This the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Usage

In depth look into the many options Terrascan supports

For steps to install locally, or run Terrascan from docker, see this section.

Building Terrascan

Terrascan is a Go binary that you can build locally. This is useful if you want to be on the latest version, or when modding Terrascan.

$ git clone git@github.com:tenable/terrascan.git
$ cd terrascan
$ make build
$ ./bin/terrascan

Using Terrascan

This section provides an overview of the different ways you can use Terrascan:

  1. Command line mode provides list of Terrascan commands with descriptions.
  2. Server mode using Terrascan as API server

See Configuring Terrascan to learn more about Terrascan’s configuration file.

See In-File Instrumentation to learn how to granularly customize your scan based on particular resources and rules. For example, by skipping certain rules or resources.

Integrations

Terrascan can be integrated into various platforms and configured to validate policies to provide run time security. Currently Terrascan supports the following integrations:

  1. Kubernetes (K8s) Admissions webhooks
  2. ArgoCD
  3. Atlantis
  4. Github and GitLab or CI/CD pipelines

1 - Command Line Options

Run Terrascan in terminal. Read about flags and command line arguments.

This section contains the following information:

The following is a description of all the commands available. Terrascan’s interface is divided into subcommands as follows:

  • init = Initializes Terrascan by downloading the latest Rego policies into ~/.terrascan. The scan command will implicitly run this before a scan if it detects that there are no policies found.
  • scan = scans Infrastructure as code files based on the policies contained within the “.terrascan” directory
  • server = Starts the Terrascan’s API server
  • help = You can view the usage menu by typing help or using the -h flag on any subcommand (e.g. terrascan init -h). You can also view this by typing terrascan without flags or other arguments.

Terrascan Commands

$ terrascan
Terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
For more information, please visit https://runterrascan.io/

Usage:
  terrascan [command]

Available Commands:
  help        Provides usage info about any command
  init        Initialize Terrascan
  scan        Start scan to detect compliance and security violations across Infrastructure as Code.
  server      Run Terrascan as an API server
  version     Shows the Terrascan version you are currently using.

Flags:
  -c, --config-path string      config file path
  -h, --help                    help for terrascan
  -l, --log-level string        log level (debug, info, warn, error, panic, fatal) (default "info")
      --log-output-dir string   directory path to write the log and output files
  -x, --log-type string         log output type (console, json) (default "console")
  -o, --output string           output type (human, json, yaml, xml, junit-xml, sarif, github-sarif) (default "human")
      --temp-dir string         temporary directory path to download remote repository,module and templates

Use "terrascan [command] --help" for more information about a command.

Initializing (optional)

The initialization process downloads the latest policies from the repository into ~/.terrascan. By default the policies are installed here: ~/.terrascan/pkg/policies/opa/rego and are fetched while scanning an IaC. Use the following command to start the initialization process if you are updating the policies:

$ terrascan init

Note: The init command is implicitly executed if the scan command does not find policies while executing.

Scanning

If the scan command is used with no arguments (as shown below), the scan will include all supported cloud providers on Terraform HCL files:

$ terrascan scan

The scan command supports flags to configure the following:

  • Specify a directory to be scanned
  • Specify a particular IaC file to be scanned
  • Configure IaC provider type
  • Directory path to policies
  • Specify policy type
  • Retrieve vulnerability scanning results from docker images referenced in IaC

The full list of flags for the scan command can be found by typing terrascan scan -h

Scanning current directory containing terraform files for AWS Resources

The following will scan the current directory containing Terraform HCL2 files for AWS resources:

$ terrascan scan -t aws

Scanning for a specific IaC provider

By default, Terrascan defaults to scanning Terraform HCL files. Use the -i flag to change the IaC provider. Here’s an example of scanning kubernetes yaml files:

$ terrascan scan -i k8s

Scanning code remotely

Terrascan can be installed remotely to scan remote repositories or code resources using the -r and -u flags. Here’s an example:

$ terrascan scan -t aws -r git -u git@github.com:tenable/KaiMonkey.git//terraform/aws

Important: The URLs for the remote repositories should follow similar naming conventions as the source argument for modules in Terraform. For more details, see this article.

