Tool
CLI
Cloud Security

terrascan

by tenable

5.2K stars
539 forks
70 watchers
Updated 5 months ago
About

Terrascan is a static code analyzer that detects compliance and security violations in Infrastructure as Code to prevent risks before cloud infrastructure provisioning.

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

Primary Use Case

Terrascan is primarily used by DevOps, security engineers, and cloud architects to scan Infrastructure as Code templates such as Terraform, CloudFormation, and Kubernetes manifests for misconfigurations and security vulnerabilities. It helps enforce security best practices and compliance policies early in the development lifecycle, integrating seamlessly into CI/CD pipelines or running locally to ensure secure cloud infrastructure deployment.

Key Features
  • 500+ built-in policies for security best practices
  • Supports scanning Terraform (HCL2), AWS CloudFormation, Azure ARM templates
  • Scans Kubernetes (JSON/YAML), Helm v3 charts, and Kustomize configurations
  • Dockerfile scanning for container security
  • Policy support for AWS, Azure, GCP, Kubernetes, Dockerfile, and GitHub
  • Monitors provisioned cloud infrastructure for configuration drift and enables reverting to secure posture
  • Integration with Docker image vulnerability scanning for AWS, Azure, GCP, and Harbor registries
  • Flexible usage: runs locally or integrates with CI/CD pipelines

Installation

  • Visit the Terrascan releases page at https://github.com/tenable/terrascan/releases to download the latest binary for your platform
  • Install as a native executable by running the curl command provided on the releases page
  • Alternatively, use the Terrascan Docker image for containerized usage

Usage

>_ terrascan scan

Scans the current directory containing Infrastructure as Code files for security and compliance violations

>_ terrascan scan -i terraform -t aws

Scans Terraform (HCL2) files specifically for AWS resources (-i selects the IaC type, -t the policy type; -p is the policy path, not the IaC type)

>_ terrascan scan -i cft

Scans AWS CloudFormation templates for misconfigurations

>_ terrascan scan -i arm

Scans Azure Resource Manager (ARM) templates

>_ terrascan scan -i k8s

Scans Kubernetes manifests in JSON or YAML format

>_ terrascan scan -i helm

Scans Helm v3 charts for security issues

>_ terrascan scan -i kustomize

Scans Kustomize configurations

>_ terrascan scan -i docker

Scans Dockerfiles for security best practices

Security Frameworks

  • Reconnaissance
  • Defense Evasion
  • Credential Access
  • Discovery
  • Impact

Usage Insights

  • Integrate Terrascan into CI/CD pipelines for early detection of IaC misconfigurations to prevent cloud infrastructure vulnerabilities.
  • Use Terrascan's drift detection feature to continuously monitor and revert unauthorized changes in cloud configurations, enhancing post-deployment security.
  • Combine Terrascan with container scanning tools to provide comprehensive security coverage from infrastructure provisioning to container deployment.
  • Leverage Terrascan's policy-as-code approach to customize compliance checks aligned with organizational security policies and regulatory requirements.
  • Employ Terrascan in purple team exercises to simulate misconfigurations and test detection and remediation workflows collaboratively.

Security Profile

  • Red Team: 30%
  • Blue Team: 90%
  • Purple Team: 70%

Details

  • License: Apache License 2.0
  • Language: Go
  • Open Issues: 444

Topics

security-tools
infrastructure-as-code
devsecops
devops
security
terraform
aws
cloudsecurity
cloud-security
terrascan