terrascan
TLDR
Initialize Terrascan (download policies)
SYNOPSIS
terrascan [command] [options]
DESCRIPTION
Terrascan is a static code analyzer for Infrastructure as Code (IaC). It scans Terraform, Kubernetes, Helm, and Kustomize configurations for security misconfigurations and compliance violations.
The tool comes with 500+ policies covering AWS, Azure, GCP, and Kubernetes best practices. It can integrate into CI/CD pipelines to prevent insecure configurations from being deployed.
Terrascan can run as a CLI tool, API server, or Kubernetes admission controller. Custom policies can be written using Rego (Open Policy Agent's policy language).
Policies are stored in ~/.terrascan and automatically downloaded on first run or via `terrascan init`.
PARAMETERS
-c, --config-path file
    Configuration file path.
-d, --iac-dir path
    Directory to scan.
-f, --iac-file file
    Specific file to scan.
-i, --iac-type type
    IaC type: terraform, k8s, helm, kustomize.
-t, --policy-type type
    Policy type: all, aws, azure, gcp, k8s.
-o, --output format
    Output format: human, json, yaml, xml.
-r, --remote-type type
    Remote type: git.
-u, --remote-url url
    Remote repository URL.
--skip-rules rules
    Comma-separated rules to skip.
--severity level
    Minimum severity: low, medium, high.
--find-vuln
    Check for container vulnerabilities.
-l, --log-level level
    Log level: debug, info, warn, error.
-x, --log-type type
    Log type: console, json.
COMMANDS
init: Initialize Terrascan and download policies.
scan: Scan IaC for security violations.
server: Run as API server.
version: Display version information.
help: Show help for commands.
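The following is an added example (not code from the Terrascan project) of wrapping the scan options above in a CI step that fails the build on findings at or above a chosen severity. It assumes the json output lists each finding under results.violations with a severity field; the report contents, rule names and the rule id passed to --skip-rules are constructed placeholders.

```shell
#!/bin/sh
# Added example: CI gate around `terrascan scan`. Flags are the ones documented
# on this page; the JSON layout (results.violations[].severity) is an assumption.

# Compose the scan command from CI variables so the step is reproducible.
# Arguments: iac-dir, iac-type, minimum severity, optional comma-separated skip list.
build_scan_cmd() {
  dir="$1"; type="$2"; sev="$3"; skip="$4"
  cmd="terrascan scan -d $dir -i $type -o json --severity $sev"
  if [ -n "$skip" ]; then
    cmd="$cmd --skip-rules $skip"
  fi
  printf '%s\n' "$cmd"
}

# Rank severities so "at or above" comparisons work in plain sh.
sev_rank() {
  case "$1" in
    HIGH|high)     echo 3 ;;
    MEDIUM|medium) echo 2 ;;
    LOW|low)       echo 1 ;;
    *)             echo 0 ;;
  esac
}

# Count findings in a JSON report whose severity is >= the threshold.
# Uses grep/sed only (no jq) so it runs on a minimal CI image; assumes the
# "severity" key appears only inside violation entries.
count_at_or_above() {
  report="$1"; threshold=$(sev_rank "$2"); n=0
  for s in $(grep -o '"severity": *"[A-Za-z]*"' "$report" | sed 's/.*"\([A-Za-z]*\)"$/\1/'); do
    if [ "$(sev_rank "$s")" -ge "$threshold" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Succeeds only when no finding reaches the threshold (use as the CI exit status).
gate() {
  [ "$(count_at_or_above "$1" "$2")" -eq 0 ]
}

# Constructed sample report (not real Terrascan output): two HIGH, one MEDIUM, one LOW.
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
{"results":{"violations":[
 {"rule_name":"EXAMPLE_RULE_1","severity":"HIGH"},
 {"rule_name":"EXAMPLE_RULE_2","severity":"HIGH"},
 {"rule_name":"EXAMPLE_RULE_3","severity":"MEDIUM"},
 {"rule_name":"EXAMPLE_RULE_4","severity":"LOW"}]}}
EOF
```

In a pipeline, run the command printed by build_scan_cmd with its output redirected to a file, then call gate on that file with the severity the team has agreed to block on.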
CAVEATS
Requires a Go toolchain to build from source, or a pre-built binary. Policy updates require re-running `terrascan init`. Some policies may generate false positives, which must be handled with rule exclusions (--skip-rules). Scanning large codebases can be resource-intensive.
HISTORY
Terrascan was originally developed by Accurics and is now maintained by Tenable. It provides pre-deployment security scanning for cloud-native infrastructure, helping organizations implement security as code practices.