Scanning private Terraform module repositories

When scanning Terraform code, Terrascan checks for the environment variable TF_CLI_CONFIG_FILE. If found uses the credential file provided in that environment variable to authenticate a private terraform module registry. If the env variable is not found then checks for the availability of the file ~/.terraformrc. This file contains credential information to authenticate a private terraform module registry. If this file is present, Terrascan will attempt to use the credentials when authenticating the private repository. For more details on the format of this file, please see Terraform’s config file documentation.

Configuring the output format for a scan

By default, Terrascan output is displayed in a human friendly format. Use the -o flag to change this to YAML, JSON, XML, JUNIT-XML and SARIF formats.

Note: Terrascan will exit with an error code if any errors or violations are found during a scan.

List of possible Exit Codes

Scenario Exit Code
scan summary has errors and violations 5
scan summary has errors but no violations 4
scan summary has violations but no errors 3
scan summary has no violations or errors 0
scan command errors out due to invalid inputs 1

Terrascan’s output is a list of security violations present in the scanned IaC files. The example below is terrascan’s output in YAML.

$ terrascan scan -t aws
results:
  violations:
  - rule_name: scanOnPushDisabled
    description: Unscanned images may contain vulnerabilities
    rule_id: AWS.ECR.DataSecurity.High.0578
    severity: MEDIUM
    category: Data Security
    resource_name: scanOnPushDisabled
    resource_type: aws_ecr_repository
    file: ecr.tf
    line: 1
  count:
    low: 0
    medium: 1
    high: 0
    total: 1

Scanning a Helm Chart

Helm chart can be scanned by specifying “helm” on the -i flag as follows:

$ terrascan scan -i helm

This command will recursively look for Chart.yaml files in the current directory and scan rendered .yaml, .yml, .tpl template files found under the corresponding /templates directory.

A specific directory to scan can be specified using the -d flag. The Helm IaC provider does not support scanning of individual files using the -f flag.

Scanning a Kustomize Chart

A Kustomize chart can be scanned by specifying “kustomize” on the -i flag as follows:

$ terrascan scan -i kustomize

This command looks for a kustomization.yaml file in the current directory and scans rendered .yaml or .yml template files.

Terrascan considers Kustomize v4 as the default version. Other supported versions (v2 and v3) of Kustomize could be scanned by specifying –iac-version flag as follows:

$ terrascan scan -i kustomize --iac-version v2

Scanning v2 and v3 requires the corresponding Kustomize binary and the path to the binary must be specified in the KUSTOMIZE_<VERSION> ENV variable.

e.g: For –iac-version v2, we need to have:

KUSTOMIZE_V2=path/to/kustomize/v2/binary

To install Kustomize one can use this script

A specific directory to scan can be specified using the -d flag. The Kustomize IaC provider does not support scanning of individual files using the -f flag.

Scanning a Dockerfile

A Dockerfile can be scanned by specifying “docker” on the -i flag as follows:

$ terrascan scan -i docker

This command looks for a Dockerfile in the current directory and scans that file.

A specific directory to scan can be specified using the -d flag. With the -d flag, it will check for all the docker files (named as Dockerfile) in the provided directory recursively. A specific dockerfile can be scanned using -f flag by providing a path to the file.

Retrieve Container Image Vulnerabilities

Terrascan can display vulnerabilities for container images present in the IaC files being scanned by specifying the --find-vuln flag along with the scan command as follows:

$ terrascan scan -i <IaC Provider> --find-vuln

This command looks for container images referenced in the IaC files and retrieves any vulnerabilities as reported by its container registry.

Supported container registries: AWS Elastic Container Registry (ECR), Azure Container Registry, Google Container Registry, Google Artifact Registry, and Harbor Container Registry.

The following environment variables are required when connecting to the container registries:

AWS Elastic Container Registry (ECR)

ECR requires your environment to be configured similar to the requirements of AWS’s SDK. For example, the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION environment variables can be set when connecting to AWS using API keys for an AWS user. More information here.

Google Container Registry and Artifact Registry

Terrascan requires a service account with access to the Container Analysis and Container Registry permissions. The GOOGLE_APPLICATION_CREDENTIALS environment variable can be set to the path of the service account’s key when scanning. More information about GCP authentication available here.

Azure Container Registry

When integrating vulnerability results from Azure, Terrascan requires the AZURE_AUTH_LOCATION, and AZURE_ACR_PASSWORD environment variables.

The AZURE_AUTH_LOCATION should contain the path to your azure authentication json. You can generate this as follows:

az ad sp create-for-rbac --sdk-auth > azure.auth

After generating the file, set the azure.auth file path as the AZURE_AUTH_LOCATION environment variable. More information about using file based authentication for the Azure SDK available here.

Terrascan also requires the password to the registry set into the AZURE_ACR_PASSWORD environment variable. This can be fetched using the az cli as follows:

az acr credential show --name RegistryName

Harbor Container Registry

When integrating vulnerability results from Harbor, Terrascan requires the HARBOR_REGISTRY_USERNAME, HARBOR_REGISTRY_PASSWORD,HARBOR_REGISTRY_CACERT, HARBOR_SKIP_TLS, and HARBOR_REGISTRY_DOMAIN environment variables.

The HARBOR_REGISTRY_DOMAIN environment variable helps Terrascan identify the registry’s domain.

The HARBOR_SKIP_TLS environment variable can be set to true to avoid TLS errors when Harbor is using a non-trusted TLS certificate. This is not recommended for production use.

Resource Config

While scanning a IaC, Terrascan loads all the IaC files, creates a list of resource configs and then processes this list to report violations. For debugging purposes, you can print this resource configs list as an output by using the --config-only flag to the terrascan scan command.

$  terrascan scan -i terraform -t aws -f elb.tf --config-only -o json
{
  "aws_elb": [
    {
      "id": "aws_elb.public_elb",
      "name": "public_elb",
      "module_name": "root",
      "source": "elb.tf",
      "line": 1,
      "type": "aws_elb",
      "config": {
        "connection_draining": true,
        "health_check": [
          {
            "healthy_threshold": 2,
            "interval": 15,
            "target": "HTTP:80/index.html",
            "timeout": 3,
            "unhealthy_threshold": 2
          }
        ],
        "instances": "${aws_instance.web.*.id}",
        "listener": [
          {
            "instance_port": 80,
            "instance_protocol": "http",
            "lb_port": 80,
            "lb_protocol": "http"
          }
        ],
        "name": "${local.prefix.value}-public-elb",
        "security_groups": [
          "${aws_security_group.public_internet.id}"
        ],
        "subnets": "${aws_subnet.public.*.id}",
        "tags": {
          "Name": "${local.prefix.value}-public-elb"
        }
      },
      "line_config": {
        "connection_draining": 16,
        "health_check": [
          {
            "healthy_threshold": 9,
            "interval": 13,
            "target": 12,
            "timeout": 11,
            "unhealthy_threshold": 10
          }
        ],
        "instances": 6,
        "listener": [
          {
            "instance_port": 18,
            "instance_protocol": 19,
            "lb_port": 20,
            "lb_protocol": 21
          }
        ],
        "name": 2,
        "security_groups": 5,
        "subnets": 4,
        "tags": {
          "Name": 25
        }
      },
      "skip_rules": null,
      "max_severity": "",
      "min_severity": ""
    }
  ]
}

More details on scan command

List of options for scan command:

Flag Description Options (default highlighted )
-h Help for scan command See a list of all flags supported and descriptions. The default options for all commands are highlighted in bold
-d Use this to scan a specific directory. Use “.” for current directory AWS, GCP, Azure, and GitHub
-f Use this command to scan a specific file <tbd any formats/limitations for example file size>
-i type Use this to change the IaC provider arm, cft, docker, helm, k8s, kustomize, terraform
–iac-version version Use this in conjunction with - i type to specify the version of IaC provider Supported versions of each IaC are: arm: v1, cft: v1, docker: v1, helm: v3, k8s: v1, kustomize: v2, v3, v4, terraform: v12, v13, v14, v15
-p Use this to specify directory path for policies By default policies are installed here:
-t Use this to specify individual cloud providers all, aws, azure, gcp, github, k8s
-r Use this to specify directory path for remote backend git, s3, gcs, http
-u Use this to specify directory URL for remote IaC repositories see options below
scan-rules Specify rules to scan, example: –scan-rules=“ruleID1,ruleID2”
skip-rules Specify one or more rules to skip while scanning. Example: –skip-rules=“ruleID1,ruleID2”
use-colors Configure the color for output (auto, t, f)
–non-recursive Use this for non recursive directories and modules scan By default directory is scanned recursively, if this flag is used then only provided root directory will be scanned
–webhook-token string Optional token used when sending authenticated requests to the notification webhook This flag is optional when using the notification webhook
–webhook-url A webhook URL where Terrascan will send JSON scan report and normalized IaC JSON This overrides any notification webhook URLs configured in config TOML file specified with the -c flag
–use-terraform-cache Use this to refer terraform remote modules from terraform init cache rather than downloading By default remote module will be downloaded in temporary directory. If this flag is set then modules will be refered from terraform init cache if module is not present in terraform init cache it will be downloaded. Directory will be scanned non recurively if this flag is used.(applicable only with terraform IaC provider)
–find-vuln find vulnerabilities Use this to fetch vulnerabilities identified on the registry for docker images present in IaC the files scanned
–repo-url repository url This flag can be used to include the repository URL as part of scan results and notifications
–repo-ref repository branch name This flag can be used to include the repository branch name as part of scan results and notifications
-v verbose Displays violations with all details
Global flags Description Options
-c Use this to specify config file settings Format supported is *.TOML
-l Use this to specify what log settings debug, info, warn, error, panic, fatal
–log-output-dir Use this to specify the directory path for writing the scan output to files along with console output. Using this flag will generate two files in the directory path provided, terrascan.log and scan-result.<ext>. The scan-result file extension will be in sync with -o flag (e.g. -o json will create scan-result.json). In case the directory could not be resolved, the scan logs and results will be printed on console only.
-x Use this to specify the log file format console, json
-o Use this to specify the scan output type human, json, yaml, xml, junit-xml, sarif, github-sarif
–temp-dir Use this to specify temporary directory path to download remote repository,module and templates

Full help for scan command:

$ terrascan scan -h
Terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

Usage:
  terrascan scan [flags]

Flags:
      --categories strings                  list of categories of violations to be reported by terrascan (example: --categories="category1,category2")
      --config-only                         will output resource config (should only be used for debugging purposes)
      --find-vuln                           fetches vulnerabilities identified in Docker images
  -h, --help                                help for scan
  -d, --iac-dir string                      path to a directory containing one or more IaC files (default ".")
  -f, --iac-file string                     path to a single IaC file
  -i, --iac-type string                     iac type (arm, cft, docker, helm, k8s, kustomize, terraform, tfplan)
      --iac-version string                  iac version (arm: v1, cft: v1, docker: v1, helm: v3, k8s: v1, kustomize: v2, v3, v4, terraform: v12, v13, v14, v15, tfplan: v1)
      --non-recursive                       do not scan directories and modules recursively
      --webhook-token string   the auth token to call the notification webhook URL
      --webhook-url string     the URL where terrascan will send the scan report and normalized config json
  -p, --policy-path stringArray             policy path directory
  -t, --policy-type strings                 policy type (all, aws, azure, docker, gcp, github, k8s) (default [all])
  -r, --remote-type string                  type of remote backend (git, s3, gcs, http, terraform-registry)
  -u, --remote-url string         url pointing to remote IaC repository
      --repo-ref string           branch of the repo being scanned
      --repo-url string           URL of the repo being scanned, will be reflected in scan summary
      --scan-rules strings                  one or more rules to scan (example: --scan-rules="ruleID1,ruleID2")
      --severity string                     minimum severity level of the policy violations to be reported by terrascan
      --show-passed                         display passed rules, along with violations
      --skip-rules strings                  one or more rules to skip while scanning (example: --skip-rules="ruleID1,ruleID2")
      --use-colors string                   color output (auto, t, f) (default "auto")
      --use-terraform-cache                 use terraform init cache for remote modules (when used directory scan will be non recursive, flag applicable only with terraform IaC provider)
  -v, --verbose                             will show violations with details (applicable for default output)

Global Flags:
  -c, --config-path string      config file path
  -l, --log-level string        log level (debug, info, warn, error, panic, fatal) (default "info")
      --log-output-dir string   directory path to write the log and output files
  -x, --log-type string         log output type (console, json) (default "console")
  -o, --output string           output type (human, json, yaml, xml, junit-xml, sarif, github-sarif) (default "human")
      --temp-dir string         temporary directory path to download remote repository,module and templates

2 - Server mode

Run Terrascan as an API server

Server mode will execute Terrascan’s API server. This is useful when using Terrascan to enforce a unified set of policies and configuration in multiple parts of the software development pipelines. It also simplifies programmatically interacting with Terrascan. By default the http server listens in port 9010 and supports the following routes:

Note: URL placeholders are equivalent to the command line flags in the scan command

API Routes

Check health of server

  • GET - /health

Scan IaC File

  • POST - /v1/{iac}/{iacVersion}/{cloud}/local/file/scan

POST Parameter: file - Content of the file to be scanned

Example: curl -i -F "file=@aws_cloudfront_distribution.tf" localhost:9010/v1/terraform/v14/aws/local/file/scan

Scan Remote IaC

  • POST - /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan

Run Terrascan in Server Mode

You can launch server mode by executing the Terrascan binary, or with a Docker container. Use the following to execute the Terrascan CLI:

$ terrascan server

Use this command to launch Terrascan server mode using Docker:

$ docker run --rm --name terrascan -p 9010:9010 tenable/terrascan

Example of how to send a request to the Terrascan server using curl:

$ curl -i -F "file=@aws_cloudfront_distribution.tf" localhost:9010/v1/terraform/v14/aws/local/file/scan
HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Date: Sun, 16 Aug 2020 02:45:35 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked

{
  "results": {
    "violations": [
      {
        "rule_name": "cloudfrontNoGeoRestriction",
        "description": "Ensure that geo restriction is enabled for your Amazon CloudFront CDN distribution to whitelist or blacklist a country in order to allow or restrict users in specific locations from accessing web application content.",
        "rule_id": "AWS.CloudFront.Network Security.Low.0568",
        "severity": "LOW",
        "category": "Network Security",
        "resource_name": "s3-distribution-TLS-v1",
        "resource_type": "aws_cloudfront_distribution",
        "file": "terrascan-492583054.tf",
        "line": 7
      },
      {
        "rule_name": "cloudfrontNoHTTPSTraffic",
        "description": "Use encrypted connection between CloudFront and origin server",
        "rule_id": "AWS.CloudFront.EncryptionandKeyManagement.High.0407",
        "severity": "HIGH",
        "category": "Encryption and Key Management",
        "resource_name": "s3-distribution-TLS-v1",
        "resource_type": "aws_cloudfront_distribution",
        "file": "terrascan-492583054.tf",
        "line": 7
      },
      {
        "rule_name": "cloudfrontNoHTTPSTraffic",
        "description": "Use encrypted connection between CloudFront and origin server",
        "rule_id": "AWS.CloudFront.EncryptionandKeyManagement.High.0407",
        "severity": "HIGH",
        "category": "Encryption and Key Management",
        "resource_name": "s3-distribution-TLS-v1",
        "resource_type": "aws_cloudfront_distribution",
        "file": "terrascan-492583054.tf",
        "line": 7
      },
      {
        "rule_name": "cloudfrontNoLogging",
        "description": "Ensure that your AWS Cloudfront distributions have the Logging feature enabled in order to track all viewer requests for the content delivered through the Content Delivery Network (CDN).",
        "rule_id": "AWS.CloudFront.Logging.Medium.0567",
        "severity": "MEDIUM",
        "category": "Logging",
        "resource_name": "s3-distribution-TLS-v1",
        "resource_type": "aws_cloudfront_distribution",
        "file": "terrascan-492583054.tf",
        "line": 7
      },
      {
        "rule_name": "cloudfrontNoSecureCiphers",
        "description": "Secure ciphers are not used in CloudFront distribution",
        "rule_id": "AWS.CloudFront.EncryptionandKeyManagement.High.0408",
        "severity": "HIGH",
        "category": "Encryption and Key Management",
        "resource_name": "s3-distribution-TLS-v1",
        "resource_type": "aws_cloudfront_distribution",
        "file": "terrascan-492583054.tf",
        "line": 7
      }
    ],
    "count": {
      "low": 1,
      "medium": 1,
      "high": 3,
      "total": 5
    }
  }
}

3 - In-file Instrumentation

Terrascan can be instrumented using special commands inside your IaC files (Terraform, K8s and dockerfile)

Today, Terrascan supports these instrumentations:

  • Rule Skipping
  • Resource Prioritization

Rule Skipping

Rule skipping allows you to specify a rule that should not be applied to a particular resource.

Note: In-file instrumentation will skip the rule only for the resource it is defined in. The skip_rules parameter in the config file will skip the rule for the entire scan.

In Terraform

Use the syntax #ts:skip=RuleID optional_comment inside a resource to skip the rule for that resource.

Example

resource "aws_db_instance" "PtShGgAdi4" {
  #ts:skip=AWS.RDS.DataSecurity.High.0414 Reason to skip this rule
  allocated_storage       = 20
  storage_type            = "gp2"
  engine                  = "mysql"
  engine_version          = "5.7"
  instance_class          = "db.t2.micro"
 .
 .
 .
}

In Kubernetes

Use the annotation runterrascan.io/skip:[{\"rule\": \RuleID\", \"comment\": \"reason to skip the rule\"}] inside a resource to skip the rule for that resource.

Example

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-demo-disallowed
  annotations:
    runterrascan.io/skip: "[{\"rule\": \"AC-K8-NS-IN-H-0020\", \"comment\": \"reason to skip the rule\"}]"
spec:
  rules:
    - host: example-host.example.com
      http:
        paths:
          - backend:
              serviceName: nginx
              servicePort: 80

In Dockerfile

Use the syntax #ts:skip=RuleID optional_comment inside the dockerfile to skip the rule for that resource.

Example

FROM runatlantis/atlantis:v0.16.1
#ts:skip=AC_DOCKER_0001 skip this rule.
ENV DEFAULT_TERRASCAN_VERSION=1.5.1
RUN terrascan init
ENTRYPOINT ["/bin/bash", "entrypoint.sh"]
CMD ["server"]

Resource Prioritization

Resource prioritization allows you set maximum and minimum severities for violations in a given resource. Are you configuring a very sensitive resource? Set the minimum severity to High, so low and medium violations will be escalated. Need to suppress all violations from a particular resource? Set the maximum severity to None.

For maximum severity, meaningful options are Medium, Low, and None.

For minimum severity, meaningful options are High and Medium.

In Terraform

Use the syntax #ts:maxseverity=SEVERITY, or #ts:minseverity=SEVERITY inside a resource to skip the rule for that resource.

Example

resource "aws_db_instance" "PtShGgAdi4" {
  #ts:maxseverity=Low
  allocated_storage       = 20
  storage_type            = "gp2"
  engine                  = "mysql"
  engine_version          = "5.7"
  instance_class          = "db.t2.micro"
  .
  .
  .
}

In Kubernetes

Use the annotation runterrascan.io/minseverity: SEVERITY, or runterrascan.io/maxseverity: SEVERITY inside a resource to skip the rule for that resource.

Example

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-demo-disallowed
  annotations:
    runterrascan.io/minseverity: Low
spec:
  rules:
    - host: example-host.example.com
      http:
        paths:
          - backend:
              serviceName: nginx
              servicePort: 80

In Dockerfile

Use the syntax #ts:maxseverity=SEVERITY, or #ts:minseverity=SEVERITY inside a dockerfile to skip the rule for that resource.

Example

#ts:maxseverity=None
FROM runatlantis/atlantis:v0.16.1
ENV DEFAULT_TERRASCAN_VERSION=1.5.1
RUN terrascan init
ENTRYPOINT ["/bin/bash", "entrypoint.sh"]
CMD ["server"]

4 - Configuration File

Configure Terrascan via it’s configuration file.

You can provide a configuration file in TOML format to configure the Terrascan.

Command to specify config File

Use the -c or --config-path flag provide a TOML configuration file for Terrascan.

$ terrascan scan -c <config file path>

Here’s an example config file:

[notifications]
    [notifications.webhook]
    url = "https://httpbin.org/post"
    token = "my_auth_token"

[severity]
level = "medium"
[rules]
    skip-rules = [
        "accurics.kubernetes.IAM.107"
    ]

[k8s-admission-control]
    denied-categories = [
        "Network Ports Security"
    ]
    denied-severity = "high"
    dashboard=true

[policy]
environment = "<environment_url>"
access_token = "<access_token>"

You can specify the following configurations:

  • scan-rules - Specify one or more rules to scan. All other rules in the policy pack will be skipped.
  • skip-rules - Specify one or more rules to skip while scanning. All other rules in the policy pack will be applied.
  • severity - the minimal level of severity of the policies to be scanned and displayed. Options are high, medium and low
  • category - the list of type of categories of the policies to be scanned and displayed
  • notifications - This configuration can be used, as seen in the example above, to send the output of scans as a webhook to a remote server. Note that the --notification-webhook-url CLI flag will override any URLs configured through a configuration file.

k8s-admission-control - Config options for K8s Admission Controllers and GitOps workflows:

  • denied-severity - Violations of this or higher severity will cause and admission rejection. Lower severity violations will be warnings. Options are high, medium. and low
  • denied-categories - Violations from these policy categories will lead to an admission rejection. Policy violations of other categories will lead to warnings.
  • dashboard=true - enable the /logs endpoint to log and graphically display K8s admission requests and violations. Default is false

policy - Config options for policy source and destination path information

  • path - Sets the local path for terrascan files including policies

  • rego_subdir - Sub directory within the base path for caching policies

  • repo_url - Repository from which all the policies must be downloaded

  • branch - Specific branch out of the repository to pull the policies

  • environment - Authenticated environment URL for downloading policies. Supercedes any other source if its set along with a valid access token

  • access_token - Authentication token to download policies from authenticated environment

Logging

Logging can be configured by using the -l or --log-level flags with possible values being: debug, info, warn, error, panic, or fatal. This defaults to “info”.

In addition to the default “console” logs, the logs can be configured to be output in JSON by using the -x or --log-type flag with the value of json.