{"id":13408095,"url":"https://github.com/tenable/terrascan","last_synced_at":"2025-05-12T05:28:07.557Z","repository":{"id":37290090,"uuid":"103084166","full_name":"tenable/terrascan","owner":"tenable","description":"Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.","archived":false,"fork":false,"pushed_at":"2025-05-06T11:08:08.000Z","size":16063,"stargazers_count":4924,"open_issues_count":281,"forks_count":517,"subscribers_count":69,"default_branch":"master","last_synced_at":"2025-05-12T02:43:02.873Z","etag":null,"topics":["architecture","aws","aws-security","azure-security","cloud-security","cloudsecurity","devops","devsecops","gcp-security","iac","infrastructure","infrastructure-as-code","kubernetes","sast","scans","security","security-tools","security-violations","terraform","terrascan"],"latest_commit_sha":null,"homepage":"https://runterrascan.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tenable.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"code_of_conduct.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2017-09-11T03:11:10.000Z","updated_at":"2025-05-11T04:10:38.000Z","dependencies_parsed_at":"2023-09-22T09:24:19.747Z","dependency_job_id":"4e567341-6b88-4e08-8e12-dbc66ce194cb","html_url":"https://github.com/tenable/terrascan","commit_stats":{"total_commits":1383,"total_committers":93,"mean_commits":"14.870967741935484","dds":0.8532176428054953,"last_synced_commit":"cfea5fdfd7b978fe0c471a
63902631cae962b883"},"previous_names":["cesar-rodriguez/terrascan","accurics/terrascan"],"tags_count":57,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tenable%2Fterrascan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tenable%2Fterrascan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tenable%2Fterrascan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tenable%2Fterrascan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tenable","download_url":"https://codeload.github.com/tenable/terrascan/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253672701,"owners_count":21945480,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["architecture","aws","aws-security","azure-security","cloud-security","cloudsecurity","devops","devsecops","gcp-security","iac","infrastructure","infrastructure-as-code","kubernetes","sast","scans","security","security-tools","security-violations","terraform","terrascan"],"created_at":"2024-07-30T20:00:50.727Z","updated_at":"2025-05-12T05:28:07.527Z","avatar_url":"https://github.com/tenable.png","language":"Go","funding_links":[],"categories":["Tools","Go","Infrastructure as Code","Infrastructure Security","aws","Companion Tools","Infrastructure as Code Security","Tooling— Security and Policies"],"sub_categories":["Others","Terraform Tooling","Infrastructure as Code (IaC) Security","Community 
providers","Infrastructure as Code Scanning","Kubernetes Audit","Language Specific"],"readme":"![Terrascan](https://raw.githubusercontent.com/tenable/runterrascan.io/main/static/images/TerrascanTM_BY_Logo.png)\n\n[![GitHub release](https://img.shields.io/github/release/tenable/terrascan)](https://github.com/tenable/terrascan/releases/latest)\n[![License: Apache 2.0](https://img.shields.io/badge/license-Apache%202-blue)](https://github.com/tenable/terrascan/blob/master/LICENSE)\n[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](https://github.com/tenable/terrascan/pulls)\n![CI](https://github.com/tenable/terrascan/workflows/build/badge.svg)\n[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=tenable_terrascan\u0026metric=alert_status)](https://sonarcloud.io/summary/new_code?id=tenable_terrascan)\n[![AUR package](https://repology.org/badge/version-for-repo/aur/terrascan.svg)](https://repology.org/project/terrascan/versions)\n[![codecov](https://codecov.io/gh/tenable/terrascan/branch/master/graph/badge.svg)](https://codecov.io/gh/tenable/terrascan)\n[![Documentation Status](https://readthedocs.com/projects/tenable-terrascan/badge/?version=latest)](https://runterrascan.io/)\n[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-v2.0%20adopted-ff69b4.svg)](code_of_conduct.md)\n![GitHub all releases](https://img.shields.io/github/downloads/tenable/terrascan/total)\n\n## Introduction\n\nTerrascan is a static code analyzer for Infrastructure as Code. 
