tenable · cesar-rodriguez · Aug 4, 2021 · Jun 4, 2021 · Jun 8, 2021 · Jun 8, 2021
@@ -11,25 +11,25 @@
 
 ## Introduction
 
-Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allow you to:
+Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allows you to:
 
-- seamlessly scan infrastructure as code for misconfigurations
-- monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and enables reverting to a secure posture.
+- Seamlessly scan infrastructure as code for misconfigurations.
+- Monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and enables reverting to a secure posture.
 - Detect security vulnerabilities and compliance violations.
 - Mitigate risks before provisioning cloud native infrastructure.
 - Offers flexibility to run locally or integrate with your CI\CD.
 
 ### Resources
 
 * To learn more about Terrascan's features and capabilities, see the documentation portal: https://runterrascan.io
-* Discuss: https://community.accurics.com
-* Join The Terrascan Community on Discord : https://discord.gg/DFwXEfbjzt 
+* Join The Terrascan Community on Discord : https://discord.gg/DFwXEfbjzt
 
 ## Key features
 * 500+ Policies for security best practices
 * Scanning of Terraform (HCL2)
 * Scanning of Kubernetes (JSON/YAML), Helm v3, and Kustomize v3
-* Support for AWS, Azure, GCP, Kubernetes and GitHub
+* Scanning of Dockerfiles
+* Support for AWS, Azure, GCP, Kubernetes, Dockerfiles, and GitHub
 
 ## Quick Start
 
@@ -38,8 +38,8 @@ Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allow
 3. [Integrate](#integrate)
 
 ### Step 1: Install
-Terrascan's supports multiple ways to install and is also available as a Docker image.
-See Terrascan's [releases](https://github.com/accurics/terrascan/releases) page for latest version of builds in all supported platforms. Select the correct binary for your platform.
+Terrascan supports multiple ways to install and is also available as a Docker image.
+See Terrascan's [releases](https://github.com/accurics/terrascan/releases) page for the latest version of builds in all supported platforms. Select the correct binary for your platform.
 
 #### Install as a native executable
 
@@ -81,7 +81,7 @@ Terrascan can be integrated into CI/CD pipelines to enforce security best practi
 Please refer to our [documentation to integrate with your pipeline](https://runterrascan.io/docs/integrations/).
 
 ## Terrascan Commands
-You can use terrascan command with the following options:
+You can use the `terrascan` command with the following options:
 
 ```sh
 $ terrascan
@@ -109,13 +109,13 @@ Use "terrascan [command] --help" for more information about a command.
 
 ## Policies
 Terrascan policies are written using the [Rego policy language](https://www.openpolicyagent.org/docs/latest/policy-language/). Every rego includes a JSON "rule" file which defines metadata for the policy.
-By default, Terrascan downloads policies from Terrascan repositories while scanning for the first time. However if you want to download the latest policies, you need to run the Initialization process. See [Usage](https://runterrascan.io/docs/usage/command_line_mode/) for information about the Initialization process.
+By default, Terrascan downloads policies from Terrascan repositories while scanning for the first time. However, if you want to download the latest policies, you need to run the Initialization process. See [Usage](https://runterrascan.io/docs/usage/command_line_mode/) for information about the Initialization process.
 
-Note: The scan command will implicitly run the initialization process there are no policies found.
+Note: The scan command will implicitly run the initialization process if there are no policies found.
 
 ## Customizing scans
 
-By default, Terrascan scans your entire configuration against all policies. However, Terrascan supports granular configuration of policies and resources. 
+By default, Terrascan scans your entire configuration against all policies. However, Terrascan supports granular configuration of policies and resources.
 
 Read more about [in-file instrumentation](https://runterrascan.io/docs/usage/in-file_instrumentation/) and [the config file](https://runterrascan.io/docs/usage/config_options/) on our documentation site.
 
@@ -173,7 +173,7 @@ RUN git clone https://github.com/accurics/terrascan && cd terrascan \
 ```
 
 ## Developing Terrascan
-To learn more about developing and contributing to Terrascan refer to the [contributing guide](CONTRIBUTING.md).
+To learn more about developing and contributing to Terrascan, refer to the [contributing guide](CONTRIBUTING.md).
 
