Terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

Tags: Multi-Cloud, Open Source, Self Hosted + Cloud Options
Category: DevSecOps & Pipeline Security
Community Stars: 4793
Last Commit: 4 months ago
Last page update: 19 days ago
Pricing Details: Free and open-source
Target Audience: DevOps teams, security engineers, and compliance officers.

Terrascan addresses the critical security and compliance challenges inherent in infrastructure as code (IaC) by scanning for vulnerabilities and misconfigurations before provisioning cloud-native infrastructure. The tool supports various IaC formats, including Terraform, Kubernetes, Helm, and Kustomize.

Technically, Terrascan's architecture is built around a modular design that allows for easy integration with CI/CD pipelines. It can be run as a GitHub Action, using a Docker image that accepts multiple inputs such as the IaC type, the IaC version, and the policy type. This flexibility enables scans tailored to a specific cloud provider (e.g., AWS, Azure, GCP) and to custom policies defined in a policy path directory.

Operationally, Terrascan can be configured to scan directories and modules recursively or non-recursively, and it supports skipping specific rules and uploading scan results in SARIF format for integration with GitHub Code Scanning. This integration allows for the display of scan results in the repository's Security tab, enhancing visibility and compliance tracking. Additionally, Terrascan can be set to only warn about violations rather than failing the build, which is useful in development environments.

Key considerations include the management of scan configurations and the handling of vulnerabilities. Terrascan is updated regularly to address vulnerabilities found in the tool itself, such as those identified by Snyk, so that the scanner does not become a weak link in the pipeline. However, the tool's effectiveness is bounded by the quality and relevance of the policies and rules applied during scans: a misconfiguration that no policy covers will not be reported. Moreover, Terrascan's performance may degrade on very large IaC repositories, although this is mitigated by the ability to configure scan depth and to skip rules.

In terms of specific technical details, Terrascan supports various IaC versions (e.g., Terraform v14, Kubernetes v1) and can be integrated with source code management systems using access tokens. The tool also provides verbose output options for detailed violation reports and supports webhook notifications for real-time alerting.
