Sergio Alberto Colque Ponce
๐Ÿ” Strengthen Your IaC with Terrascan: A Complete Guide for Terraform Security

๐Ÿ› ๏ธ Introduction

Infrastructure as Code (IaC) brings speed and consistency to cloud deploymentsโ€”but it also opens the door to misconfigurations and vulnerabilities. Just like application code, your IaC must be secured.

In this article, weโ€™ll dive into Terrascan, a powerful open-source SAST tool for IaC, and show how to use it to analyze and secure your Terraform infrastructure before it ever hits production.

By the end, youโ€™ll know:

  • What Terrascan is and how it works.
  • How to use it on a real Terraform project.
  • How to automate it using GitHub Actions.

๐Ÿ” What Is Terrascan?

Terrascan is a static code analyzer developed by Tenable that detects security and compliance violations in your Terraform (as well as Kubernetes, CloudFormation, ARM, and more) code.

It evaluates your code against policies written in Rego, the policy language of Open Policy Agent (OPA), to enforce security best practices.

🎯 Terrascan Highlights:

  • Supports over 500 built-in policies.
  • Scans Terraform HCL files.
  • Integrates with CI/CD pipelines.
  • Detects AWS, Azure, GCP, and Kubernetes misconfigurations.

✅ Step-by-Step Demo

Let's walk through scanning a vulnerable Terraform project.

๐Ÿ“ Step 1: Prepare Vulnerable Terraform Code
Weโ€™ll create an insecure AWS S3 bucket in main.tf:

provider "aws" {
  region = "us-east-1"
}

resource "aws_s3_bucket" "example" {
  bucket = "my-unsecure-bucket"
  acl    = "public-read" # โŒ Publicly accessible!
}
Enter fullscreen mode Exit fullscreen mode

This configuration violates AWS security best practices because it allows
public access.

๐Ÿ” Step 2: Install Terrascan

Install via Homebrew (macOS/Linux):
brew install terrascan

Or use Docker:
docker run --rm -v $(pwd):/iac tenable/terrascan scan -t terraform

Or download the binary from the official GitHub repo.

📦 Step 3: Run Terrascan Locally
To scan your code:
terrascan scan -i terraform -t aws -d .

Here -i terraform tells Terrascan which IaC language to parse, -t aws selects the AWS policy set, and -d . points it at the current directory.

Output:

Violation detected:
 - Rule Name: AWS S3 bucket should not have public READ access.
 - Severity: HIGH
 - File: main.tf
 - Line: 7

✅ Terrascan catches the misconfiguration before deployment!

🧹 Step 4: Fix the Issue
Replace the bucket ACL with a private setting:

resource "aws_s3_bucket" "example" {
  bucket = "my-secure-bucket"
  acl    = "private" # ✅ Private access only
}

Scan again and verify no violations are found:
terrascan scan -i terraform -t aws -d .


⚙️ Bonus: Automate with GitHub Actions

Terrascan integrates easily with CI/CD.
Create a .github/workflows/terrascan.yml file:

name: Terraform Security Scan

on:
  push:
    branches: [main]
  pull_request:

jobs:
  terrascan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3

      - name: Install Terrascan
        # Release assets are published as terrascan_<version>_Linux_x86_64.tar.gz,
        # so resolve the latest tarball through the GitHub releases API.
        run: |
          curl -L "$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz
          tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz
          sudo install terrascan /usr/local/bin && rm terrascan

      - name: Run Terrascan
        # -i selects the IaC language, -t the policy set to apply
        run: terrascan scan -i terraform -t aws -d .

🚀 Every push or PR will now trigger a security scan, and because Terrascan exits with a non-zero status when it finds violations, the job fails until the misconfiguration is fixed.
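The local scan-fix-rescan loop in Steps 3 and 4 and the CI job above both come down to one question: which findings should block a merge? The script below is an added example, not code from the original post or from the Terrascan project. It runs Terrascan with -o json, fails the build only for findings at or above a chosen severity, and emits GitHub workflow commands so each violation is annotated on the offending line of the pull request. The JSON field names (results.violations[].rule_name, description, severity, file, line) are an assumption about Terrascan's JSON layout and should be checked against the version you install; the embedded sample report and its rule ids are constructed, not captured output.

```python
"""Gate a CI step on a Terrascan JSON report and annotate findings in GitHub.

Added example, not part of the original post or the Terrascan project.
Assumes Terrascan's `-o json` layout: results.violations[] entries with
rule_name, description, severity, file and line. Verify against your version.
"""
import json
import subprocess

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample report for the public-read bucket in main.tf.
# Rule ids and text are illustrative, not captured Terrascan output.
SAMPLE_REPORT = {
    "results": {
        "violations": [
            {
                "rule_name": "s3AclGrantsReadToAllUsers",  # constructed id
                "description": "AWS S3 bucket should not have public READ access.",
                "severity": "HIGH",
                "resource_type": "aws_s3_bucket",
                "resource_name": "example",
                "file": "main.tf",
                "line": 7,
            },
            {
                "rule_name": "s3ServerAccessLoggingDisabled",  # constructed id
                "description": "S3 bucket server access logging is not enabled.",
                "severity": "MEDIUM",
                "resource_type": "aws_s3_bucket",
                "resource_name": "example",
                "file": "main.tf",
                "line": 5,
            },
        ],
        "scan_summary": {"low": 0, "medium": 1, "high": 1, "violated_policies": 2},
    }
}


def violations(report):
    """Return the violation list; a clean report may omit the key entirely."""
    return report.get("results", {}).get("violations") or []


def failing_violations(report, fail_on="HIGH"):
    """Violations at or above the fail_on severity; these should break the build."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    return [v for v in violations(report)
            if SEVERITY_RANK.get(str(v.get("severity", "")).upper(), 0) >= threshold]


def _escape_msg(text):
    """Escape characters GitHub workflow commands treat specially in messages."""
    return str(text).replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def _escape_prop(text):
    """Property values additionally need ':' and ',' escaped."""
    return _escape_msg(text).replace(":", "%3A").replace(",", "%2C")


def github_annotations(report, fail_on="HIGH"):
    """One ::error / ::warning command per violation, pinned to file and line."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    lines = []
    for v in violations(report):
        sev = str(v.get("severity", "")).upper()
        level = "error" if SEVERITY_RANK.get(sev, 0) >= threshold else "warning"
        title = _escape_prop(f"Terrascan {sev}: {v.get('rule_name', '')}")
        msg = _escape_msg(f"{v.get('description', '')} "
                          f"({v.get('resource_type', '')}.{v.get('resource_name', '')})")
        lines.append(f"::{level} file={v.get('file', '')},line={v.get('line', 0)},"
                     f"title={title}::{msg}")
    return lines


def run_terrascan(directory=".", policy_type="aws"):
    """Run Terrascan (-i IaC language, -t policy set) and parse its JSON output.
    Terrascan exits non-zero when it finds violations, so check=True is not used."""
    cmd = ["terrascan", "scan", "-i", "terraform", "-t", policy_type,
           "-d", directory, "-o", "json"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if not proc.stdout.strip():
        raise RuntimeError(f"terrascan produced no output: {proc.stderr.strip()}")
    return json.loads(proc.stdout)


def gate(report, fail_on="HIGH"):
    """Print annotations and return the exit status the CI step should use."""
    for line in github_annotations(report, fail_on):
        print(line)
    failing = failing_violations(report, fail_on)
    print(f"{len(violations(report))} violation(s), {len(failing)} at or above {fail_on}")
    return 1 if failing else 0


if __name__ == "__main__":
    import sys
    try:
        report = run_terrascan(sys.argv[1] if len(sys.argv) > 1 else ".")
    except FileNotFoundError:
        print("terrascan not on PATH; evaluating the constructed sample report")
        report = SAMPLE_REPORT
    sys.exit(gate(report))
```

In the workflow, replace the "Run Terrascan" step's command with `python3 terrascan_gate.py .` (the file name is a hypothetical one) to get inline PR annotations while keeping the same fail-on-HIGH behaviour; lower the threshold to MEDIUM once the HIGH findings are cleaned up.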


💻 GitHub Repository

👉 Demo Code + GitHub Actions ready to deploy: 🔗 View on GitHub

Includes:

  • Vulnerable and fixed Terraform files
  • .github/workflows/terrascan.yml
  • README instructions

🧠 Conclusion

Terrascan makes it incredibly easy to integrate SAST into your Infrastructure as Code workflows. By catching risks early, you ensure cloud security and compliance without slowing development.

✅ Key Benefits:

  • Fast and free.
  • Over 500 built-in policies.
  • Works locally and in CI/CD.
  • Secures Terraform, Kubernetes, and more.

Start using Terrascan today and protect your infrastructure from the start!


💬 Got feedback?

Drop a comment below or share how you're securing your IaC.
Happy scanning! 👨‍💻🛡️
