Going to AWS re:Invent 2024?

➡️ Book a meeting with Spacelift

Terraform

What is Terrascan? Features, Use Cases & Custom Policies

What is Terrascan

In this article, we will take a look at Terrascan – what it is, why you might use it, how to install it, and how to make use of its features. We will then take a look at some use case examples, showing how to use it to scan Terraform, Kubernetes (K8S), and Helm charts. We will also define some custom policies and see how Terrascan compares to other similar products, like Chekov and TFSec.

We will cover:

  1. What is Terrascan?
  2. What is Terrascan used for?
  3. Terrascan features
  4. How to install Terrascan
  5. How to use Terrascan to scan the IaC code
  6. Terrascan use cases — examples
  7. Terrascan custom policies
  8. Terrascan vs Checkov
  9. Terrascan vs tfsec

What is Terrascan?

Terrascan is a flexible and powerful open-source static code analysis tool designed for scanning infrastructure as code (IaC) templates and configurations. It helps identify security vulnerabilities, compliance violations, and best practice issues in the IaC code. It can be used with multiple types of configuration files, provides built-in policies, and also allows the use of custom policies using Rego. It can also be used in pipelines with CI/CD systems.

What is Terrascan used for?

Terrascan helps developers and DevOps teams ensure that their infrastructure code adheres to best practices, security standards, and compliance requirements. Terrascan provides 500+ out-of-the-box policies so that you can scan IaC against common policy standards such as the CIS Benchmark.

The Terrascan website tagline summarises Terrascan:

Detect compliance and security violations across Infrastructure as Code (IaC) to mitigate risk before provisioning cloud native infrastructure.

One of the keywords here is before. The goal of the Terrascan tool is to alert you to any compliance or security problems before the infrastructure is provisioned so you can remedy them and avoid any issues.

Terrascan features

Here are some of the most important Terrascan features:

1. Support for multiple IaC frameworks

Terrascan can be used with various cloud providers and types of code, including AWS, Azure, Google Cloud Platform (GCP), K8S, ArgoCD, Atlantis, GitHub, and Docker, making it versatile for cross-cloud infrastructure deployments.

2. Policies

Terrascan provides a library of predefined security and compliance rules that can be customized to match specific requirements. These rules cover various aspects of infrastructure security and compliance, such as encryption, access controls, resource configurations, and more. To view more on which policies are used by default, you can check the Terrascan policies documentation page.

3. Automated scanning

Terrascan can be integrated into CI/CD pipelines, IDEs (Integrated Development Environments), and other development and deployment workflows. This enables automated scanning and validation of IaC code as part of the development process.

4. Continuous monitoring of cloud infrastructure

Terrascan can be used for continuous monitoring of cloud infrastructure. It can be set up to regularly scan and check for any drifts or configuration changes that may introduce vulnerabilities or compliance issues.

5. Reporting and remediation

Terrascan generates detailed reports that highlight issues found during the analysis. It also provides guidance on how to remediate these issues, helping teams address security and compliance concerns effectively.

How to install Terrascan

Installing Terrascan on Windows

You can use the popular Windows package manager Chocolately or download and install it manually.

choco install terrascan

To install it manually:

  1. Download Terrascan from the release page.
  2. Extract the files from the zip file and add to the Windows path.
  3. Right-click on the Start Button.
  4. Select “System” from the context menu.
  5. Click “Advanced system settings”
  6. Go to the “Advanced” tab.
  7. Click “Environment Variables…”
  8. Click the variable called “Path” and click “Edit…”
  9. Click “New”
  10. Enter the path to the folder containing the Terrascan files you want on your PATH.

Installing Terrascan on MacOs

For macOs use:

curl -L "$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o -E "https://.+?_Darwin_x86_64.tar.gz")" > terrascan.tar.gz
tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz
install terrascan /usr/local/bin && rm terrascan
sudo install terrascan /usr/local/bin

Installing Terrascan on Linux

For Linux:

curl -L "$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz
tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz
install terrascan /usr/local/bin && rm terrascan
sudo install terrascan /usr/local/bin

Installing Terrascan with Docker

You can also pull the image from the Docker Hub:

$ docker run --rm tenable/terrascan version

Once installed run terrascan on your command line to check it is installed.

terrascan install

How to use Terrascan to scan the IaC code

To scan your code, simply navigate to the folder that contains your configuration files and run:

terrascan scan

You can also pass in the directory you want to scan with the --c option.

The first time using Terrascan, if the -p flag is not specified, Terrascan will download the latest policies from the Terrascan repository. You can update your local environment to the latest policies published in the repository by running terrascan init.

Terrascan use cases — examples

You can use Terrascan with multiple types of configuration files. Here are a few examples to get you up and running.

Example 1 — Scanning Terraform code

Let’s look at an example Terraform configuration for Azure that simply creates a resource group:

main.tf

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "East US"
}

Save the file, navigate to the directory that contains it, and run terrascan scan.

