Skip to content

terrascan

GitHub last commit

terrascan documentation

terrascan - GitHub

Configuration in MegaLinter

Variable Description Default value
TERRAFORM_TERRASCAN_ARGUMENTS User custom arguments to add in linter CLI call
Ex: -s --foo "bar"
TERRAFORM_TERRASCAN_FILE_EXTENSIONS Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all files
Ex: [".py", ""]
[".tf"]
TERRAFORM_TERRASCAN_FILE_NAMES_REGEX File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files
Ex: ["Dockerfile(-.+)?", "Jenkinsfile"]
Include every file
TERRAFORM_TERRASCAN_PRE_COMMANDS List of bash commands to run before the linter None
TERRAFORM_TERRASCAN_POST_COMMANDS List of bash commands to run after the linter None
TERRAFORM_TERRASCAN_CONFIG_FILE terrascan configuration file name
Use LINTER_DEFAULT to let the linter find it
terrascan-config.toml
TERRAFORM_TERRASCAN_RULES_PATH Path where to find linter configuration file Workspace folder, then MegaLinter default rules
TERRAFORM_TERRASCAN_DISABLE_ERRORS Run linter but consider errors as warnings false
TERRAFORM_TERRASCAN_DISABLE_ERRORS_IF_LESS_THAN Maximum number of errors allowed 0

MegaLinter Flavours

This linter is available in the following flavours

Flavor Description Embedded linters Info
all Default MegaLinter Flavor 97 Docker Image Size (tag) Docker Pulls
terraform Optimized for TERRAFORM based projects 47 Docker Image Size (tag) Docker Pulls

Behind the scenes

How are identified applicable files

  • File extensions: .tf

How the linting is performed

terrascan is called once on the whole project directory

  • filtering can not be done using MegaLinter configuration variables,it must be done using terrascan configuration or ignore file (if existing)
  • VALIDATE_ALL_CODEBASE: false does not make terrascan analyze only updated files

Example calls

terrascan scan -i terraform -t all -f myfile.tf

Help content

Terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
For more information, please visit https://docs.accurics.com

Usage:
  terrascan [command]

Available Commands:
  init        Initializes Terrascan and clones policies from the Terrascan GitHub repository.
  scan        Detect compliance and security violations across Infrastructure as Code.
  server      Run Terrascan as an API server
  version     Terrascan version

Flags:
  -c, --config-path string   config file path
  -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
  -x, --log-type string      log output type (console, json) (default "console")
  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif, github-sarif) (default "human")
      --temp-dir string      temporary directory path to download remote repository,module and templates

Use "terrascan [command] --help" for more information about a command.

Installation on mega-linter Docker image

  • Dockerfile commands :
FROM accurics/terrascan:latest as terrascan
COPY --from=terrascan /go/bin/terrascan /usr/bin/

Example success log

Results of terrascan linter (version 1.2.0)
See documentation on https://megalinter.github.io/descriptors/terraform_terrascan/
-----------------------------------------------

[SUCCESS] .automation/test/terraform_terrascan/good/terraform_good_1.tf
    results:
        violations: []
        count:
            low: 0
            medium: 0
            high: 0
            total: 0

Example error log

Results of terrascan linter (version 1.2.0)
See documentation on https://megalinter.github.io/descriptors/terraform_terrascan/
-----------------------------------------------

[ERROR] .automation/test/terraform_terrascan/bad/terraform_bad_1.tf
    results:
        violations:
            - rule_name: instanceWithNoVpc
              description: Instance should be configured in vpc. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.
              rule_id: AWS.Instance.NetworkSecurity.Medium.0506
              severity: MEDIUM
              category: Network Security
              resource_name: instanceWithNoVpc
              resource_type: aws_instance
              file: terraform_bad_1.tf
              line: 1
            - rule_name: ec2UsingIMDSv1
              description: EC2 instances should disable IMDS or require IMDSv2
              rule_id: AC-AWS-NS-IN-M-1172
              severity: MEDIUM
              category: Network Security
              resource_name: instanceWithNoVpc
              resource_type: aws_instance
              file: terraform_bad_1.tf
              line: 1
        count:
            low: 0
            medium: 2
            high: 0
            total: 2