Introduction
Infrastructure as Code (IaC) brings speed and consistency to cloud deployments, but it also opens the door to misconfigurations and vulnerabilities. Just like application code, your IaC must be secured.
In this article, we'll dive into Terrascan, an open-source static analysis (SAST) tool for IaC, and show how to use it to analyze and secure your Terraform configuration before it ever hits production.
By the end, youโll know:
- What Terrascan is and how it works.
- How to use it on a real Terraform project.
- How to automate it using GitHub Actions.
What Is Terrascan?
Terrascan is a static code analyzer, originally created by Accurics and now maintained by Tenable, that detects security and compliance violations in your Terraform code (as well as Kubernetes manifests, Helm charts, Dockerfiles, CloudFormation, ARM templates, and more).
It evaluates the parsed resources against Rego policies using the Open Policy Agent (OPA) engine, so the built-in rule set can be extended with your own policies.
Terrascan Highlights:
- Supports over 500 built-in policies.
- Scans Terraform HCL files.
- Integrates with CI/CD pipelines.
- Detects AWS, Azure, GCP, and Kubernetes misconfigurations.
Step-by-Step Demo
Letโs walk through scanning a vulnerable Terraform project.
Step 1: Prepare Vulnerable Terraform Code
We'll create an insecure AWS S3 bucket in main.tf:

    provider "aws" {
      region = "us-east-1"
    }

    resource "aws_s3_bucket" "example" {
      bucket = "my-unsecure-bucket"
      acl    = "public-read" # Publicly accessible!
    }

This configuration violates AWS security best practices because the public-read canned ACL grants read access to the AllUsers group, i.e. anyone on the internet.
Step 2: Install Terrascan
Install via Homebrew (macOS/Linux):

    brew install terrascan

Or use Docker, mounting the current directory into the container and making it the working directory so the scanner actually sees your files:

    docker run --rm -it -v "$(pwd):/iac" -w /iac tenable/terrascan scan -t terraform

Or download the release tarball for your platform from the official GitHub repo (tenable/terrascan) and put the terrascan binary on your PATH.
Step 3: Run Terrascan Locally
To scan the current directory as Terraform code:

    terrascan scan -t terraform -d .

Output (abbreviated; the full report also carries the rule ID, category, resource name and a scan summary):

    Violation detected:
    - Rule Name: AWS S3 bucket should not have public READ access.
    - Severity: HIGH
    - File: main.tf
    - Line: 7

Terrascan catches the misconfiguration before deployment. It also exits with a non-zero status when violations are found, which is what makes it usable as a gate in CI.
Step 4: Fix the Issue
Replace the bucket ACL with a private setting:

    resource "aws_s3_bucket" "example" {
      bucket = "my-secure-bucket"
      acl    = "private" # Private access only
    }

Scan again and verify that the public-read violation is gone:

    terrascan scan -t terraform -d .

Two practical caveats. First, with version 4 and later of the AWS provider the acl argument on aws_s3_bucket is deprecated in favour of the separate aws_s3_bucket_acl resource, and the stronger fix is to pair the bucket with an aws_s3_bucket_public_access_block that blocks public ACLs and policies regardless of what any ACL says. Second, a minimal bucket like this will likely still trip other Terrascan S3 policies (versioning, access logging, encryption), so expect to address those, or narrow the report with --severity, rather than seeing an empty result.
Bonus: Automate with GitHub Actions
Terrascan integrates easily with CI/CD.
Create a .github/workflows/terrascan.yml file:
    name: Terraform Security Scan

    on:
      push:
        branches: [main]
      pull_request:

    jobs:
      terrascan:
        runs-on: ubuntu-latest
        steps:
          - name: Checkout Code
            uses: actions/checkout@v3

          - name: Install Terrascan
            run: |
              # Release assets are versioned tarballs (terrascan_<version>_Linux_x86_64.tar.gz),
              # so resolve the latest one via the GitHub API rather than a fixed file name.
              curl -L "$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o -E 'https://.+?_Linux_x86_64.tar.gz')" -o terrascan.tar.gz
              tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz
              sudo install terrascan /usr/local/bin && rm terrascan

          - name: Run Terrascan
            run: terrascan scan -t terraform -d .
Every push to main and every pull request now triggers a scan, and because Terrascan returns a non-zero exit status on violations the job fails until they are fixed or explicitly skipped. For reproducible builds, pin the download to a specific release instead of resolving "latest" on every run.
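A plain "fail on any finding" step is often too blunt for a real pipeline: teams usually want to block merges on HIGH findings, report the rest, and carry a small list of accepted-risk exceptions. The script below is an added example for this article, not code from the original post or from the Terrascan project. It consumes the JSON report produced by terrascan scan -o json and assumes the documented report layout (results.violations[] entries with severity, rule_id, description, file, line, and a results.scan_summary). The embedded sample report is constructed by hand, its rule IDs (EXAMPLE.S3.*) are placeholders rather than real Terrascan rule IDs, and the file name terrascan_gate.py is assumed.

```python
"""Gate a CI job on a Terrascan JSON report (`terrascan scan -o json`).

Added example: not part of the original post or of Terrascan itself.
Assumes Terrascan's documented JSON layout (results.violations[] with
severity / rule_id / description / file / line, plus results.scan_summary).
The sample report below is constructed for this demo; its rule IDs are
placeholders, not real Terrascan rule IDs.
"""
import json
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample of what scanning the public-read bucket from Step 1 might
# yield once a second, lower-severity policy also fires.
SAMPLE_REPORT = """
{
  "results": {
    "violations": [
      {
        "rule_name": "s3BucketNoPublicRead",
        "description": "AWS S3 bucket should not have public READ access.",
        "rule_id": "EXAMPLE.S3.PUBLIC_READ",
        "severity": "HIGH",
        "category": "Identity and Access Management",
        "resource_name": "example",
        "resource_type": "aws_s3_bucket",
        "file": "main.tf",
        "line": 7
      },
      {
        "rule_name": "s3BucketVersioning",
        "description": "S3 bucket versioning should be enabled.",
        "rule_id": "EXAMPLE.S3.VERSIONING",
        "severity": "MEDIUM",
        "category": "Data Protection",
        "resource_name": "example",
        "resource_type": "aws_s3_bucket",
        "file": "main.tf",
        "line": 5
      }
    ],
    "scan_summary": {
      "file/folder": ".",
      "iac_type": "terraform",
      "policies_validated": 2,
      "violated_policies": 2,
      "low": 0,
      "medium": 1,
      "high": 1
    }
  }
}
"""


def parse_violations(report_text):
    """Return the violation list from a report; tolerate a missing or null list."""
    report = json.loads(report_text)
    return report.get("results", {}).get("violations") or []


def blocking_violations(violations, min_severity="HIGH", allowlist=()):
    """Keep violations at or above min_severity whose rule_id is not allowlisted.

    Unknown severity labels rank 0 and never block, so a new label introduced
    by a future scanner release degrades to "report only" instead of crashing.
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    return [
        v for v in violations
        if SEVERITY_RANK.get(str(v.get("severity", "")).upper(), 0) >= threshold
        and v.get("rule_id") not in allowlist
    ]


def format_violation(v):
    """One human-readable line per finding, with file:line for quick triage."""
    return (
        f"{v.get('severity')}: {v.get('description')} "
        f"({v.get('file')}:{v.get('line')}, "
        f"{v.get('resource_type')}.{v.get('resource_name')}, rule {v.get('rule_id')})"
    )


def gate(report_text, min_severity="HIGH", allowlist=()):
    """Return (exit_code, report_lines): 1 if any blocking violation remains, else 0."""
    blocking = blocking_violations(parse_violations(report_text), min_severity, allowlist)
    return (1 if blocking else 0), [format_violation(v) for v in blocking]


if __name__ == "__main__":
    # Usage: python3 terrascan_gate.py [LOW|MEDIUM|HIGH] < report.json
    # Without piped input the constructed sample report is used instead.
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    min_sev = sys.argv[1] if len(sys.argv) > 1 else "HIGH"
    code, lines = gate(text, min_sev)
    print("\n".join(lines) if lines else f"No violations at or above {min_sev.upper()}")
    sys.exit(code)
```

In the workflow, write the report to a file first (terrascan scan -t terraform -d . -o json > report.json) and feed that file to the script in a separate step; Terrascan's own non-zero exit on violations would otherwise end the step before the gate gets to decide. Keep the allowlist short and reviewed, since every entry is an accepted risk that the scanner will no longer surface.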
GitHub Repository
Demo Code + GitHub Actions ready to deploy: View on GitHub
Includes:
- Vulnerable and fixed Terraform files
- .github/workflows/terrascan.yml
- README instructions
Conclusion
Terrascan makes it straightforward to integrate SAST into your Infrastructure as Code workflows. By catching risky configuration early, you improve cloud security and compliance without slowing development.
Key Benefits:
- Fast and free.
- Over 500 built-in policies.
- Works locally and in CI/CD.
- Secures Terraform, Kubernetes, and more.
Start using Terrascan today and protect your infrastructure from the start!
Got feedback?
Drop a comment below or share how you're securing your IaC.
Happy scanning!