Terrascan allows you to:\n\n- Seamlessly scan infrastructure as code for misconfigurations.\n- Monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and revert to a secure posture.\n- Detect security vulnerabilities and compliance violations.\n- Mitigate risks before provisioning cloud native infrastructure.\n- Run locally or integrate with your CI/CD pipeline.\n\n### Resources\n* To try Terrascan in your browser, see the Terrascan Sandbox: https://www.tenable.com/terrascan\n\n* To learn more about Terrascan's features and capabilities, see the documentation portal: https://runterrascan.io\n\n\u003cp align=\"center\"\u003e\n    Join the Tenable community 👇\n\u003cbr/\u003e\n\u003ca href=\"https://discord.gg/ScUPMzyG3n\"\u003e\n    \u003cimg src=\"http://fig.io/icons/discord-logo-square.png\" width=\"80px\" height=\"80px\" /\u003e\n\u003c/a\u003e\n\u003c/p\u003e\n\n## Key features\n* 500+ policies for security best practices\n* Scanning of [Terraform](https://runterrascan.io/docs/usage/command_line_mode/#scanning-current-directory-containing-terraform-files-for-aws-resources) (HCL2)\n* Scanning of AWS CloudFormation Templates (CFT)\n* Scanning of Azure Resource Manager (ARM)\n* Scanning of [Kubernetes](https://runterrascan.io/docs/usage/command_line_mode/#scanning-for-a-specific-iac-provider) (JSON/YAML), [Helm](https://runterrascan.io/docs/usage/command_line_mode/#scanning-a-helm-chart) v3, and [Kustomize](https://runterrascan.io/docs/usage/command_line_mode/#scanning-a-kustomize-chart)\n* Scanning of [Dockerfiles](https://runterrascan.io/docs/usage/command_line_mode/#scanning-a-dockerfile)\n* Support for [AWS](https://runterrascan.io/docs/policies/aws/), [Azure](https://runterrascan.io/docs/policies/azure/), [GCP](https://runterrascan.io/docs/policies/gcp/), [Kubernetes](https://runterrascan.io/docs/policies/k8s/), [Dockerfile](https://runterrascan.io/docs/policies/docker/), and 
[GitHub](https://runterrascan.io/docs/policies/github/)\n* Integrates with Docker image vulnerability scanning for AWS, Azure, GCP, and Harbor container registries.\n\n## Quick Start\n\n1. [Install](#step-1-install)\n2. [Scan](#step-2-scan)\n3. [Integrate](#step-3-integrate-with-cicd)\n\n### Step 1: Install\nTerrascan supports multiple ways to install and is also available as a Docker image.\nSee Terrascan's [releases](https://github.com/tenable/terrascan/releases) page for the latest builds for all supported platforms. Select the correct binary for your platform.\n\n#### Install as a native executable\n\n```sh\ncurl -L \"$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o -E \"https://.+?_Linux_x86_64.tar.gz\")\" \u003e terrascan.tar.gz\ntar -xf terrascan.tar.gz terrascan \u0026\u0026 rm terrascan.tar.gz\nsudo install terrascan /usr/local/bin \u0026\u0026 rm terrascan\nterrascan\n```\n\n#### Install on ArchLinux / Manjaro via `AUR`\n\nArchLinux and Manjaro users can install with:\n\n```sh\nyay -S terrascan\n```\n\n#### Install via `brew`\n\n[Homebrew](https://brew.sh/) users can install with:\n\n```sh\n$ brew install terrascan\n```\n\n#### Docker image\n\nTerrascan is also available as a Docker image and can be used as follows:\n\n```sh\n$ docker run tenable/terrascan\n```\nRefer to the [documentation](https://runterrascan.io/docs/getting-started/) for more information.\n\n### Step 2: Scan\nTo scan your code for security issues, run the following (defaults to scanning Terraform):\n\n```sh\n$ terrascan scan\n```\n**Note**: Terrascan will exit with a non-zero exit code if any errors or violations are found during a scan.\n\n#### List of possible exit codes\n| Scenario      | Exit Code |\n| ----------- | ----------- |\n| scan summary has errors and violations | 5 |\n| scan summary has errors but no violations | 4 |\n| scan summary has violations but no errors | 3 |\n| scan summary has no violations or errors | 0 |\n| scan command errors out due to invalid inputs | 1 
|\n### Step 3: Integrate with CI/CD\n\nTerrascan can be integrated into CI/CD pipelines to enforce security best practices.\nPlease refer to our [documentation to integrate with your pipeline](https://runterrascan.io/docs/integrations/).\n\n## Terrascan Commands\nYou can use the `terrascan` command with the following options:\n\n```sh\n$ terrascan\nTerrascan\n\nUsage:\n  terrascan [command]\n\nAvailable Commands:\n  help        Help about any command\n  init        Initialize Terrascan\n  scan        Detect compliance and security violations across Infrastructure as Code.\n  server      Run Terrascan as an API server\n  version     Terrascan version\n\nFlags:\n  -c, --config-path string   config file path\n  -h, --help                 help for terrascan\n  -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default \"info\")\n  -x, --log-type string      log output type (console, json) (default \"console\")\n  -o, --output string        output type (human, json, yaml, xml) (default \"human\")\n\nUse \"terrascan [command] --help\" for more information about a command.\n```\n\n## Policies\nTerrascan policies are written in the [Rego policy language](https://www.openpolicyagent.org/docs/latest/policy-language/). Every Rego policy is accompanied by a JSON \"rule\" file that defines the policy's metadata.\nBy default, Terrascan downloads policies from the Terrascan repositories the first time it scans. However, if you want to download the latest policies, you need to run the initialization process. See [Usage](https://runterrascan.io/docs/usage/command_line_mode/) for information about the initialization process.\n\nNote: The scan command will implicitly run the initialization process if no policies are found.\n\n## Docker Image Vulnerabilities\nYou can use the `--find-vuln` flag to include, in Terrascan's output, the vulnerabilities that the container registry reports for the scanned images. 
