
terrascan documentation

terrascan - GitHub

Configuration in MegaLinter

| Variable | Description | Default value |
|----------|-------------|---------------|
| TERRAFORM_TERRASCAN_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: -s --foo "bar" | |
| TERRAFORM_TERRASCAN_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter. Ex: -s --foo "bar" | |
| TERRAFORM_TERRASCAN_FILE_EXTENSIONS | Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all files. Ex: [".py", ""] | |
| TERRAFORM_TERRASCAN_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files. Ex: ["Dockerfile(-.+)?", "Jenkinsfile"] | Include every file |
| TERRAFORM_TERRASCAN_PRE_COMMANDS | List of bash commands to run before the linter | None |
| TERRAFORM_TERRASCAN_POST_COMMANDS | List of bash commands to run after the linter | None |
| TERRAFORM_TERRASCAN_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling TERRAFORM_TERRASCAN and its pre/post commands | None |
| TERRAFORM_TERRASCAN_CONFIG_FILE | terrascan configuration file name. Use LINTER_DEFAULT to let the linter find it | terrascan-config.toml |
| TERRAFORM_TERRASCAN_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
| TERRAFORM_TERRASCAN_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| TERRAFORM_TERRASCAN_CLI_EXECUTABLE | Override CLI executable | ['terrascan'] |

MegaLinter Flavours

This linter is available in the following flavours

| Flavor | Description | Embedded linters |
|--------|-------------|------------------|
| all | Default MegaLinter Flavor | 125 |
| cupcake | MegaLinter for the most commonly used languages | 84 |
| security | Optimized for security | 24 |
| terraform | Optimized for TERRAFORM based projects | 56 |

Behind the scenes

How applicable files are identified

  • File extensions: .tf

How the linting is performed

terrascan is called once on the whole project directory (project CLI lint mode)

  • filtering cannot be done using MegaLinter configuration variables; it must be done using terrascan configuration or ignore file (if existing)
  • VALIDATE_ALL_CODEBASE: false doesn't make terrascan analyze only updated files
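
Because filtering has to live in terrascan's own configuration, here is an added example (not taken from the MegaLinter or terrascan documentation on this page) of a terrascan-config.toml placed in the workspace folder, where the TERRAFORM_TERRASCAN_CONFIG_FILE and TERRAFORM_TERRASCAN_RULES_PATH defaults above look for it. The `[severity]` and `[rules]` sections follow terrascan's config file format; the rule ID is a placeholder, not a real policy ID.

```toml
# terrascan-config.toml (added example; values are assumptions to adapt)
# Picked up by MegaLinter through TERRAFORM_TERRASCAN_CONFIG_FILE
# (default: terrascan-config.toml, searched in the workspace folder first).

# Report only violations at or above this severity.
# Accepted values: "low", "medium", "high".
[severity]
level = "medium"

[rules]
    # Rules that are never evaluated. Keep this list short and record the
    # reason for each entry, since a skipped rule is silent in every scan
    # output, including SARIF uploaded to code scanning.
    skip-rules = [
        "PLACEHOLDER_RULE_ID"  # placeholder: replace with a rule ID from your scan output
    ]
```

Every skip here applies to the whole project on each run, because terrascan is called once on the project directory, so review changes to this file the same way as changes to the Terraform code itself.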

Example calls

terrascan scan -i terraform -t all -f

Help content


Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
For more information, please visit

  terrascan [command]

Available Commands:
  init        Initializes Terrascan and clones policies from the Terrascan GitHub repository.
  scan        Detect compliance and security violations across Infrastructure as Code.
  server      Run Terrascan as an API server
  version     Terrascan version

  -c, --config-path string      config file path
  -l, --log-level string        log level (debug, info, warn, error, panic, fatal) (default "info")
      --log-output-dir string   directory path to write the log and output files
  -x, --log-type string         log output type (console, json) (default "console")
  -o, --output string           output type (human, json, yaml, xml, junit-xml, sarif, github-sarif) (default "human")
      --temp-dir string         temporary directory path to download remote repository,module and templates

Use "terrascan [command] --help" for more information about a command.

Installation on mega-linter Docker image

  • Dockerfile commands :
# renovate: datasource=docker depName=alpine/terragrunt
FROM tenable/terrascan:${TERRAFORM_TERRASCAN_VERSION} as terrascan
COPY --link --from=terrascan /go/bin/terrascan /usr/bin/