Terrascan Expands Beyond Policy as Code for IaC

Terrascan emerged from the need for a scalable way to ensure that cloud infrastructure configuration adheres to evolving security best practices. It helps identify issues such as missing or misconfigured encryption on resources and communication, and inadvertent exposure of cloud services. Terrascan fundamentally enhances the value of Infrastructure as Code (IaC) used by organizations to define and manage cloud infrastructure, and improves security by enabling teams to eliminate risk before infrastructure is deployed.

Policy as Code has proven a great fit for enforcing policies in automated workflows, and Terrascan’s focus on Infrastructure as Code (IaC) such as Terraform and Kubernetes has filled an important role. As we integrated Terrascan into DevOps tooling, pipelines and software supply chains, we realized that IaC is not the only source of risk we can help mitigate before deployment.

Over the past few months, we’ve been busy expanding Terrascan’s ability to enforce policies across multiple important dimensions of risk.

Addressing Risks in IaC and Container Source Files

We added support for scanning Dockerfiles, to help identify security misconfigurations in container-based architectures including Kubernetes. We also added support for Azure Resource Manager (ARM) templates, an IaC technology that’s native to Azure, and for scanning CloudFormation templates including nested stacks.

Adding support for new input formats includes creating policies for relevant security risks in those formats. For example, we added numerous Dockerfile policies including one to ensure that Dockerfiles don’t RUN commands as root.

Managing Vulnerability Risks in Containers

In addition to identifying security misconfigurations in IaC, Terrascan can now identify security vulnerabilities in container images referenced from Elastic Container Registry (ECR), Azure Container Registry, Google Container Registry, Google Artifact Registry, and Harbor. This is especially useful for ensuring the absence of vulnerabilities in custom and third-party containers used and built in your development pipelines.

Enforcing Policy During Deployment to Kubernetes Clusters

Terrascan can now be used as an admission controller for Kubernetes, enforcing policies as changes are applied to the cluster and preventing security issues from making it into the runtime environment. Gone are the days of managing different tools and policies for pipelines and runtime. Terrascan enables you to enforce the same policies in development and runtime!

Improving Relevance with Prioritization and Filtering

Finding violations is important, but sometimes less is more. Terrascan now offers the ability to prioritize or de-prioritize issues based on specific levels of severity for policies in each IaC file. This helps tailor policies within Terrascan for the particular use case or architecture being tested, so you can focus specifically on the issues you care most about.

Deeper Integrations, Better Automation

Automating policy enforcement into existing workflows ensures that controls are applied consistently without increasing friction in the development process. The Terrascan GitHub action can be used within GitHub workflows to detect and prevent security issues from being merged into your code repository.

For those that need earlier enforcement, evaluating IaC even before code is committed into version control, Terrascan provides a pre-commit hook which runs on the developer workstation before code changes are committed into the git repository.

Better Collaboration with Reporting and Compliance Processes

Enforcing policies in development processes is important, but it’s sometimes just as important to be able to demonstrate that development processes are continuously compliant with the security policy. Terrascan has added support for SARIF output to facilitate integration with common compliance and security reporting tools, such as GitHub security reports.

Easier Custom Policy Development for Advanced Needs

Terrascan includes an extensive library of policies and best practices, but sometimes you need to implement policies that address your unique requirements or circumstances. The newly published Terrascan Rego Editor, a VS Code extension, makes it easier to create and test policies with a seamless workflow driven in the IDE.

Automating Terraform Security with pre-commit-terraform and Terrascan

One of the best things about using Terraform to manage your systems is that best practices can be defined and applied to your templates in a manner similar to what is done with application code. This means that linting and testing the infrastructure as code (IaC) templates for quality, operational, and security issues can be accomplished easily, using some of the same workflows as application code. The most common place to enforce coding best practices is in continuous integration (CI) pipelines.

You can configure your CI pipelines to help enforce compliance with your coding policies by automatically executing validation scripts and tools and failing the CI job whenever there’s a violation. These can be configured to prevent any merges to your main branch if there’s a violation that could be considered a blocker to your system.

One of the drawbacks to relying on pipelines for enforcement is that they are bottlenecks in the development process. Every code change goes through them, and one bad commit can break the build for everybody. This can be extremely disruptive when teams are iterating quickly. One way to avoid this problem is to use a pre-commit hook to enforce standards locally on a developer’s system before pushing code to the repository. By adding a pre-commit configuration to your repository, you can help those contributing to your repository test locally to ensure their commit will not break the build once it is pushed and CI pipelines are completed.

For Terraform, one of the best projects out there to configure your repository’s pre-commit scripts is pre-commit-terraform. The pre-commit-terraform project includes multiple git hooks specifically for Terraform that can help with linting, documentation, operational, and security compliance. As part of its security toolbox pre-commit-terraform includes Terrascan, the static code analyzer for IaC maintained by Accurics.

Terraform security with pre-commit-terraform

Let’s take a look at how Terrascan can be leveraged to find Terraform security issues using pre-commit-terraform in an example.

The first step is to install pre-commit. Alternate ways of installing are available here. ~ ➜ pip install pre-commit

Once pre-commit is installed we can create the repository that will contain our Terraform templates.

