You can provide a configuration file in TOML format to configure the Terrascan.
Command to specify the config file
The --config-path flag (short form -c) provides a TOML configuration file for Terrascan:
$ terrascan scan -c <config file path>
Here’s an example config file:
[notifications]
[notifications.webhook]
url = "https://httpbin.org/post"
token = "my_auth_token"

[severity]
level = "medium"

[rules]
skip-rules = [
  "accurics.kubernetes.IAM.107"
]

[k8s-admission-control]
denied-categories = [
  "Network Ports Security"
]
denied-severity = "high"
dashboard=true
You can specify the following configurations:
- scan-rules - Specify one or more rules to scan. All other rules in the policy pack will be skipped.
- skip-rules - Specify one or more rules to skip while scanning. All other rules in the policy pack will be applied.
- severity - The minimum severity level of the policies to be scanned and displayed. Options are high, medium, and low.
- category - The list of policy categories to be scanned and displayed.
- notifications - This configuration can be used, as seen in the example above, to send the output of scans as a webhook to a remote server. Note that the --notification-webhook-url CLI flag will override any URLs configured through a configuration file.
- k8s-admission-control - Config options for K8s Admission Controllers and GitOps workflows:
  - denied-severity - Violations of this or higher severity will cause an admission rejection. Lower severity violations will be warnings. Options are high, medium, and low.
  - denied-categories - Violations from these policy categories will lead to an admission rejection. Policy violations of other categories will lead to warnings.
  - dashboard=true - Enable the /logs endpoint to log and graphically display K8s admission requests and violations. Default is
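To show how the [rules], [severity] and [k8s-admission-control] tables combine at admission time, here is an added example (not Terrascan's own code) that parses a config like the one above and sorts a constructed set of violations into rejections and warnings. The rule ids other than accurics.kubernetes.IAM.107, the violation records, and the fallback of denied-severity to "high" when the key is absent are assumptions of this example.

```python
try:
    import tomllib  # Python 3.11+ standard library
except ImportError:  # older interpreters: pip install tomli
    import tomli as tomllib

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed config mirroring the example above ([notifications] omitted, not needed here)
CONFIG_TOML = """
[severity]
level = "medium"
[rules]
skip-rules = ["accurics.kubernetes.IAM.107"]
[k8s-admission-control]
denied-categories = ["Network Ports Security"]
denied-severity = "high"
dashboard = true
"""

# Constructed sample violations; rule ids other than IAM.107 are made up for illustration
VIOLATIONS = [
    {"rule": "accurics.kubernetes.IAM.107", "severity": "high", "category": "Identity and Access Management"},
    {"rule": "accurics.kubernetes.NetworkSecurity.1", "severity": "medium", "category": "Network Ports Security"},
    {"rule": "accurics.kubernetes.Security.100", "severity": "low", "category": "Security Best Practices"},
    {"rule": "accurics.kubernetes.Security.101", "severity": "medium", "category": "Security Best Practices"},
]

def load_config(text):
    return tomllib.loads(text)

def filter_violations(cfg, violations):
    """Apply [rules] scan-rules / skip-rules and the [severity] level floor before reporting."""
    only = set(cfg.get("rules", {}).get("scan-rules", []))  # empty means every rule in the pack
    skip = set(cfg.get("rules", {}).get("skip-rules", []))
    floor = SEVERITY_RANK[cfg.get("severity", {}).get("level", "low")]
    return [v for v in violations
            if (not only or v["rule"] in only)
            and v["rule"] not in skip
            and SEVERITY_RANK[v["severity"]] >= floor]

def admission_decision(cfg, violations):
    """Per [k8s-admission-control]: reject on severity >= denied-severity or a denied category; else warn."""
    ac = cfg.get("k8s-admission-control", {})
    denied_rank = SEVERITY_RANK[ac.get("denied-severity", "high")]  # "high" fallback is an assumption
    denied_cats = set(ac.get("denied-categories", []))
    rejects = [v["rule"] for v in violations
               if SEVERITY_RANK[v["severity"]] >= denied_rank or v["category"] in denied_cats]
    warnings = [v["rule"] for v in violations if v["rule"] not in rejects]
    return ("deny" if rejects else "allow"), rejects, warnings
```

With this config the skipped IAM.107 finding never reaches the admission decision, the low-severity finding is dropped by the severity floor, the medium "Network Ports Security" finding still rejects because of its category, and the remaining medium finding is only a warning.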
Logging can be configured by using the --log-level flag with possible values being: debug, info, warn, error, panic, or fatal. This defaults to "info".
In addition to the default "console" logs, the logs can be configured to be output in JSON by using the --log-type flag with the value of