 ## Code of Conduct
 We believe having an open and inclusive community benefits all of us. Please note that this project is released with a [Contributor Code of Conduct](code_of_conduct.md). By participating in this project you agree to abide by its terms.

@@ -69,7 +69,7 @@ The `scan` command supports flags to configure the following:
 - Directory path to policies
 - Specify policy type.
 
-The full list of flags for the scan command can be found by typing 
+The full list of flags for the scan command can be found by typing
 `terrascan scan -h`
 
 ### Scanning current directory containing terraform files for AWS Resources
@@ -99,12 +99,12 @@ When scanning Terraform code, Terrascan checks for the availability of the file
 
 ## Configuring the output format for a scan
 
-By default Terrascan output is displayed in human friendly format. Use the `-o` flag to change this to **YAML**, **JSON**, **XML**, **JUNIT-XML** and **SARIF** formats.
+By default, Terrascan output is displayed in a human friendly format. Use the `-o` flag to change this to **YAML**, **JSON**, **XML**, **JUNIT-XML** and **SARIF** formats.
 
 > **Note**: Terrascan exits with error code 3 if any issues are found during a scan.
 
 
-Terrascan's output is a list of security violations present in the scanned IaC files. The example below is terrascan's out in YAML.
+Terrascan's output is a list of security violations present in the scanned IaC files. The example below is terrascan's output in YAML.
 ``` Bash
 $ terrascan scan -t aws
 results:
@@ -134,7 +134,7 @@ Helm chart can be scanned by specifying "helm" on the -i flag as follows:
 $ terrascan scan -i helm
 ```
 
-This command will recursively look for `Chart.yaml` files in the current directory and scans rendered `.yaml`, `.yml`, `.tpl` template files found under the corresponding `/templates` directory.
+This command will recursively look for `Chart.yaml` files in the current directory and scan rendered `.yaml`, `.yml`, `.tpl` template files found under the corresponding `/templates` directory.
 
 A specific directory to scan can be specified using the `-d` flag. The Helm IaC provider does not support scanning of individual files using the `-f` flag.
 
@@ -149,6 +149,17 @@ $ terrascan scan -i kustomize
 This command looks for a `kustomization.yaml` file in the current directory and scans rendered .yaml or .yml template files.
 
 A specific directory to scan can be specified using the `-d` flag. The Kustomize IaC provider does not support scanning of individual files using the `-f` flag.
+### Scanning a Dockerfile
+
+A Dockerfile can be scanned by specifying "docker" on the -i flag as follows:
+
+```
+$ terrascan scan -i docker
+```
+
+This command looks for a `Dockerfile` in the current directory and scans that file.
+
+A specific directory to scan can be specified using the `-d` flag. With the `-d` flag, it will check for all the docker files (named as `Dockerfile`) in the provided directory recursively. A specific dockerfile can be scanned using `-f` flag by providing a path to the file.
 
