Skip to content

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

License

Notifications You must be signed in to change notification settings

salexpdx/terrascan

 
 

Repository files navigation

Terrascan

GitHub release License: Apache 2.0 PRs Welcome CI codecov community Documentation Status Blimp demo badge

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

Features

  • 500+ Policies for security best practices
  • Scanning of Terraform 12+ (HCL2)
  • Scanning of Kubernetes YAML/JSON
  • Support for AWS, Azure, GCP, Kubernetes and GitHub

Installing

Terrascan's binary for your architecture can be found on the releases page. Here's an example of how to install it:

$ curl --location https://github.com/accurics/terrascan/releases/download/v1.1.0/terrascan_1.1.0_Darwin_x86_64.tar.gz --output terrascan.tar.gz
$ tar -xvf terrascan.tar.gz
  x CHANGELOG.md
  x LICENSE
  x README.md
  x terrascan
$ install terrascan /usr/local/bin
$ terrascan

If you have go installed, Terrascan can be installed with go get

$ export GO111MODULE=on
$ go get -u github.com/accurics/terrascan/cmd/terrascan
  go: downloading github.com/accurics/terrascan v1.1.0
  go: found github.com/accurics/terrascan/cmd/terrascan in github.com/accurics/terrascan v1.1.0
  ...
$ terrascan

Install via brew

Homebrew users can install by:

$ brew install terrascan

Docker

Terrascan is also available as a Docker image and can be used as follows

$ docker run accurics/terrascan

Building Terrascan

Terrascan can be built locally. This is helpful if you want to be on the latest version or when developing Terrascan.

$ git clone git@github.com:accurics/terrascan.git
$ cd terrascan
$ make build
$ ./bin/terrascan

Demoing

If you want to play around with Terrascan without running it locally, you can boot a personal demo copy from your browser without downloading or setting up anything.

  1. Click the demo link to boot this repo in the Blimp cloud.

  2. Once the sandbox is booted, get its public URL by clicking "Connect" on the terrascan service on the left.

    The page will 404, but that's OK because we just need the domain name to create our URL that we'll hit with curl.

  3. Run the following command in your terminal to scan a simple Terraform file. Make sure to replace <YOUR PUBLIC URL> with the URL from the previous step.

    curl -i -F "file=@-" https://<YOUR PUBLIC URL>/v1/terraform/v12/aws/local/file/scan << EOF
    variable "my-variable" {
      default = "default"
      type    = string
    }
    EOF
    

    The full URL will look something like https://a98c0197112b7a4a96b72ea21ac0802b.blimp.dev/v1/terraform/v12/aws/local/file/scan.

    The command will output something like this:

    {
      "ResourceConfig": {},
      "Violations": {
        "results": {
          "violations": [],
          "count": {
            "low": 0,
            "medium": 0,
            "high": 0,
            "total": 0
          }
        }
      }
    }
    

See the server mode docs for more information on how to use the server endpoints.

Getting started

To scan your code for security issues you can run the following

$ terrascan scan -t aws

Terrascan will exit 3 if any issues are found.

The following commands are available:

$ terrascan
Terrascan

An advanced IaC (Infrastructure-as-Code) file scanner written in Go.
Secure your cloud deployments at design time.
For more information, please visit https://www.accurics.com

Usage:
  terrascan [command]

Available Commands:
  help        Help about any command
  init        Initialize Terrascan
  scan        Scan IaC (Infrastructure-as-Code) files for vulnerabilities.
  server      Run Terrascan as an API server

Flags:
  -c, --config-path string   config file path
  -h, --help                 help for terrascan
  -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
  -x, --log-type string      log output type (console, json) (default "console")
  -o, --output-type string   output type (json, yaml, xml) (default "yaml")
  -v, --version              version for terrascan

Use "terrascan [command] --help" for more information about a command.

Documentation

To learn more about Terrascan check out the documentation https://docs.accurics.com where we include a getting started guide, Terrascan's architecture, a break down of it's commands, and a deep dive into policies.

Developing Terrascan

To learn more about developing and contributing to Terrascan refer to the contributing guide.

License

Terrascan is licensed under the Apache 2.0 License.

About

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Go 60.6%
  • Open Policy Agent 38.1%
  • Other 1.3%