# terrascan

terrascan documentation

- Version in Mega-Linter: 1.3.1
- Visit Official Web Site
- See How to configure terrascan rules
- See Index of problems detected by terrascan
## Configuration in Mega-Linter

- Enable terrascan by adding `TERRAFORM_TERRASCAN` in ENABLE_LINTERS variable
- Disable terrascan by adding `TERRAFORM_TERRASCAN` in DISABLE_LINTERS variable
| Variable | Description | Default value |
|---|---|---|
| TERRAFORM_TERRASCAN_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: `-s --foo "bar"` | |
| TERRAFORM_TERRASCAN_FILTER_REGEX_INCLUDE | Custom regex including filter. Ex: `(src\|lib)` | Include every file |
| TERRAFORM_TERRASCAN_FILTER_REGEX_EXCLUDE | Custom regex excluding filter. Ex: `(test\|examples)` | Exclude no file |
| TERRAFORM_TERRASCAN_FILE_EXTENSIONS | Allowed file extensions. `"*"` matches any extension, `""` matches empty extension. Empty list excludes all files. Ex: `[".py", ""]` | `[".tf"]` |
| TERRAFORM_TERRASCAN_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files. Ex: `["Dockerfile(-.+)?", "Jenkinsfile"]` | Include every file |
| TERRAFORM_TERRASCAN_DISABLE_ERRORS | Run linter but consider errors as warnings | `false` |
## Mega-Linter Flavours

This linter is available in the following flavours:

| Flavor | Description | Embedded linters | Info |
|---|---|---|---|
| all | Default Mega-Linter Flavor | 83 | |
| terraform | Optimized for TERRAFORM based projects | 39 | |
## Behind the scenes

### How applicable files are identified

- File extensions: `.tf`

### Example calls

```shell
terrascan scan -i terraform -t all -f myfile.tf
```
### Help content

```text
Terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
For more information, please visit https://docs.accurics.com

Usage:
  terrascan [command]

Available Commands:
  init        Initialize Terrascan
  scan        Detect compliance and security violations across Infrastructure as Code.
  server      Run Terrascan as an API server
  version     Terrascan version

Flags:
  -c, --config-path string   config file path
  -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
  -x, --log-type string      log output type (console, json) (default "console")
  -o, --output string        output type (human, json, yaml, xml) (default "human")

Use "terrascan [command] --help" for more information about a command.
```
### Installation on mega-linter Docker image

- Dockerfile commands:

```dockerfile
FROM accurics/terrascan:latest as terrascan
COPY --from=terrascan /go/bin/terrascan /usr/bin/
RUN terrascan init
```
### Example success log

```shell
Results of terrascan linter (version 1.2.0)
See documentation on https://nvuillam.github.io/mega-linter/descriptors/terraform_terrascan/
-----------------------------------------------

[SUCCESS] .automation/test/terraform_terrascan/good/terraform_good_1.tf
    results:
      violations: []
      count:
        low: 0
        medium: 0
        high: 0
        total: 0
```
### Example error log

```shell
Results of terrascan linter (version 1.2.0)
See documentation on https://nvuillam.github.io/mega-linter/descriptors/terraform_terrascan/
-----------------------------------------------

[ERROR] .automation/test/terraform_terrascan/bad/terraform_bad_1.tf
    results:
      violations:
        - rule_name: instanceWithNoVpc
          description: Instance should be configured in vpc. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.
          rule_id: AWS.Instance.NetworkSecurity.Medium.0506
          severity: MEDIUM
          category: Network Security
          resource_name: instanceWithNoVpc
          resource_type: aws_instance
          file: terraform_bad_1.tf
          line: 1
        - rule_name: ec2UsingIMDSv1
          description: EC2 instances should disable IMDS or require IMDSv2
          rule_id: AC-AWS-NS-IN-M-1172
          severity: MEDIUM
          category: Network Security
          resource_name: instanceWithNoVpc
          resource_type: aws_instance
          file: terraform_bad_1.tf
          line: 1
      count:
        low: 0
        medium: 2
        high: 0
        total: 2
```
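The error log above is a YAML rendering of terrascan's report; the same data is available as JSON through the `-o json` flag listed in the help content. Mega-Linter's `TERRAFORM_TERRASCAN_DISABLE_ERRORS` either fails the run on any finding or downgrades all of them to warnings, with nothing in between. The following script is an added example, not part of Mega-Linter or terrascan: it reads a terrascan JSON report, keeps only violations at or above a chosen severity, drops explicitly suppressed `rule_id`s, and returns a pass/fail exit code. It assumes the JSON report mirrors the `results` / `violations` / `count` layout shown in the YAML logs; the embedded sample report is constructed from the two violations in the error log, not taken from a real scan.

```python
"""Severity gate for terrascan JSON reports (added example, not Mega-Linter code).

Assumes `terrascan scan -i terraform -t all -o json` produces a document shaped like
the YAML in the Mega-Linter logs: {"results": {"violations": [...], "count": {...}}}.
"""
import json
import sys
from collections import Counter

# Rank terrascan's severity labels so a threshold comparison is possible.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample report transcribed from the error log above (not a real scan result).
SAMPLE_REPORT = json.dumps({
    "results": {
        "violations": [
            {"rule_name": "instanceWithNoVpc",
             "description": "Instance should be configured in vpc.",
             "rule_id": "AWS.Instance.NetworkSecurity.Medium.0506",
             "severity": "MEDIUM", "category": "Network Security",
             "resource_name": "instanceWithNoVpc", "resource_type": "aws_instance",
             "file": "terraform_bad_1.tf", "line": 1},
            {"rule_name": "ec2UsingIMDSv1",
             "description": "EC2 instances should disable IMDS or require IMDSv2",
             "rule_id": "AC-AWS-NS-IN-M-1172",
             "severity": "MEDIUM", "category": "Network Security",
             "resource_name": "instanceWithNoVpc", "resource_type": "aws_instance",
             "file": "terraform_bad_1.tf", "line": 1},
        ],
        "count": {"low": 0, "medium": 2, "high": 0, "total": 2},
    }
})


def load_violations(report_text):
    """Parse a terrascan JSON report and return its violations (empty list if none)."""
    report = json.loads(report_text)
    # A clean scan has `violations: []`; tolerate a missing or null list as well.
    return report.get("results", {}).get("violations") or []


def filter_violations(violations, min_severity="MEDIUM", suppressed_rules=()):
    """Keep violations at or above min_severity whose rule_id is not suppressed."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    return [
        v for v in violations
        if SEVERITY_RANK.get(str(v.get("severity", "")).upper(), 0) >= threshold
        and v.get("rule_id") not in suppressed_rules
    ]


def summarize(violations):
    """Count the kept violations per severity label and per rule_id."""
    by_severity = Counter(str(v.get("severity", "")).upper() for v in violations)
    by_rule = Counter(v.get("rule_id", "") for v in violations)
    return {"by_severity": dict(by_severity), "by_rule": dict(by_rule)}


def gate(report_text, min_severity="MEDIUM", suppressed_rules=()):
    """Return (exit_code, kept_violations): exit code 1 if anything survives the filter."""
    kept = filter_violations(load_violations(report_text), min_severity, suppressed_rules)
    return (1 if kept else 0), kept


def main(argv):
    # Usage: python gate.py [report.json] [MIN_SEVERITY] [rule_id,rule_id,...]
    # With no arguments the constructed sample report is gated at MEDIUM.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    min_sev = argv[2] if len(argv) > 2 else "MEDIUM"
    suppressed = tuple(argv[3].split(",")) if len(argv) > 3 else ()
    code, kept = gate(text, min_sev, suppressed)
    for v in kept:
        print(f"{v['file']}:{v['line']} [{v['severity']}] {v['rule_id']} "
              f"{v['resource_type']}.{v['resource_name']}")
    print(summarize(kept))
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample report, the gate fails (two MEDIUM findings at a MEDIUM threshold) and passes at HIGH; suppressing a `rule_id` is an explicit, reviewable exception rather than a blanket downgrade of every error to a warning.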