 ### Resource Config
 While scanning a IaC, Terrascan loads all the IaC files, creates a list of resource configs and then processes this list to report violations. For debugging purposes, you can print this resource configs list as an output by using the `--config-only` flag to the `terrascan scan` command.
@@ -185,8 +196,8 @@ aws_ecr_repository:
 | -h | Help for scan command | See list of all flags supported with descriptions, default options in all commands are highlighted in bold|
 | -d | Use this to scan a specific directory. Use "." for current directory | AWS, GCP, Azure, and GitHub|
 | -f | Use this command to scan a specific file | <tbd any formats/limitations for example file size> |
-| -i type  | Use this to change the IaC provider | helm, k8s, kustomize, **terraform**|
-| -i version  | Use this in conjuntion with `- i type` to specify the version of IaC provider | Supported versions of each IaC are: `helm: v3, k8s: v1, kustomize: v3, terraform: v12, v13, v14`|
+| -i type  | Use this to change the IaC provider | arm, cft, docker, helm, k8s, kustomize, **terraform**|
+| -i version  | Use this in conjunction with `- i type` to specify the version of IaC provider | Supported versions of each IaC are: `arm: v1, cft: v1, docker: v1, helm: v3, k8s: v1, kustomize: v3, terraform: v12, v13, v14, v15`|
 | -p | Use this to specify directory path for policies | By default policies are installed here: <tbd specify a default path> |
 | -t  | Use this to specify individual cloud providers | **all**, aws, azure, gcp, github, k8s|
 | -r | Use this to specify directory path for remote backend | git, s3, gcs, http |
@@ -201,7 +212,7 @@ aws_ecr_repository:
 | -c | Use this to specify config file settings | Format supported is `*.TOML` |
 | -l | Use this to specify what log settings | debug, **info**, warn, error, panic, fatal  |
 | -x | Use this to specify the log file format | **console**, json |
-| -o | Use this to specify the scan output type | **human**, json, yaml, xml |
+| -o | Use this to specify the scan output type | **human**, json, yaml, xml, junit-xml, sarif, github-sarif |
 
 
 
@@ -218,17 +229,21 @@ Usage:
   terrascan scan [flags]
 
 Flags:
+     --categories strings        list of categories of violations to be reported by terrascan (example: --categories="category1,category2")
       --config-only               will output resource config (should only be used for debugging purposes)
   -h, --help                      help for scan
   -d, --iac-dir string            path to a directory containing one or more IaC files (default ".")
   -f, --iac-file string           path to a single IaC file
-  -i, --iac-type string           iac type (helm, k8s, kustomize, terraform)
-      --iac-version string        iac version (helm: v3, k8s: v1, kustomize: v3, terraform: v12, v13, v14)
+  -i, --iac-type string           iac type (arm, cft, docker, helm, k8s, kustomize, terraform, tfplan)
+      --iac-version string        iac version (arm: v1, cft: v1, docker: v1, helm: v3, k8s: v1, kustomize: v3, terraform: v12, v13, v14, v15, tfplan: v1)
+      --non-recursive             do not scan directories and modules recursively
   -p, --policy-path stringArray   policy path directory
   -t, --policy-type strings       policy type (all, aws, azure, gcp, github, k8s) (default [all])
-  -r, --remote-type string        type of remote backend (git, s3, gcs, http)
+  -r, --remote-type string        type of remote backend (git, s3, gcs, http, terraform-registry)
   -u, --remote-url string         url pointing to remote IaC repository
       --scan-rules strings        one or more rules to scan (example: --scan-rules="ruleID1,ruleID2")
+      --severity string           minimum severity level of the policy violations to be reported by terrascan
+      --show-passed               display passed rules, along with violations
       --skip-rules strings        one or more rules to skip while scanning (example: --skip-rules="ruleID1,ruleID2")
       --use-colors string         color output (auto, t, f) (default "auto")
   -v, --verbose                   will show violations with details (applicable for default output)
@@ -237,5 +252,5 @@ Global Flags:
   -c, --config-path string   config file path
   -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
   -x, --log-type string      log output type (console, json) (default "console")
-  -o, --output string        output type (human, json, yaml, xml) (default "human")
-```
+  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif, github-sarif) (default "human")
+```
@@ -1,19 +1,19 @@
 # In-file Instrumentation
 
-Terrascan can be instrumented using special commands inside your IaC files (Terraform and K8s)
+Terrascan can be instrumented using special commands inside your IaC files (Terraform, K8s and dockerfile)
 
 Today, Terrascan supports these instrumentations:
 
 * Rule Skipping
 * Resource Prioritization
 
 ## Rule Skipping
-Rule skipping allows you to specify a rule that should not be applied to a particular resource. 
+Rule skipping allows you to specify a rule that should not be applied to a particular resource.
 
