# terrascan
## terrascan documentation
- Version in Mega-Linter: 1.12.0
- Visit Official Web Site
- See How to configure terrascan rules
- See Index of problems detected by terrascan
## Configuration in Mega-Linter
- Enable terrascan by adding `TERRAFORM_TERRASCAN` in the ENABLE_LINTERS variable
- Disable terrascan by adding `TERRAFORM_TERRASCAN` in the DISABLE_LINTERS variable
Variable | Description | Default value
---|---|---
TERRAFORM_TERRASCAN_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: `-s --foo "bar"` |
TERRAFORM_TERRASCAN_FILTER_REGEX_INCLUDE | Custom regex including filter. Ex: `(src\|lib)` | Include every file
TERRAFORM_TERRASCAN_FILTER_REGEX_EXCLUDE | Custom regex excluding filter. Ex: `(test\|examples)` | Exclude no file
TERRAFORM_TERRASCAN_CLI_LINT_MODE | Override default CLI lint mode. `file`: calls the linter for each file; `list_of_files`: calls the linter with the list of files as argument; `project`: calls the linter from the root of the project | {linter.cli_lint_mode}
TERRAFORM_TERRASCAN_FILE_EXTENSIONS | Allowed file extensions. `"*"` matches any extension, `""` matches empty extension. Empty list excludes all files. Ex: `[".py", ""]` | `[".tf"]`
TERRAFORM_TERRASCAN_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files. Ex: `["Dockerfile(-.+)?", "Jenkinsfile"]` | Include every file
TERRAFORM_TERRASCAN_PRE_COMMANDS | List of bash commands to run before the linter | None
TERRAFORM_TERRASCAN_POST_COMMANDS | List of bash commands to run after the linter | None
TERRAFORM_TERRASCAN_DISABLE_ERRORS | Run linter but consider errors as warnings | false
TERRAFORM_TERRASCAN_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0
## Mega-Linter Flavours
This linter is available in the following flavours

Flavor | Description | Embedded linters | Info
---|---|---|---
all | Default Mega-Linter Flavor | 94 |
terraform | Optimized for TERRAFORM based projects | 45 |
## Behind the scenes
### How are identified applicable files
- File extensions: `.tf`

### How the linting is performed
- terrascan is called once per identified file

### Example calls
```shell
terrascan scan -i terraform -t all -f myfile.tf
```
### Help content
```text
Terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
For more information, please visit https://docs.accurics.com

Usage:
  terrascan [command]

Available Commands:
  init        Initializes Terrascan and clones policies from the Terrascan GitHub repository.
  scan        Detect compliance and security violations across Infrastructure as Code.
  server      Run Terrascan as an API server
  version     Terrascan version

Flags:
  -c, --config-path string   config file path
  -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
  -x, --log-type string      log output type (console, json) (default "console")
  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif, github-sarif) (default "human")

Use "terrascan [command] --help" for more information about a command.
```
## Installation on mega-linter Docker image
- Dockerfile commands:
```dockerfile
FROM accurics/terrascan:latest as terrascan
COPY --from=terrascan /go/bin/terrascan /usr/bin/
RUN terrascan init
```
## Example success log
```text
Results of terrascan linter (version 1.2.0)
See documentation on https://nvuillam.github.io/mega-linter/descriptors/terraform_terrascan/
-----------------------------------------------

[SUCCESS] .automation/test/terraform_terrascan/good/terraform_good_1.tf
    results:
      violations: []
      count:
        low: 0
        medium: 0
        high: 0
        total: 0
```
## Example error log
```text
Results of terrascan linter (version 1.2.0)
See documentation on https://nvuillam.github.io/mega-linter/descriptors/terraform_terrascan/
-----------------------------------------------

[ERROR] .automation/test/terraform_terrascan/bad/terraform_bad_1.tf
    results:
      violations:
        - rule_name: instanceWithNoVpc
          description: Instance should be configured in vpc. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.
          rule_id: AWS.Instance.NetworkSecurity.Medium.0506
          severity: MEDIUM
          category: Network Security
          resource_name: instanceWithNoVpc
          resource_type: aws_instance
          file: terraform_bad_1.tf
          line: 1
        - rule_name: ec2UsingIMDSv1
          description: EC2 instances should disable IMDS or require IMDSv2
          rule_id: AC-AWS-NS-IN-M-1172
          severity: MEDIUM
          category: Network Security
          resource_name: instanceWithNoVpc
          resource_type: aws_instance
          file: terraform_bad_1.tf
          line: 1
      count:
        low: 0
        medium: 2
        high: 0
        total: 2
```
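The two findings in the error log above come from one `aws_instance` resource. The Terraform below is an added illustration, not the `terraform_bad_1.tf` test file from the Mega-Linter repository (which is not reproduced on this page): the first resource is written to trigger both rules, the second to pass them. The AMI and the `aws_subnet.private` / `aws_security_group.app` references are placeholders, and it is an assumption that the `instanceWithNoVpc` check is satisfied by a VPC subnet plus VPC security groups, since the rule text only says the instance "should be configured in vpc".

```hcl
# Constructed example of the resource shape that raises both findings.
resource "aws_instance" "instanceWithNoVpc" {
  ami           = "ami-PLACEHOLDER"
  instance_type = "t3.micro"
  # No subnet_id / vpc_security_group_ids -> instanceWithNoVpc
  # (AWS.Instance.NetworkSecurity.Medium.0506).
  # No metadata_options block -> ec2UsingIMDSv1 (AC-AWS-NS-IN-M-1172):
  # IMDSv1 answers unauthenticated GET requests, so any request-forgery bug
  # in a workload on the host can reach the instance role credentials.
}

# Hardened version of the same resource.
resource "aws_instance" "instance_in_vpc" {
  ami           = "ami-PLACEHOLDER"
  instance_type = "t3.micro"

  # Place the instance in a VPC subnet with VPC security groups
  # (assumption: this is what the instanceWithNoVpc check looks for).
  subnet_id              = aws_subnet.private.id        # hypothetical subnet
  vpc_security_group_ids = [aws_security_group.app.id]  # hypothetical SG

  # Require IMDSv2: metadata requests must carry a session token obtained
  # with a PUT, which a simple forged GET cannot do.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}
```

Running the example call from above (`terrascan scan -i terraform -t all -f <file>`) against each resource in its own file is the quickest way to confirm which of the two rules a given change actually clears, since the `count` block reports the remaining MEDIUM findings per file.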