~ ➜  mkdir pre-commit-tf-example
~ ➜  git init pre-commit-tf-example
~ ➜  cd pre-commit-tf-example

We’ll add a .pre-commit-config.yaml file in the root of our repository configured to use the terrascan git hook within the pre-commit-terraform repository. We’ll reference release v1.50.0 which is the latest release as of this writing.

pre-commit-tf-example git:(main) ✗ ➜  cat .pre-commit-config.yaml
-   repo: https://github.com/antonbabenko/pre-commit-terraform
	rev: v1.50.0
	-   id: terrascan
pre-commit-tf-example git:(main) ✗ ➜

Now, we’ll run the pre-commit install, which will configure pre-commit for this particular repository using the information obtained from the .pre-commit-config.yaml file.

pre-commit-tf-example git:(master) ✗ ➜  pre-commit install
pre-commit installed at .git/hooks/pre-commit
pre-commit-tf-example git:(master) ✗ ➜  

Let’s add a Terraform template with a known violation. In this case we’re going to add an AWS S3 object resource that’s missing the encryption at rest configuration.

pre-commit-tf-example git:(master) ✗ ➜  cat main.tf
variable "bucket" {}

resource "aws_s3_bucket_object" "html" {
  bucket   	= var.bucket
  key      	= "index.html"
  source   	= "index.html"
  acl      	= "public-read"
  content_type  = "text/html"
  etag     	= filemd5("index.html")
pre-commit-tf-example git:(master) ✗ ➜  

Once we try to commit the Terraform template, pre-commit will execute Terrascan. Since we have not set encryption for this object, Terrascan will fail and provide feedback on what it found.

pre-commit-tf-example git:(master) ✗ ➜  git add . && git commit -m 'add terraform'
[INFO] Initializing environment for https://github.com/antonbabenko/pre-commit-terraform.
- hook id: terrascan
- exit code: 3

Violation Details -
    Description	:    Ensure S3 object is Encrypted
    File       	:    main.tf
    Line       	:    3
    Severity   	:    MEDIUM

Scan Summary -

    File/Folder     	  :    /Users/therasec/pre-commit-tf-example
    IaC Type        	  :    terraform
    Scanned At      	  :    2021-05-10 03:32:22.117445 +0000 UTC
    Policies Validated  :    607
    Violated Policies   :    1
    Low             	  :    0
    Medium          	  :    1
    High             	  :    0
pre-commit-tf-example git:(master) ✗ ➜  

Let’s fix the issue by configuring server side encryption for the object and try to commit again.

pre-commit-tf-example git:(master) ✗ ➜  cat main.tf

variable "bucket" {}

resource "aws_kms_alias" "a" {
  name = "alias/my-key-alias"

resource "aws_s3_bucket_object" "html" {
  bucket             	= var.bucket
  key                	= "index.html"
  source             	= "index.html"
  acl                	= "public-read"
  content_type       	= "text/html"
  etag               	= filemd5("index.html")
  server_side_encryption = "AES256"
  kms_key_id         	= data.aws_kms_alias.a.target_key_id
pre-commit-tf-example git:(master) ✗ ➜  

Since we added the server_side_encryption and kms_key_id parameters, the issue should be solved and we should be able to perform git commit.

pre-commit-tf-example git:(master) ✗ ➜  git add .
pre-commit-tf-example git:(master) ✗ ➜  git commit -m 'add terraform'
[master (root-commit) 41138a6] adds terraform
 2 files changed, 22 insertions(+)
 create mode 100644 .pre-commit-config.yaml
 create mode 100644 main.tf
pre-commit-tf-example git:(master) ✗ ➜  

By using a pre-commit hook we’re able to get quick feedback into security issues affecting the code we’re trying to commit. This allows us to solve issues quickly and prevent any misconfigurations from being merged into our baseline code. Terrascan can be leveraged as a pre-commit hook and as part of your CI/CD pipelines to find Terraform security weaknesses and is included as part of the pre-commit-terraform project.

Terraform Security: Terrascan in Atlantis Workflows

Atlantis is a popular open source automation platform for Terraform that leverages an organization’s code repository, such as Git, to streamline and automate Terraform workflows. At its most basic:

  • New Terraform code is introduced as a pull request
  • Atlantis automatically creates a Terraform plan with the new changes.
  • A colleague reviews the pull request, a common development practice.
  • Atlantis will apply the new plan when it receives the command, deploying new cloud infrastructure.

This is a very powerful way to manage complex cloud infrastructure across multiple teams. Moreover, the version control system naturally provides useful features like version control, permission management and audit logs.

At Tenable, we are most excited about how the entire workflow is managed as a single pull request thread. Moreover, at the end of the process, the Terraform code repository should reflect the actual deployed infrastructure. While not explicitly a GitOps approach for Terraform automation, a lot of the core tenets are present. We work well in GitOps workflows, so we decided to explore whether we can seamlessly integrate Terrascan into the Atlantis workflow.

Terraform Security with Atlantis and Terrascan

Terrascan is an infrastructure as Code (IaC) security scanner. Powered by hundreds of OPA’s Rego security policies, it scans Terraform source code and detects security vulnerabilities embedded within them. It allows users to fix vulnerable infrastructure before it is ever deployed. Scanning can be done at different stages of the deployment lifecycle. Ideally, it would be done in multiple stages.

By integrating Terrascan directly into the Atlantis workflow, scan results are reported as part of the same pull request workflow, which will inform the pull request reviewer before approving. In the spirit of automation, Terrascan can fail the automated plan build if a vulnerability of a certain severity is found.

Terraform security - Terrascan finds policy violations in Atlantis workflows

Of course, that is not the only place that Terrascan can fit in the development lifecycle. A developer can scan their code as they are writing it. Terrascan’s Github Action can automatically scan new code as it is pushed, which could actually reduce the turnaround time for a fix. To enforce policy at the organizational level, just before code is applied as infrastructure, integrating Terrascan into the Atlantis flow provides a welcome new level of security.

Getting Started with Terrascan in Atlantis

Terrascan supports being run as a server on a separate environment, so only network connectivity is required to integrate Terrascan into existing Atlantis environments. For even more flexibility, we will soon publish an Atlantis container image that includes the Terrascan binary.

To integrate Terrascan into your Atlantis deployment, please follow the steps in our documentation.