
What is Terrascan? Features, Use Cases & Custom Policies


In this article, we will take a look at Terrascan – what it is, why you might use it, how to install it, and how to make use of its features. We will then look at some use case examples, showing how to use it to scan Terraform, Kubernetes (K8S), and Helm charts. We will also define some custom policies and see how Terrascan compares to similar products, such as Checkov and tfsec.

We will cover:

  1. What is Terrascan?
  2. What is Terrascan used for?
  3. Terrascan features
  4. How to install Terrascan
  5. How to use Terrascan to scan the IaC code
  6. Terrascan use cases — examples
  7. Terrascan custom policies
  8. Terrascan vs Checkov
  9. Terrascan vs tfsec

What is Terrascan?

Terrascan is a flexible and powerful open-source static code analysis tool designed for scanning infrastructure as code (IaC) templates and configurations. It helps identify security vulnerabilities, compliance violations, and best practice issues in the IaC code. It can be used with multiple types of configuration files, provides built-in policies, and also allows the use of custom policies using Rego. It can also be used in pipelines with CI/CD systems.

What is Terrascan used for?

Terrascan helps developers and DevOps teams ensure that their infrastructure code adheres to best practices, security standards, and compliance requirements. Terrascan provides 500+ out-of-the-box policies so that you can scan IaC against common policy standards such as the CIS Benchmark.

The Terrascan website tagline summarises Terrascan:

Detect compliance and security violations across Infrastructure as Code (IaC) to mitigate risk before provisioning cloud native infrastructure.

One of the keywords here is before. The goal of the Terrascan tool is to alert you to any compliance or security problems before the infrastructure is provisioned so you can remedy them and avoid any issues.

Terrascan features

Here are some of the most important Terrascan features:

1. Support for multiple IaC frameworks

Terrascan can be used with various cloud providers and types of code, including AWS, Azure, Google Cloud Platform (GCP), K8S, ArgoCD, Atlantis, GitHub, and Docker, making it versatile for cross-cloud infrastructure deployments.

2. Policies

Terrascan provides a library of predefined security and compliance rules that can be customized to match specific requirements. These rules cover various aspects of infrastructure security and compliance, such as encryption, access controls, resource configurations, and more. To see which policies are included by default, check the Terrascan policies documentation page.

3. Automated scanning

Terrascan can be integrated into CI/CD pipelines, IDEs (Integrated Development Environments), and other development and deployment workflows. This enables automated scanning and validation of IaC code as part of the development process.

4. Continuous monitoring of cloud infrastructure

Terrascan can be used for continuous monitoring of cloud infrastructure. It can be set up to regularly scan and check for any drifts or configuration changes that may introduce vulnerabilities or compliance issues.

5. Reporting and remediation

Terrascan generates detailed reports that highlight issues found during the analysis. It also provides guidance on how to remediate these issues, helping teams address security and compliance concerns effectively.

How to install Terrascan

Installing Terrascan on Windows

You can use the popular Windows package manager Chocolatey, or download and install it manually.

choco install terrascan

To install it manually:

  1. Download Terrascan from the release page.
  2. Extract the files from the zip file and add to the Windows path.
  3. Right-click on the Start Button.
  4. Select “System” from the context menu.
  5. Click “Advanced system settings”
  6. Go to the “Advanced” tab.
  7. Click “Environment Variables…”
  8. Click the variable called “Path” and click “Edit…”
  9. Click “New”
  10. Enter the path to the folder containing the Terrascan files you want on your PATH.

Installing Terrascan on macOS

For macOS, download the latest release archive, extract the binary, and install it into /usr/local/bin:

curl -L "$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o -E "https://.+?_Darwin_x86_64.tar.gz")" > terrascan.tar.gz
tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz
install terrascan /usr/local/bin && rm terrascan

If the install step fails with a permission error, run it with sudo instead (the extracted binary is removed only after a successful install):

sudo install terrascan /usr/local/bin && rm terrascan

Installing Terrascan on Linux

For Linux, the steps are the same, using the Linux release archive:

curl -L "$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz
tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz
install terrascan /usr/local/bin && rm terrascan

If the install step fails with a permission error, run it with sudo instead:

sudo install terrascan /usr/local/bin && rm terrascan

Installing Terrascan with Docker

You can also pull the image from Docker Hub and run it directly:

$ docker run --rm tenable/terrascan version

Once installed, run the following on your command line to check that the binary is on your PATH and see which version you have:

terrascan version

How to use Terrascan to scan the IaC code

To scan your code, simply navigate to the folder that contains your configuration files and run:

terrascan scan

You can also pass in the directory you want to scan with the -d (--iac-dir) option.

The first time you use Terrascan, if the -p flag is not specified, Terrascan will download the latest policies from the Terrascan repository. You can update your local environment to the latest policies published in the repository by running terrascan init.

Terrascan use cases — examples

You can use Terrascan with multiple types of configuration files. Here are a few examples to get you up and running.

Example 1 — Scanning Terraform code

Let’s look at an example Terraform configuration for Azure that simply creates a resource group:

main.tf

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "East US"
}

Save the file, navigate to the directory that contains it, and run terrascan scan.

In the output, you should see that Terrascan detects one policy violation, with LOW severity, advising that resource locks should be enabled on the resource group.

Example 2 — Scanning Helm charts

To test Terrascan with a Helm chart, we will create a new chart called demo-chart:

helm create demo-chart

Next, we will edit the values.yaml file and add some securityContext lines that introduce extra vulnerabilities for Terrascan to report.

Navigate to the directory that contains your values.yaml file and run terrascan scan. You should see multiple policy violations reported, including two with HIGH severity caused by the securityContext lines we added.

Example 3 — Scanning Kubernetes manifests

To test scanning Kubernetes manifests with Terrascan, we will create a simple file for an nginx deployment:

nginx.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80

Navigate to the folder containing the nginx.yaml file and run terrascan scan.

Here, in the output, you should see multiple recommendations from Terrascan, including two HIGH priority issues (‘Minimize Admission of Root Containers’ and ‘Containers Should Not Run with AllowPrivilegeEscalation’).
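A hardened version of the same Deployment, added here as an example (it is not from the original article), that addresses the two HIGH findings above: the pod runs as a non-root user and the container sets allowPrivilegeEscalation to false and drops all Linux capabilities. Because the stock nginx image needs root to bind port 80, it assumes the nginxinc/nginx-unprivileged image, which listens on 8080 and runs as uid 101; the resource limits are added as general hardening.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      # Pod-level settings: every container must run with a non-root UID
      # and the runtime's default seccomp profile.
      securityContext:
        runAsNonRoot: true
        runAsUser: 101        # uid of the nginx user in the unprivileged image (assumed)
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: nginx
        # Unprivileged image serving on 8080, so no root is needed to bind the port.
        image: nginxinc/nginx-unprivileged:1.25
        ports:
        - containerPort: 8080
        securityContext:
          # Fixes "Containers Should Not Run with AllowPrivilegeEscalation".
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        resources:
          limits:
            cpu: "500m"
            memory: "128Mi"
          requests:
            cpu: "100m"
            memory: "64Mi"
```

Save it over nginx.yaml and run terrascan scan again; the two HIGH findings should no longer be reported.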

Example 4 — Integrating Terrascan with ArgoCD

Terrascan can be integrated with popular CI/CD systems, such as Azure DevOps, GitHub, GitLab, and Argo.

In the case of ArgoCD, Terrascan can be integrated in two ways:

  • Configured as an Argo CD job during the application pre-sync process using ArgoCD’s resource hook.
  • Using Terrascan’s K8S admission controller along with a pre-sync that scans a configured repository with the admission controller webhook.


Terrascan custom policies

Terrascan leverages the Open Policy Agent (OPA) engine so that you can easily create custom policies using the Rego query language. With each Rego policy, a JSON “rule” file is included, which defines metadata for the policy. Policies included within Terrascan are stored in the pkg/policies/opa/rego directory.

The rule.json file is a configuration file that references the custom policies defined in Rego files. It allows you to control which policies are applied and their severity levels during a Terrascan scan. Your custom policy logic and rules are defined in the .rego file, while the rule.json file specifies how to apply and configure those policies.

The policy example below enforces that Azure resource groups (the azurerm_resource_group type from Example 1) are deployed in “UK South” or “UK West” only. If a resource group is found elsewhere, it will be reported by Terrascan.

azure_region_policy.rego

package accurics

# Regions where azurerm_resource_group resources are allowed to live.
allowed_regions := {"UK South", "UK West"}

# Terrascan fills in the rule name from template_args in the JSON metadata
# file. The rule collects the id of every resource group whose location is
# outside the allowed set; each id in the set is reported as a violation.
{{.prefix}}{{.name}}{{.suffix}}[rg.id] {
    rg := input.azurerm_resource_group[_]
    not allowed_regions[rg.config.location]
}

To enable the custom policy, a JSON metadata file (rule.json here) sits beside the Rego file. Its file field names the Rego file, template_args fills in the rule name placeholder, resource_type tells Terrascan which resources the rule applies to, and severity sets how the violation is reported. The reference_id and category values are identifiers you choose.

rule.json

{
  "name": "azureRegionPolicy",
  "file": "azure_region_policy.rego",
  "policy_type": "azure",
  "resource_type": "azurerm_resource_group",
  "template_args": {
    "name": "azureRegionPolicy",
    "prefix": "",
    "suffix": ""
  },
  "severity": "HIGH",
  "description": "Azure resources should be deployed in 'UK South' or 'UK West' regions.",
  "reference_id": "CUSTOM.AZURE.REGION.1",
  "category": "Compliance",
  "version": 1
}

Finally, to scan using the custom policy, navigate to the directory you want to scan and use the -p (--policy-path) flag to point at the directory that holds the .rego and .json files:

terrascan scan -p /path/to/policies

Terrascan also allows you to exclude policies if you don’t want to comply with them.

For example, if I did not want to use resource locks with the Azure resource group I configured in Example 1, and I did not consider that a violation, I could exclude that policy from the scan so it was no longer flagged as an issue. To do this, use the --skip-rules flag with the rule IDs shown in the scan output, or use in-file instrumentation to skip policies on a particular resource.

Terrascan vs Checkov

On the face of it, Terrascan and Checkov are very similar. They are both open-source static code analysis tools designed for IaC security and compliance scanning.

Checkov focuses more on Terraform but is capable of scanning multiple types of files, including CloudFormation (and AWS SAM), Azure Resource Manager (ARM), Serverless framework, Helm charts, K8S, and Docker. Checkov is a community-driven project with active contributions and a strong presence in the DevSecOps community.

Checkov is built using Python, whereas Terrascan uses Go, and custom policies are written using Rego. If you would prefer using Rego to build your custom policies, then Terrascan is a good choice.

To learn more, check out What is Checkov.

Terrascan vs tfsec

tfsec is another open-source static code analysis tool, and another major option to consider.

Like Terrascan, tfsec is written in Go, but it uses YAML definitions for its custom policies, as opposed to the Rego used by Terrascan. Users familiar with K8S may prefer to write policies in YAML rather than learning Rego, which might be a reason to select tfsec.

It is also more popular than both Checkov and Terrascan in the community, having the most GitHub stars.

Read more about What is tfsec and how to integrate these tools with Spacelift using custom inputs.

Key points

As we’ve seen in this article, Terrascan is a versatile open-source static code analysis tool specialized in scanning IaC templates and configurations, effectively detecting security vulnerabilities and compliance breaches.

We encourage you also to explore how Spacelift makes it easy to work with Terraform. If you need any help managing your Terraform infrastructure, building more complex workflows based on Terraform, and managing AWS credentials per run, instead of using a static pair on your local machine, Spacelift is a fantastic tool for this. It supports Git workflows, policy as code, programmatic configuration, context sharing, drift detection, and many more great features right out of the box.
