Fading Coder


Infrastructure as Code Security Scanning with Terrascan

Terrascan is a static analysis tool designed to detect security and compliance violations in Infrastructure as Code (IaC) before provisioning cloud resources. It supports multiple IaC formats including Terraform, Kubernetes manifests, Helm charts, and Dockerfiles.

Key Capabilities

  • Scan IaC for misconfigurations and policy violations
  • Enforce secure baseline configurations and detect configuration drift
  • Identify security weaknesses across cloud-native infrastructure
  • Integrate into CI/CD pipelines or run locally
  • Support for multiple output formats: human-readable, JSON, YAML, XML

Installation Methods

Direct Binary (Linux/macOS)

# Download latest release for macOS
LATEST_URL=$(curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | \
  grep -o 'https://.*_Darwin_x86_64.tar.gz' | head -1)
curl -L "$LATEST_URL" | tar xz terrascan
sudo mv terrascan /usr/local/bin/

Docker

# Run directly
docker run --rm accurics/terrascan version

# Create alias for convenience
alias terrascan='docker run --rm -it -v "$(pwd):/iac" -w /iac accurics/terrascan'

Basic Usage

The primary command is scan. The -i flag selects the IaC type (terraform is the default) and -t selects the cloud provider whose policy set is applied; -r and -u point the scanner at a remote source instead of the current directory:

# Scan Terraform in the current directory against the AWS policy set
terrascan scan -t aws

# Scan Kubernetes manifests
terrascan scan -i k8s

# Scan a Terraform directory inside a remote Git repository
terrascan scan -t aws -r git -u git@github.com:org/repo.git//path/to/tf

# Scan a Dockerfile
terrascan scan -i docker

API Server Mode

Terrascan can run as an HTTP server for programmatic access:

# Start server
terrascan server
# or via Docker
docker run --rm -p 9010:9010 accurics/terrascan server

Submit files for scanning via POST request:

curl -i -F "file=@example.tf" http://localhost:9010/v1/terraform/v14/aws/local/file/scan

The response carries one entry per violation plus a severity count; the excerpt below shows a single entry of a five-violation result:

{
  "results": {
    "violations": [
      {
        "rule_name": "cloudfrontNoGeoRestriction",
        "severity": "LOW",
        "category": "Network Security",
        "resource_type": "aws_cloudfront_distribution",
        "file": "example.tf",
        "line": 7
      }
    ],
    "count": { "low": 1, "medium": 1, "high": 3, "total": 5 }
  }
}

CI/CD Integration Example (GitLab CI)

stages:
  - validate

iac-scan:
  image:
    name: accurics/terrascan:latest
    entrypoint: ["/bin/sh", "-c"]
  stage: validate
  script:
    - /go/bin/terrascan scan .
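
The GitLab job above fails the stage on any finding because Terrascan exits non-zero when violations are present. When a pipeline should instead fail only at or above a chosen severity, or when files are submitted through the HTTP API described earlier, the JSON has to be evaluated by the caller. The following Python script is an added example, not code from the original post or from the Terrascan project: it posts a file to the server endpoint shown above (the same multipart form that curl -F builds), then applies a severity gate to the results.violations structure from the response excerpt. The endpoint URL, the timeout, the placeholder rule names in the constructed sample response and the assumption that the report has the shape shown on this page are all mine.

```python
import json
import uuid
import urllib.request

# Endpoint from the post; adjust host, port and the provider/IaC path segments to your setup.
SCAN_URL = "http://localhost:9010/v1/terraform/v14/aws/local/file/scan"

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample modelled on the response excerpt above. The rule names other than
# cloudfrontNoGeoRestriction are placeholders, not real Terrascan policy identifiers.
SAMPLE_RESPONSE = json.dumps({
    "results": {
        "violations": [
            {"rule_name": "cloudfrontNoGeoRestriction", "severity": "LOW",
             "category": "Network Security",
             "resource_type": "aws_cloudfront_distribution",
             "file": "example.tf", "line": 7},
            {"rule_name": "placeholderMediumRule", "severity": "MEDIUM",
             "category": "Logging", "resource_type": "aws_s3_bucket",
             "file": "example.tf", "line": 15},
            {"rule_name": "placeholderHighRule", "severity": "HIGH",
             "category": "Data Protection", "resource_type": "aws_s3_bucket",
             "file": "example.tf", "line": 15},
        ],
        "count": {"low": 1, "medium": 1, "high": 1, "total": 3},
    }
})


def encode_multipart(filename, content, field="file"):
    """Build a multipart/form-data body equivalent to curl's -F "file=@<path>".
    Returns (body_bytes, content_type_header_value)."""
    boundary = uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


def submit_scan(path, url=SCAN_URL):
    """POST one IaC file to a running `terrascan server` and return the parsed JSON."""
    with open(path, "rb") as fh:
        body, ctype = encode_multipart(path.rsplit("/", 1)[-1], fh.read())
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": ctype})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def parse_report(text):
    """Parse a JSON report (from the API, or saved from a CLI run) into a dict."""
    return json.loads(text)


def violations(report):
    """Return the violations list of a report; missing keys count as no findings."""
    return report.get("results", {}).get("violations", []) or []


def evaluate_gate(report, fail_at="HIGH"):
    """Decide whether a pipeline stage should fail.

    Returns (passed, blocking) where blocking lists the findings whose severity is at
    or above fail_at. A severity the ranking does not know is treated as blocking, so
    a new or misspelled level cannot slip through the gate unnoticed."""
    threshold = SEVERITY_RANK[fail_at.upper()]
    blocking = [v for v in violations(report)
                if SEVERITY_RANK.get(str(v.get("severity", "")).upper(), 99) >= threshold]
    return len(blocking) == 0, blocking


def format_blocking(blocking):
    """One grep-friendly line per blocking finding: file:line SEVERITY rule (resource)."""
    return [f"{v.get('file')}:{v.get('line')} {v.get('severity')} "
            f"{v.get('rule_name')} ({v.get('resource_type')})" for v in blocking]


if __name__ == "__main__":
    import sys
    # With a path argument the file is sent to the server; without one the constructed
    # sample is evaluated so the gating logic can be tried offline.
    report = submit_scan(sys.argv[1]) if len(sys.argv) > 1 else parse_report(SAMPLE_RESPONSE)
    passed, blocking = evaluate_gate(report, fail_at="HIGH")
    print("\n".join(format_blocking(blocking)) or "no blocking findings")
    sys.exit(0 if passed else 1)
```

Run as `python gate.py example.tf` against a server started with `terrascan server`; the exit status is 1 whenever a HIGH finding is present, which is what a CI runner needs. The unknown-severity rule in evaluate_gate is deliberate: a gate that only matches the levels it expects fails open when the tool adds a level or a field is empty.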

Scanning Terraform Configurations

Terrascan can analyze both raw .tf files and the JSON form of a Terraform plan. Scanning the plan is worthwhile because it contains the values Terraform actually resolved from variables and modules, which a scan of the raw source cannot see:

# Option 1: Scan a directory containing .tf files (-d; the current directory is the default)
terrascan scan -d ./terraform/

# Option 2: Generate a plan, export it as JSON, and scan the JSON as IaC type tfplan
terraform plan -out=tfplan.binary
terraform show -json tfplan.binary > tfplan.json
terrascan scan -i tfplan -f tfplan.json

This process surfaces misconfigurations such as missing encryption, insufficient logging, or insecure network policies before infrastructure is deployed.