-> Note:  In-file instrumentation will skip the rule only for the resource it is defined in. The `skip_rules` parameter in config file will skip the rule for the entire scan.
+> Note:  In-file instrumentation will skip the rule only for the resource it is defined in. The `skip_rules` parameter in the config file will skip the rule for the entire scan.
 
 ### In Terraform
-Use the syntax `#ts:skip=RuleID optional_comment` inside a resource to skip the rule for that resource. 
+Use the syntax `#ts:skip=RuleID optional_comment` inside a resource to skip the rule for that resource.
 
 #### Example
 ``` HCL
@@ -30,7 +30,7 @@ resource "aws_db_instance" "PtShGgAdi4" {
 }
 ```
 ### In Kubernetes
-Use the annotation 
+Use the annotation
 `runterrascan.io/skip:[{\"rule\": \RuleID\", \"comment\": \"reason to skip the rule\"}] ` inside a resource to skip the rule for that resource.
 
 #### Example
@@ -48,9 +48,20 @@ spec:
         paths:
           - backend:
               serviceName: nginx
-              servicePort: 80  
+              servicePort: 80
 ```
+### In Dockerfile
+Use the syntax `#ts:skip=RuleID optional_comment` inside the dockerfile to skip the rule for that resource.
 
+#### Example
+``` dockerfile
+FROM runatlantis/atlantis:v0.16.1
+#ts:skip=AC_DOCKER_0001 skip this rule.
+ENV DEFAULT_TERRASCAN_VERSION=1.5.1
+RUN terrascan init
+ENTRYPOINT ["/bin/bash", "entrypoint.sh"]
+CMD ["server"]
+```
 ## Resource Prioritization
 Resource prioritization allows you set maximum and minimum severities for violations in a given resource. Are you configuring a very sensitive resource? Set the minimum severity to `High`, so low and medium violations will be escalated. Need to suppress all violations from a particular resource? Set the maximum severity to `None`.
 
@@ -59,7 +70,7 @@ For maximum severity, meaningful options are Medium, Low, and None.
 For minimum severity, meaningful options are High and Medium.
 
 ### In Terraform
-Use the syntax `#ts:maxseverity=SEVERITY`, or `#ts:minseverity=SEVERITY` inside a resource to skip the rule for that resource. 
+Use the syntax `#ts:maxseverity=SEVERITY`, or `#ts:minseverity=SEVERITY` inside a resource to skip the rule for that resource.
 
 #### Example
 ``` HCL
@@ -76,7 +87,7 @@ resource "aws_db_instance" "PtShGgAdi4" {
 }
 ```
 ### In Kubernetes
-Use the annotation 
+Use the annotation
 `runterrascan.io/minseverity: SEVERITY`, or `runterrascan.io/maxseverity: SEVERITY` inside a resource to skip the rule for that resource.
 
 #### Example
@@ -94,6 +105,17 @@ spec:
         paths:
           - backend:
               serviceName: nginx
-              servicePort: 80 
+              servicePort: 80
 ```
+### In Dockerfile
+Use the syntax `#ts:maxseverity=SEVERITY`, or `#ts:minseverity=SEVERITY` inside a dockerfile to skip the rule for that resource.
 
+#### Example
+``` dockerfile
+#ts:maxseverity=None
+FROM runatlantis/atlantis:v0.16.1
+ENV DEFAULT_TERRASCAN_VERSION=1.5.1
+RUN terrascan init
+ENTRYPOINT ["/bin/bash", "entrypoint.sh"]
+CMD ["server"]
+```
@@ -29,6 +29,7 @@ require (
 	github.com/itchyny/gojq v0.12.1
 	github.com/mattn/go-isatty v0.0.12
 	github.com/mitchellh/go-homedir v1.1.0
+	github.com/moby/buildkit v0.8.3
 	github.com/onsi/ginkgo v1.15.1
 	github.com/onsi/gomega v1.11.0
 	github.com/open-policy-agent/opa v0.22.0