In the output, you should see that Terrscan detects one policy violation and advises that resource locks should be enabled on the resource group with a LOW severity.

terrascan software

Example 2 — Scanning Helm charts

To test Terrascan with a Helm chart, we will create a new chart called demo-chart:

helm create demo-chart

Next, we will edit the values.yaml file to include the following lines to add some extra vulnerabilities that Terrscan can report:

terrascan

Navigate to the directory that contains your values.yaml file and run terrascan scan. You should see multiple reported violated policies, including two with HIGH severity that we caused by adding the securityContext lines above.

terrascan helm

Example 3 — Scanning Kubernetes manifests

To test scan Kubernetes manifests with Terrascan, we will create a simple file for an nginx deployment:

nginx.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80

Navigate to the folder containing the nginx.yaml file and run terrascan scan.

Here, in the output, yuu should see multiple recommendations from Terrascan, including two HIGH priority issues (‘Minimize Admission of Root Containers’ and ‘Containers Should Not Run with AllowPrivilegeEscalation’).

terrascan manual

Example 4 — Integrating Terrascan with ArgoCD

Terrascan can be integrated with popular CI/CD systems, such as Azure DevOps, GitHub, GitLab, and Argo.

In the case of ArgoCD, Terrascan can integrated in two ways:

  • Configured as an Argo CD job during the application pre-sync process using ArgoCD’s resource hook.
  • Using Terrascan’s K8S admission controller along with a pre-sync that scans a configured repository with the admission controller webhook.

 

Terrascan custom policies

Terrascan leverages the Open Policy Agent (OPA) engine so that you can easily create custom policies using the Rego query language. With each rego policy, a JSON “rule” file is included, which defines metadata for the policy. Policies included within Terrascan are stored in the pkg/policies/opa/rego directory.

The rule.json file is a configuration file that references the custom policies defined in Rego files. It allows you to control which policies are applied and their severity levels during a Terrascan scan. Your custom policy logic and rules are defined in the .rego file, while the rule.json file specifies how to apply and configure those policies.

The policy example below enforces Azure resources to be in “UK South” or “UK West” only. If resources are found elsewhere, it will be reported by Terrascan.

azure_region_policy.rego

package main

import input.tfplan as tfplan

default allow = false

allowed_regions = ["UK South", "UK West"]

# Iterate over all Azure resources in the Terraform plan.
azure_resources[resource_name] {
    resource_name = input.tfplan.resource_changes[_].address
    input.tfplan.resource_changes[_].type == "azurerm_resource"
}

# Check if the region of each Azure resource is allowed.
allow {
    resource_name
    resource_config := input.tfplan.resource_changes[resource_name].change.after
    resource_config.location == allowed_region
    allowed_region = allowed_regions[_]
}

To enable the custom policy the rule.json file is used to configure the behavior of Terrascan and specify which policies should be applied during a scan.

rule.json

{
  "rules": {
    "azure_region_policy": {
      "severity": "HIGH",
      "message": "Azure resources should be deployed in 'UK South' or 'UK West' regions.",
      "rules_file": "azure_region_policy.rego"
    }
  }
}

Finally, to scan using the custom policy, navigate to the directory you want to scan and use the -rules flag to specify the path to your JSON file.

terrascan scan -rules /path/to/rule.json

Terrascan also allows you to exclude policies if you don’t want to comply with them.

For example, if I did not want to use resource locks with my Azure resource group that I configured in Example 1, and I did not consider that a violation, I could exclude that policy from the scan so it was no longer flagged as an issue. To do this, use the -skip-rules flag or using in-file instrumentation to skip policies on a particular resource.

Terrascan vs Checkov

On the face of it, Terrascan and Checkov are very similar. They are both open-source static code analysis tools designed for IaC security and compliance scanning.

Checkov focuses more on Terraform but is capable of scanning multiple types of files, including CloudFormation (and AWS SAM), Azure Resource Manager (ARM), Serverless framework, Helm charts, K8S, and Docker. Checkov is a community-driven project with active contributions and a strong presence in the DevSecOps community.

Checkov is built using Python, whereas Terrascan uses Go, and custom policies are written using Rego. If you would prefer using Rego to build your custom policies, then Terrascan is a good choice.

To learn more, check out What is Checkov.

Terrascan vs tfsec

Tfsec is another open-source static code analysis tool, and another major option to consider.

Like Terrascan, TFSec is written in GO and uses YAML definitions for its custom policies as opposed to Rego used by Terrascan. Users familiar with K8S may prefer to write policies using YAML rather than learning Rego, which might be a reason to select TFSec.

It is also the most popular project than both Checkov and Terrascan in the community, having the most GitHub stars.

Read more about What is tfsec and how to integrate these tools with Spacelift using custom inputs.

Key points

As we’ve seen in this article, Terrascan is a versatile open-source static code analysis tool specialized in scanning IaC templates and configurations, effectively detecting security vulnerabilities and compliance breaches.

We encourage you also to explore how Spacelift makes it easy to work with Terraform. If you need any help managing your Terraform infrastructure, building more complex workflows based on Terraform, and managing AWS credentials per run, instead of using a static pair on your local machine, Spacelift is a fantastic tool for this. It supports Git workflows, policy as code, programmatic configuration, context sharing, drift detection, and many more great features right out of the box.

The most flexible management platform for Infrastructure as Code

Spacelift allows you to automate, audit, secure, and continuously deliver your infrastructure. It helps overcome common state management issues and adds several must-have features for infrastructure management.

Start free trial

The Practitioner’s Guide to Scaling Infrastructure as Code

Transform your IaC management to scale

securely, efficiently, and productively

into the future.

ebook global banner
Share your data and download the guide