terrascan

terrascan documentation

Version in Mega-Linter: 1.12.0
Visit Official Web Site
See How to configure terrascan rules
See Index of problems detected by terrascan

Configuration in Mega-Linter

Enable terrascan by adding TERRAFORM_TERRASCAN in ENABLE_LINTERS variable
Disable terrascan by adding TERRAFORM_TERRASCAN in DISABLE_LINTERS variable

Variable	Description	Default value
TERRAFORM_TERRASCAN_ARGUMENTS	User custom arguments to add in linter CLI call Ex: `-s --foo "bar"`
TERRAFORM_TERRASCAN_FILTER_REGEX_INCLUDE	Custom regex including filter Ex: `(src\\|lib)`	Include every file
TERRAFORM_TERRASCAN_FILTER_REGEX_EXCLUDE	Custom regex excluding filter Ex: `(test\\|examples)`	Exclude no file
TERRAFORM_TERRASCAN_CLI_LINT_MODE	Override default CLI lint mode - `file`: Calls the linter for each file - `list_of_files`: Call the linter with the list of files as argument - `project`: Call the linter from the root of the project	`{linter.cli_lint_mode}`
TERRAFORM_TERRASCAN_FILE_EXTENSIONS	Allowed file extensions. `"*"` matches any extension, `""` matches empty extension. Empty list excludes all files Ex: `[".py", ""]`	`[".tf"]`
TERRAFORM_TERRASCAN_FILE_NAMES_REGEX	File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files Ex: `["Dockerfile(-.+)?", "Jenkinsfile"]`	Include every file
TERRAFORM_TERRASCAN_PRE_COMMANDS	List of bash commands to run before the linter	None
TERRAFORM_TERRASCAN_POST_COMMANDS	List of bash commands to run after the linter	None
TERRAFORM_TERRASCAN_DISABLE_ERRORS	Run linter but consider errors as warnings	`false`
TERRAFORM_TERRASCAN_DISABLE_ERRORS_IF_LESS_THAN	Maximum number of errors allowed	`0`

Mega-Linter Flavours

This linter is available in the following flavours

	Flavor	Description	Embedded linters	Info
	all	Default Mega-Linter Flavor	94
	terraform	Optimized for TERRAFORM based projects	45

Behind the scenes

How are identified applicable files

File extensions: .tf

How the linting is performed

terrascan is called one time by identified file

Example calls

terrascan scan -i terraform -t all -f myfile.tf

Help content

Terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
For more information, please visit https://docs.accurics.com

Usage:
  terrascan [command]

Available Commands:
  init        Initializes Terrascan and clones policies from the Terrascan GitHub repository.
  scan        Detect compliance and security violations across Infrastructure as Code.
  server      Run Terrascan as an API server
  version     Terrascan version

Flags:
  -c, --config-path string   config file path
  -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
  -x, --log-type string      log output type (console, json) (default "console")
  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif, github-sarif) (default "human")

Use "terrascan [command] --help" for more information about a command.

Installation on mega-linter Docker image

Dockerfile commands :

FROM accurics/terrascan:latest as terrascan
COPY --from=terrascan /go/bin/terrascan /usr/bin/
RUN terrascan init

Example success log

Results of terrascan linter (version 1.2.0)
See documentation on https://nvuillam.github.io/mega-linter/descriptors/terraform_terrascan/
-----------------------------------------------

[SUCCESS] .automation/test/terraform_terrascan/good/terraform_good_1.tf
    results:
        violations: []
        count:
            low: 0
            medium: 0
            high: 0
            total: 0

Example error log

Results of terrascan linter (version 1.2.0)
See documentation on https://nvuillam.github.io/mega-linter/descriptors/terraform_terrascan/
-----------------------------------------------

[ERROR] .automation/test/terraform_terrascan/bad/terraform_bad_1.tf
    results:
        violations:
            - rule_name: instanceWithNoVpc
              description: Instance should be configured in vpc. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.
              rule_id: AWS.Instance.NetworkSecurity.Medium.0506
              severity: MEDIUM
              category: Network Security
              resource_name: instanceWithNoVpc
              resource_type: aws_instance
              file: terraform_bad_1.tf
              line: 1
            - rule_name: ec2UsingIMDSv1
              description: EC2 instances should disable IMDS or require IMDSv2
              rule_id: AC-AWS-NS-IN-M-1172
              severity: MEDIUM
              category: Network Security
              resource_name: instanceWithNoVpc
              resource_type: aws_instance
              file: terraform_bad_1.tf
              line: 1
        count:
            low: 0
            medium: 2
            high: 0
            total: 2