Terrascan detects security vulnerabilities and compliance violations across your Infrastructure as Code. Mitigate risks before provisioning cloud native infrastructure. Run locally or integrate with your CI/CD.
- Documentation: https://docs.accurics.com/projects/accurics-terrascan
- Discuss: https://community.accurics.com
- 500+ Policies for security best practices
- Scanning of Terraform (HCL2)
- Scanning of Kubernetes (JSON/YAML), Helm v3, and Kustomize v3
- Support for AWS, Azure, GCP, Kubernetes and GitHub
Terrascan supports multiple ways to install, including Homebrew. Here, we download the Terrascan binary directly from the releases page. Make sure to select the right binary for your machine and, in CI, pin the version you install so scans stay reproducible. Here's an example of how to install it:
$ curl --location https://github.com/accurics/terrascan/releases/download/v1.3.0/terrascan_1.3.0_Darwin_x86_64.tar.gz --output terrascan.tar.gz
$ tar -xvf terrascan.tar.gz
x CHANGELOG.md
x LICENSE
x README.md
x terrascan
$ install terrascan /usr/local/bin
$ terrascan
To scan your code for security issues, run the following (the IaC type defaults to Terraform):
$ terrascan scan
Terrascan exits with status 3 if any violations are found, so a CI job can fail the build on that status.
The following commands are available:
$ terrascan
Terrascan
Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
For more information, please visit https://docs.accurics.com
Usage:
terrascan [command]
Available Commands:
help Help about any command
init Initialize Terrascan
scan Detect compliance and security violations across Infrastructure as Code.
server Run Terrascan as an API server
version Terrascan version
Flags:
-c, --config-path string config file path
-h, --help help for terrascan
-l, --log-level string log level (debug, info, warn, error, panic, fatal) (default "info")
-x, --log-type string log output type (console, json) (default "console")
-o, --output string output type (human, json, yaml, xml) (default "human")
Use "terrascan [command] --help" for more information about a command.
Please refer to our documentation to integrate with your pipeline.
If a resource should not be tested against a particular rule, you can tell Terrascan to skip it.
In Terraform files, you can tell Terrascan to skip rules by inserting a comment with the phrase "ts:skip=RULENAME SKIP_REASON". The comment must be placed inside the resource block it applies to.
In Kubernetes YAML manifests, you can tell Terrascan to skip rules by adding an annotation to the resource's metadata.
Use the config file to pick which rules are applied or suppressed for the entire scan. This is meant for edge cases. Prefer in-file suppression for resources that shouldn't be tested against particular rules: it skips the rule only for those resources, not for every resource in the scan.
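The script below ties two of the points above together: the exit-status-3 contract for CI (violations fail the job, but are reported separately from a tool or parse error, which must never pass as a clean scan) and both in-file suppression forms. It is an added example, not Terrascan's own code or documentation. The Terraform file and Kubernetes manifest it writes are constructed fixtures; RULENAME stands in for a real rule ID and the resource names are placeholders. The scan flags `-i` (IaC type) and `-d` (directory) come from `terrascan scan --help`, and the annotation key `runterrascan.io/skip` with its JSON-list value is my reading of Terrascan's documented Kubernetes skip format, so check both against the version you run.

```shell
#!/bin/sh
# Added example, not Terrascan's own code. Wraps `terrascan scan` for a CI job:
#  - exit 3 (violations) fails the build but is reported separately from other
#    non-zero exits, which mean the scan itself did not complete;
#  - the fixtures show both in-file suppression forms described in the README.
# RULENAME and the resource names are placeholders, not real Terrascan rule IDs.
set -u

# Map a terrascan exit status to a verdict. Only 0 is "clean"; 3 is the documented
# "violations found" status; anything else means a tool or parse error.
classify_exit() {
  case "$1" in
    0) echo "clean" ;;
    3) echo "violations" ;;
    *) echo "error" ;;
  esac
}

# Write constructed sample IaC under directory $1: one Terraform file and one
# Kubernetes manifest, each skipping the placeholder rule RULENAME.
write_fixtures() {
  mkdir -p "$1/tf" "$1/k8s"
  # Terraform: the ts:skip comment sits inside the resource block it applies to;
  # the text after the rule name is the reason recorded for reviewers.
  cat > "$1/tf/main.tf" <<'EOF'
resource "aws_s3_bucket" "static_site" {
  #ts:skip=RULENAME bucket intentionally serves public static assets
  bucket = "example-static-site"
  acl    = "public-read"
}
EOF
  # Kubernetes: a runterrascan.io/skip annotation whose value is a JSON list of
  # {rule, comment} objects (assumed format; verify against your Terrascan version).
  cat > "$1/k8s/pod.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: example
  annotations:
    runterrascan.io/skip: |
      [{"rule": "RULENAME", "comment": "placeholder rule id; give the real reason here"}]
spec:
  containers:
    - name: app
      image: nginx:1.21
EOF
}

# Scan directory $2 as IaC type $1 (terraform, k8s, helm, kustomize), keep the JSON
# report in $3 as a pipeline artifact, and print the verdict. The if/else keeps a
# non-zero exit from aborting the script when it runs under `set -e`.
scan_dir() {
  if terrascan scan -i "$1" -d "$2" -o json > "$3" 2> "$3.err"; then
    rc=0
  else
    rc=$?
  fi
  classify_exit "$rc"
}

main() {
  work="$(mktemp -d)"
  write_fixtures "$work"
  status=0
  for target in "terraform $work/tf" "k8s $work/k8s"; do
    set -- $target
    verdict="$(scan_dir "$1" "$2" "$work/$1.json")"
    echo "$1: $verdict (report: $work/$1.json)"
    # Fail the job on violations AND on tool errors; a crashed scan is not a clean scan.
    [ "$verdict" = "clean" ] || status=1
  done
  return "$status"
}

# Run the scans only when terrascan is on PATH; the functions above stand alone.
if command -v terrascan >/dev/null 2>&1; then
  main
fi
```

Run it from a CI step as `sh scan.sh`; the job's exit status is non-zero unless every scan came back clean, and the per-type JSON reports can be uploaded as build artifacts for triage.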
Homebrew users can install by:
$ brew install terrascan
Terrascan is also available as a Docker image and can be used as follows
$ docker run accurics/terrascan
$ export GO111MODULE=on
$ go get -u github.com/accurics/terrascan/cmd/terrascan
go: downloading github.com/accurics/terrascan v1.3.0
go: found github.com/accurics/terrascan/cmd/terrascan in github.com/accurics/terrascan v1.3.0
...
$ terrascan
Terrascan can be built locally. This is helpful if you want to be on the latest version or when developing Terrascan.
$ git clone git@github.com:accurics/terrascan.git
$ cd terrascan
$ make build
$ ./bin/terrascan
To learn more about developing and contributing to Terrascan refer to the contributing guide.
Terrascan is licensed under the Apache 2.0 License.