Terrascan

Krupakar Reddy
3 min read · May 6, 2022

In today's software world, security policy is a first-order concern. While developing application code we already run static code analyzers such as SonarQube, Veracode, Codacy and many others to check code quality, find duplicates and catch bugs at an early stage of development.
The same applies to Infrastructure as Code (IaC): static analysis lets us detect security issues and other vulnerabilities before anything is deployed. Here we look at Terrascan and how to use it.

What exactly Terrascan is?
Terrascan is a static code analyzer for IaC. It can be used in automated pipelines to spot policy violations before insecure infrastructure is provisioned.

How to use Terrascan:
You can run it locally by installing the terrascan package, or run it via Docker.
The installation procedure is described in the docs.

Before moving ahead, let's look at the key features of Terrascan.

Key Features of Terrascan:
→ Scanning of Dockerfiles
→ Scanning of Terraform
→ Scanning of Kubernetes manifests (JSON/YAML), Kustomize and Helm
→ More than 500 policies covering security best practices
→ Support for AWS, Azure, GCP, Kubernetes, Dockerfile and GitHub
→ Integration with CI/CD tools such as Jenkins, Argo CD etc.
→ Docker image vulnerability scanning for images referenced in AWS, Azure and GCP IaC
→ Many output formats: YAML, JSON, XML, JUnit XML and SARIF

Scanning with Terrascan:
Let's look at the commands for scanning with Terrascan.

→ To scan the Terraform files in the current directory against the AWS policies:
terrascan scan -t aws

→ By default Terrascan scans Terraform HCL files, so use the -i flag to change the IaC provider. For example, to scan Kubernetes files:
terrascan scan -i k8s

→ To scan Helm charts, run the following command in the directory of the Helm chart:
terrascan scan -i helm

→ To scan a Dockerfile, run:
terrascan scan -i docker

→ To retrieve container image vulnerabilities, Terrascan can display vulnerabilities for the container images referenced in IaC files when the --find-vuln flag is given:
terrascan scan -i <IaC Provider> --find-vuln

Integration:
Terrascan can be integrated with CI/CD to automate scanning and produce reports in the format the pipeline needs, for example the JUnit XML format for Jenkins. See the docs for the integration details.
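A pipeline step needs to do something with the report once Terrascan has produced it, typically fail the build when violations at or above a chosen severity remain. The following is an added example (not code from the post or from the Terrascan project) that parses Terrascan's JSON output (`-o json`) and decides whether the build passes. The shape of the JSON (a `results` object holding a `violations` list and a `scan_summary`) is assumed from Terrascan's documented output; the sample document, rule names and rule IDs below are constructed placeholders, not real scanner output.

```python
"""CI gate over Terrascan JSON output (added example, not Terrascan's own code).

Assumption: `terrascan scan ... -o json` prints a document of the form
{"results": {"violations": [...], "scan_summary": {...}}}, where each
violation carries rule_id, rule_name, severity, resource_name, file, line.
"""
import json
from collections import Counter

# Ordering used to compare severities; Terrascan reports LOW/MEDIUM/HIGH.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample resembling the output of `terrascan scan -i docker -o json`.
# Rule IDs and names are placeholders, not real Terrascan policy identifiers.
SAMPLE_OUTPUT = json.dumps({
    "results": {
        "violations": [
            {"rule_id": "EXAMPLE-DOCKER-001", "rule_name": "missingHealthcheck",
             "severity": "LOW", "resource_name": "Dockerfile",
             "file": "Dockerfile", "line": 1},
            {"rule_id": "EXAMPLE-DOCKER-002", "rule_name": "latestTagUsed",
             "severity": "MEDIUM", "resource_name": "Dockerfile",
             "file": "Dockerfile", "line": 1},
            {"rule_id": "EXAMPLE-DOCKER-003", "rule_name": "runsAsRoot",
             "severity": "HIGH", "resource_name": "Dockerfile",
             "file": "Dockerfile", "line": 7},
        ],
        "scan_summary": {"iac_type": "docker", "policies_validated": 30,
                         "violated_policies": 3, "low": 1, "medium": 1, "high": 1},
    }
})


def parse_violations(raw: str) -> list:
    """Return the violations list from a Terrascan JSON report (empty if none)."""
    doc = json.loads(raw)
    return doc.get("results", {}).get("violations") or []


def count_by_severity(violations: list) -> dict:
    """Count violations per severity level, normalising case."""
    return dict(Counter(v["severity"].upper() for v in violations))


def gate(raw: str, fail_at: str = "HIGH", skip_rules=()) -> tuple:
    """Decide whether a build passes.

    fail_at    - lowest severity that blocks the build (LOW, MEDIUM or HIGH).
    skip_rules - rule IDs to ignore, mirroring Terrascan's --skip-rules flag.
    Returns (passed, blocking_violations).
    """
    threshold = SEVERITY_RANK[fail_at.upper()]
    skipped = set(skip_rules)
    blocking = [
        v for v in parse_violations(raw)
        if v["rule_id"] not in skipped
        and SEVERITY_RANK.get(v["severity"].upper(), 0) >= threshold
    ]
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    passed, blocking = gate(SAMPLE_OUTPUT, fail_at="HIGH")
    print("severity counts:", count_by_severity(parse_violations(SAMPLE_OUTPUT)))
    for v in blocking:
        print(f"BLOCKING {v['severity']} {v['rule_id']} {v['file']}:{v['line']}")
    raise SystemExit(0 if passed else 1)
```

In a real pipeline the report would be read from the file or stdout produced by `terrascan scan -o json`; the exit status of the gate is what the CI job keys on. Skipping rules in the gate rather than at scan time keeps the full finding list in the report for later review.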

Scanning a Dockerfile with Terrascan via docker run:
Let's see a practical implementation of Terrascan using its Docker image.

Create a directory, cd into it and create a Dockerfile.

We now have a Dockerfile to check against the security policies.

Terrascan is published as the Docker image accurics/terrascan. Run the following command in the directory containing the Dockerfile:

Note: the -v option mounts the current directory into the container.

alias terrascan='docker run --rm -it -v "$(pwd):/iac" -w /iac accurics/terrascan'
Note: the extra options give Terrascan access to the current directory when the scan runs.

The above alias gives a throwaway Terrascan for the current shell session; nothing is installed, and the alias disappears when the terminal is closed.
Once the alias is defined, run terrascan version to view the version in use.

Then scan the Dockerfile from that directory with:
terrascan scan -i docker
It produces output in the following format:

(Image: output view after scanning the Dockerfile with Terrascan.)

The Terrascan Docker image can also be used directly, without the alias:

docker run --rm -it -v "$(pwd):/iac" -w /iac accurics/terrascan scan -i <IaC Provider>

(If the above command errors when pasted into a terminal, the quotes or dashes were probably converted to typographic characters; retype them as plain ASCII.)

That completes the basic implementation and the scan result for the Dockerfile: a scan summary listing the violations with their severity levels.

Policies:

Terrascan policies are written in the Rego policy language. Every Rego policy is accompanied by a JSON rule file that defines the policy's metadata. By default Terrascan downloads the policies from the Terrascan repository when the first scan runs.
We can skip policies that are not required and add ones that are.

To skip specific rules, pass the --skip-rules flag:
docker run --rm -it -v "$(pwd):/iac" -w /iac accurics/terrascan scan -i docker --skip-rules="ruleID1,ruleID2"

We can also list the rules that passed with the --show-passed flag.
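The quoting problems mentioned above (and the skip-rules list with its embedded quotes) go away when the Docker command is built as an argument vector instead of a shell string. The following is an added example, not code from the post or from the Terrascan project: it assembles the `docker run ... accurics/terrascan scan` command with the flags discussed on this page (`-i`, `-t`, `--skip-rules`, `--find-vuln`, `-o`) and runs it only if Docker is available. The function names and the `workdir` parameter are this example's own; the image name and flags are the ones the post uses.

```python
"""Build and run the dockerised Terrascan scan without shell quoting issues
(added example; not part of the original post or of Terrascan itself)."""
import shutil
import subprocess
from pathlib import Path

IMAGE = "accurics/terrascan"  # image named in the post


def build_terrascan_argv(iac_type, policy_types=(), skip_rules=(),
                         find_vuln=False, output_format=None, workdir="."):
    """Return the argv list for `docker run ... accurics/terrascan scan ...`.

    The host directory is mounted at /iac, as in the post's alias. -it is
    omitted because a CI job has no TTY. No string is ever passed through a
    shell, so paths with spaces and the comma-separated rule list need no
    quoting at all.
    """
    host_dir = str(Path(workdir).resolve())
    argv = ["docker", "run", "--rm", "-v", f"{host_dir}:/iac", "-w", "/iac",
            IMAGE, "scan", "-i", iac_type]
    if policy_types:                      # e.g. ("aws",) -> -t aws
        argv += ["-t", ",".join(policy_types)]
    if skip_rules:                        # mirrors --skip-rules="id1,id2"
        argv.append("--skip-rules=" + ",".join(skip_rules))
    if find_vuln:                         # container image vulnerability lookup
        argv.append("--find-vuln")
    if output_format:                     # json, yaml, xml, junit-xml, sarif
        argv += ["-o", output_format]
    return argv


def run_scan(argv):
    """Run the scan; returns (returncode, stdout) or None when docker is absent.

    Terrascan exits non-zero when violations are found, so the return code is
    what a pipeline step should check. Nothing is raised on a non-zero exit.
    """
    if shutil.which("docker") is None:
        return None
    completed = subprocess.run(argv, capture_output=True, text=True)
    return completed.returncode, completed.stdout


if __name__ == "__main__":
    argv = build_terrascan_argv("docker", skip_rules=("ruleID1", "ruleID2"),
                                output_format="json")
    print(" ".join(argv))
    result = run_scan(argv)
    if result is None:
        print("docker not found; command printed only")
    else:
        code, out = result
        print(f"terrascan exited with {code}")
        print(out)
```

Because `subprocess.run` receives a list, the `$(pwd)` expansion of the alias is replaced by `Path(workdir).resolve()`, evaluated at call time rather than when the alias was defined, which is the other subtle difference from the shell alias above.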

For more about policies, see the docs.

For more information about Terrascan, please refer to: https://runterrascan.io/docs/
https://github.com/accurics/terrascan
