
We've included these two files in the terrascan_custom_policy folder in our repo, under the Terraform folder.
Below is the content of the pci_policy_terrascan.json file:
And below is the content of the pci_policy_terrascan.rego file:
An easy way to generate the above two files is to use the Terrascan Rego Editor VS Code extension.
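As an added illustration (not the files from the guide's repo), the script below writes a policy directory holding the two files just described. The JSON field names and the ~/.terrascan/pkg/policies/opa/rego path are my assumptions about Terrascan's policy layout, and the policy name and reference_id are made up for this example.

```sh
#!/usr/bin/env sh
# Writes a Terrascan custom-policy directory holding the two files the guide
# describes: a .json metadata file and the .rego rule it points at.
# Field names follow the Terrascan policy layout as I understand it
# (assumed; compare with the policies Terrascan ships before relying on it).
write_policy_dir() {
  dir="$1"
  mkdir -p "$dir"
  # Metadata: tells Terrascan which provider/resource the rule applies to,
  # how severe a hit is, and which .rego file holds the logic.
  cat > "$dir/pci_policy_terrascan.json" <<'EOF'
{
  "name": "s3PublicReadPciBucket",
  "file": "pci_policy_terrascan.rego",
  "policy_type": "aws",
  "resource_type": "aws_s3_bucket",
  "template_args": { "name": "s3PublicReadPciBucket", "prefix": "", "suffix": "" },
  "severity": "HIGH",
  "description": "S3 bucket tagged Scope=PCI must not use the public-read ACL",
  "reference_id": "CUSTOM.AWS.S3Bucket.PCI.High.0001",
  "category": "Data Protection",
  "version": 1
}
EOF
  # Rule: the {{.prefix}}{{.name}}{{.suffix}} placeholders are filled from
  # template_args. A bucket id is emitted (that is, a violation is reported)
  # only when BOTH conditions hold: public-read ACL and the Scope=PCI tag.
  cat > "$dir/pci_policy_terrascan.rego" <<'EOF'
package accurics

{{.prefix}}{{.name}}{{.suffix}}[bucket.id] {
    bucket := input.aws_s3_bucket[_]
    bucket.config.acl == "public-read"
    bucket.config.tags.Scope == "PCI"
}
EOF
}

# Runs the scan with the custom directory first and the built-in policy store
# second (the store path is assumed to be Terrascan's default location).
scan_with_custom_policy() {
  terrascan scan -i terraform -d "$1" \
    --policy-path "$2" \
    --policy-path "$HOME/.terrascan/pkg/policies/opa/rego"
}
```

Call write_policy_dir with the target directory, then scan_with_custom_policy with the Terraform directory and that policy directory.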
Now we're ready to run our scan; the command below will do it for us. Notice how we use --policy-path to point to the directory where our custom Rego policies live. The second --policy-path flag points to the general location where Terrascan stores all of its built-in policies. If you omit that last --policy-path, only the custom policy we created will be checked.
Finally, the output will be as shown below: