terrascan
terrascan documentation
- Version in MegaLinter: 1.19.9
- Visit Official Web Site
- See How to configure terrascan rules
- See Index of problems detected by terrascan
Configuration in MegaLinter
- Enable terrascan by adding TERRAFORM_TERRASCAN in the ENABLE_LINTERS variable
- Disable terrascan by adding TERRAFORM_TERRASCAN in the DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
TERRAFORM_TERRASCAN_ARGUMENTS | User custom arguments to add to the linter CLI call. Ex: `-s --foo "bar"` | |
TERRAFORM_TERRASCAN_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from the command line before calling the linter. Ex: `-s --foo "bar"` | |
TERRAFORM_TERRASCAN_CLI_LINT_MODE | Override the default CLI lint mode. ⚠️ As the default value is project, overriding might not work. file: calls the linter for each file; list_of_files: calls the linter with the list of files as argument; project: calls the linter from the root of the project | project |
TERRAFORM_TERRASCAN_FILE_EXTENSIONS | Allowed file extensions. "*" matches any extension, "" matches empty extension. An empty list excludes all files. Ex: `[".py", ""]` | `[".tf"]` |
TERRAFORM_TERRASCAN_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. An empty list includes all files. Ex: `["Dockerfile(-.+)?", "Jenkinsfile"]` | Include every file |
TERRAFORM_TERRASCAN_PRE_COMMANDS | List of bash commands to run before the linter | None |
TERRAFORM_TERRASCAN_POST_COMMANDS | List of bash commands to run after the linter | None |
TERRAFORM_TERRASCAN_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling TERRAFORM_TERRASCAN and its pre/post commands | None |
TERRAFORM_TERRASCAN_CONFIG_FILE | terrascan configuration file name. Use LINTER_DEFAULT to let the linter find it | terrascan.toml |
TERRAFORM_TERRASCAN_RULES_PATH | Path where to find the linter configuration file | Workspace folder, then MegaLinter default rules |
TERRAFORM_TERRASCAN_DISABLE_ERRORS | Run the linter but consider errors as warnings | false |
TERRAFORM_TERRASCAN_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
TERRAFORM_TERRASCAN_CLI_EXECUTABLE | Override CLI executable | ['terrascan'] |
MegaLinter Flavors
This linter is available in the following flavors:
Flavor | Description | Embedded linters |
---|---|---|
all | Default MegaLinter Flavor | 124 |
cupcake | MegaLinter for the most commonly used languages | 83 |
security | Optimized for security | 24 |
terraform | Optimized for TERRAFORM based projects | 54 |
Behind the scenes
How applicable files are identified
- File extensions: .tf
How the linting is performed
- terrascan is called once on the whole project directory (project CLI lint mode)
- filtering cannot be done using MegaLinter configuration variables; it must be done using the terrascan configuration or ignore file (if existing)
- VALIDATE_ALL_CODEBASE: false doesn't make terrascan analyze only updated files
Example calls
terrascan scan -i terraform -t all -f myfile.tf
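As an added illustration (not MegaLinter's own code), the following Python models how the TERRAFORM_TERRASCAN_* variables from the configuration table shape the project-mode call and how the DISABLE_ERRORS variables turn a violation count into a run status. The command assembly, the use of terrascan's -c/--config-path flag for the config file, and the threshold comparison are assumptions derived from the variable descriptions, not MegaLinter's implementation.

```python
"""Model of how MegaLinter's TERRAFORM_TERRASCAN_* variables shape a terrascan run.

Illustrative only: this is not MegaLinter's implementation. Command assembly,
the use of terrascan's -c/--config-path flag and the threshold semantics are
assumptions derived from the variable descriptions in the configuration table.
"""
import shlex

# Project-mode call: the whole directory is scanned, so no per-file "-f".
DEFAULT_ARGS = ["scan", "-i", "terraform", "-t", "all"]


def build_command(env: dict) -> list:
    """Assemble the terrascan CLI call from the MegaLinter variables."""
    exe = env.get("TERRAFORM_TERRASCAN_CLI_EXECUTABLE", ["terrascan"])
    if isinstance(exe, str):
        exe = shlex.split(exe)
    cmd = list(exe) + DEFAULT_ARGS
    # CONFIG_FILE is passed via -c unless the linter should locate it itself (assumed).
    config = env.get("TERRAFORM_TERRASCAN_CONFIG_FILE", "terrascan.toml")
    if config != "LINTER_DEFAULT":
        cmd += ["-c", config]
    # User arguments are appended; shlex keeps quoted values such as --foo "bar" together.
    cmd += shlex.split(env.get("TERRAFORM_TERRASCAN_ARGUMENTS", ""))
    # Removal is token-wise: "-t all" drops both the flag and its value.
    remove = set(shlex.split(env.get("TERRAFORM_TERRASCAN_COMMAND_REMOVE_ARGUMENTS", "")))
    return [a for a in cmd if a not in remove]


def lint_status(violations: int, env: dict) -> str:
    """Map a violation count to a run status using the DISABLE_ERRORS variables."""
    if violations == 0:
        return "success"
    if str(env.get("TERRAFORM_TERRASCAN_DISABLE_ERRORS", "false")).lower() == "true":
        return "warning"  # findings are reported but do not fail the run
    threshold = int(env.get("TERRAFORM_TERRASCAN_DISABLE_ERRORS_IF_LESS_THAN", 0))
    if threshold > 0 and violations < threshold:
        return "warning"  # below the allowed maximum (assumed strict comparison)
    return "error"


if __name__ == "__main__":
    # Constructed sample configuration, as the values might appear in .mega-linter.yml.
    sample_env = {
        "TERRAFORM_TERRASCAN_ARGUMENTS": '-o sarif --foo "bar"',
        "TERRAFORM_TERRASCAN_COMMAND_REMOVE_ARGUMENTS": "-t all",
        "TERRAFORM_TERRASCAN_DISABLE_ERRORS_IF_LESS_THAN": "5",
    }
    print(" ".join(shlex.quote(a) for a in build_command(sample_env)))
    print(lint_status(3, sample_env))
```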
Help content
Terrascan
Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
For more information, please visit https://runterrascan.io/
Usage:
terrascan [command]
Available Commands:
init Initializes Terrascan and clones policies from the Terrascan GitHub repository.
scan Detect compliance and security violations across Infrastructure as Code.
server Run Terrascan as an API server
version Terrascan version
Flags:
-c, --config-path string config file path
-l, --log-level string log level (debug, info, warn, error, panic, fatal) (default "info")
--log-output-dir string directory path to write the log and output files
-x, --log-type string log output type (console, json) (default "console")
-o, --output string output type (human, json, yaml, xml, junit-xml, sarif, github-sarif) (default "human")
--temp-dir string temporary directory path to download remote repository,module and templates
Use "terrascan [command] --help" for more information about a command.
Installation on mega-linter Docker image
- Dockerfile commands:
# renovate: datasource=docker depName=tenable/terrascan
ARG TERRAFORM_TERRASCAN_VERSION=1.19.9
FROM tenable/terrascan:${TERRAFORM_TERRASCAN_VERSION} AS terrascan
COPY --link --from=terrascan /go/bin/terrascan /usr/bin/