
terrascan

terrascan documentation

terrascan - GitHub

Configuration in Mega-Linter

| Variable | Description | Default value |
| --- | --- | --- |
| TERRAFORM_TERRASCAN_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: `-s --foo "bar"` | |
| TERRAFORM_TERRASCAN_FILTER_REGEX_INCLUDE | Custom regex including filter. Ex: `(src\|lib)` | Include every file |
| TERRAFORM_TERRASCAN_FILTER_REGEX_EXCLUDE | Custom regex excluding filter. Ex: `(test\|examples)` | Exclude no file |
| TERRAFORM_TERRASCAN_CLI_LINT_MODE | Override default CLI lint mode: `file` (calls the linter for each file), `list_of_files` (calls the linter with the list of files as argument), `project` (calls the linter from the root of the project) | `file` |
| TERRAFORM_TERRASCAN_FILE_EXTENSIONS | Allowed file extensions. `"*"` matches any extension, `""` matches empty extension. Empty list excludes all files. Ex: `[".py", ""]` | `[".tf"]` |
| TERRAFORM_TERRASCAN_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files. Ex: `["Dockerfile(-.+)?", "Jenkinsfile"]` | Include every file |
| TERRAFORM_TERRASCAN_PRE_COMMANDS | List of bash commands to run before the linter | None |
| TERRAFORM_TERRASCAN_POST_COMMANDS | List of bash commands to run after the linter | None |
| TERRAFORM_TERRASCAN_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| TERRAFORM_TERRASCAN_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |

Mega-Linter Flavours

This linter is available in the following flavours

| Flavor | Description | Embedded linters |
| --- | --- | --- |
| all | Default Mega-Linter Flavor | 93 |
| terraform | Optimized for TERRAFORM based projects | 44 |

Behind the scenes

How applicable files are identified

  • File extensions: .tf

How the linting is performed

  • terrascan is called once per identified file

Example calls

terrascan scan -i terraform -t all -f myfile.tf
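
As an added illustration (not Mega-Linter's or terrascan's own code), the Python below mirrors how the TERRAFORM_TERRASCAN_* filter variables select applicable files, how the per-file `terrascan scan` call above is built, and how the `count` block of terrascan's output maps to a SUCCESS/WARNING/ERROR status. The sample file list is constructed; the combination rule (a file qualifies when its extension or its base name matches) and the strict "less than" threshold comparison are assumptions taken from the variable descriptions, not verified against Mega-Linter's source.

```python
import re
import shlex
from pathlib import PurePosixPath

# Constructed sample repository listing (not taken from the page).
SAMPLE_FILES = [
    "src/main.tf", "src/variables.tf", "lib/network.tf", "test/fixture.tf",
    "examples/demo.tf", "README.md", "Makefile",
]


def select_files(paths, extensions=(".tf",), include_regex=None,
                 exclude_regex=None, names_regex=()):
    """Apply the include/exclude regexes to the full path, then keep a file when
    its extension is allowed ("*" = any, "" = no extension) or its base name fully
    matches one of FILE_NAMES_REGEX. Assumption: extension OR name, not AND."""
    selected = []
    for p in paths:
        if include_regex and not re.search(include_regex, p):
            continue
        if exclude_regex and re.search(exclude_regex, p):
            continue
        path = PurePosixPath(p)
        by_ext = "*" in extensions or path.suffix in extensions
        by_name = any(re.fullmatch(r, path.name) for r in names_regex)
        if by_ext or by_name:
            selected.append(p)
    return selected


def build_command(path, extra_args=""):
    """One call per file ('file' lint mode); extra_args is the raw
    TERRAFORM_TERRASCAN_ARGUMENTS string, split like a shell would."""
    base = ["terrascan", "scan", "-i", "terraform", "-t", "all", "-f", path]
    return base + shlex.split(extra_args)


def classify(count, disable_errors=False, max_errors=0):
    """Map terrascan's 'count' block to a Mega-Linter style status.
    Assumption: DISABLE_ERRORS_IF_LESS_THAN downgrades errors to warnings only
    when the violation total is strictly below the threshold."""
    total = count.get("total", 0)
    if total == 0:
        return "SUCCESS"
    if disable_errors or total < max_errors:
        return "WARNING"
    return "ERROR"
```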

Help content

Terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
For more information, please visit https://docs.accurics.com

Usage:
  terrascan [command]

Available Commands:
  init        Initializes Terrascan and clones policies from the Terrascan GitHub repository.
  scan        Detect compliance and security violations across Infrastructure as Code.
  server      Run Terrascan as an API server
  version     Terrascan version

Flags:
  -c, --config-path string   config file path
  -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
  -x, --log-type string      log output type (console, json) (default "console")
  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif, github-sarif) (default "human")

Use "terrascan [command] --help" for more information about a command.

Installation on mega-linter Docker image

  • Dockerfile commands:

    FROM accurics/terrascan:latest as terrascan
    COPY --from=terrascan /go/bin/terrascan /usr/bin/
    RUN terrascan init

Example success log

Results of terrascan linter (version 1.2.0)
See documentation on https://nvuillam.github.io/mega-linter/descriptors/terraform_terrascan/
-----------------------------------------------

[SUCCESS] .automation/test/terraform_terrascan/good/terraform_good_1.tf
    results:
        violations: []
        count:
            low: 0
            medium: 0
            high: 0
            total: 0

Example error log

Results of terrascan linter (version 1.2.0)
See documentation on https://nvuillam.github.io/mega-linter/descriptors/terraform_terrascan/
-----------------------------------------------

[ERROR] .automation/test/terraform_terrascan/bad/terraform_bad_1.tf
    results:
        violations:
            - rule_name: instanceWithNoVpc
              description: Instance should be configured in vpc. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.
              rule_id: AWS.Instance.NetworkSecurity.Medium.0506
              severity: MEDIUM
              category: Network Security
              resource_name: instanceWithNoVpc
              resource_type: aws_instance
              file: terraform_bad_1.tf
              line: 1
            - rule_name: ec2UsingIMDSv1
              description: EC2 instances should disable IMDS or require IMDSv2
              rule_id: AC-AWS-NS-IN-M-1172
              severity: MEDIUM
              category: Network Security
              resource_name: instanceWithNoVpc
              resource_type: aws_instance
              file: terraform_bad_1.tf
              line: 1
        count:
            low: 0
            medium: 2
            high: 0
            total: 2