Currently Terrascan supports Elastic Container Registry (ECR), Azure Container Registry, Google Container Registry, and Google Artifact Registry.\n\nThe `--find-vuln` flag can be used when scanning IaC files as follows:\n\n```sh\n$ terrascan scan -i \u003cIaC provider\u003e --find-vuln\n```\n\nFor more information, including how to set up your environment to authenticate with the registry's APIs, see the [usage](https://runterrascan.io/docs/usage/command_line_mode/) documentation.\n\n## Customizing scans\n\nBy default, Terrascan scans your entire configuration against all policies. However, Terrascan supports granular configuration of policies and resources.\n\nRead more about [in-file instrumentation](https://runterrascan.io/docs/usage/in-file_instrumentation/) and [the config file](https://runterrascan.io/docs/usage/config_options/) on our documentation site.\n\nFor now, some quick tips:\n\n- [Exclude a particular policy for a specific resource.](#how-to-exclude-a-policy-while-scanning-a-resource)\n- [Manually configure policies to be suppressed or applied globally across all resources, or for just a particular resource.](#how-to-include-or-exclude-specific-policies-or-resources-from-being-scanned)\n\n### How to exclude a policy while scanning a resource\n\nYou can configure Terrascan to skip a particular policy (rule) while scanning a resource. Follow these steps depending on your platform:\n\n#### Terraform\nIn Terraform files, configure Terrascan to skip rules by inserting a comment with the phrase `\"ts:skip=\u003cRULENAME\u003e\u003cSKIP_REASON\u003e\"`. 
The comment should be included inside the resource block, as shown in the example below.\n\n![tf](docs/img/tf_skip_rule.png)\n\n#### Kubernetes\nIn Kubernetes YAML manifests, you can configure Terrascan to skip policies by adding an annotation, as seen in the snippet below.\n\n![k8s](docs/img/skiprules.png)\n\n### How to include or exclude specific policies or resources from being scanned\n\nUse the Terrascan config file to manually select the policies that should be included in or excluded from the entire scan. This is suitable for edge use cases.\nUse the \"in-file\" suppression option to specify resources that should be excluded from being tested against selected policies. This ensures that the policies are skipped only for particular resources, rather than for all resources.\n\n![config](https://user-images.githubusercontent.com/74685902/105115887-83e2f380-5a7e-11eb-82b8-a1d18c83a405.png)\n\n### Sample scan output\n\nTerrascan's default output is a list of violations present in the scanned IaC. A sample output:\n\n![sample scan output](https://user-images.githubusercontent.com/74685902/105115731-32d2ff80-5a7e-11eb-93b0-2f0620eb1295.png)\n\n## Building Terrascan\nTerrascan can be built locally. This is helpful if you want to be on the latest version or when developing Terrascan. 
[gcc](https://gcc.gnu.org/install/) and [Go](https://go.dev/doc/install) 1.19 or above are required.\n\n```sh\n$ git clone git@github.com:tenable/terrascan.git\n$ cd terrascan\n$ make build\n$ ./bin/terrascan\n```\n\n### Building your own Docker image (Alpine Linux example)\n```dockerfile\nFROM golang:alpine AS build-env\n\nRUN apk add --update git\n\nRUN git clone https://github.com/tenable/terrascan \u0026\u0026 cd terrascan \\\n  \u0026\u0026 CGO_ENABLED=0 GO111MODULE=on go build -o /go/bin/terrascan cmd/terrascan/main.go\n```\n\n## Developing Terrascan\nTo learn more about developing and contributing to Terrascan, refer to the [contributing guide](CONTRIBUTING.md).\n\n## Code of Conduct\nWe believe having an open and inclusive community benefits all of us. Please note that this project is released with a [Contributor Code of Conduct](code_of_conduct.md). By participating in this project you agree to abide by its terms.\n\n## License\n\nTerrascan is licensed under the [Apache 2.0 License](LICENSE).\n\n### Stargazers\n\n[![Stargazers @tenable/terrascan](https://reporoster.com/stars/tenable/terrascan)](https://github.com/tenable/terrascan/stargazers)\n\n### Forkers\n\n[![Forkers @tenable/terrascan](https://reporoster.com/forks/tenable/terrascan)](https://github.com/tenable/terrascan/network/members)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftenable%2Fterrascan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftenable%2Fterrascan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftenable%2Fterrascan/lists"}