What are the Use Cases of Terrascan?
Here are some common use cases of Terrascan as seen below.
1. Code Scanner
You can scan a variety of IaC using Terrascan. Consider this example where you have a file called “main.tf”.
Python3
provider "azurerm" { features {} } resource "azurerm_resource_group" "example" { name = "example-resources" location = "UK South"} |
You can scan and detect vulnerabilities in this Azure infrastructure using Terrascan. By running the “terrascan -f” command, you can scan any Terraform code as shown below.
You can also use Terraform’s sandbox environment in your browser by clicking this link to scan your Terraform code.
A snippet of the JSON code to be checked in terraform environment:
Python3
provider "azurerm" { features {} } resource "azurerm_storage_account" "my_storage_account" { name = "myteststorageaccount" resource_group_name = "myresourcegroup" location = "westus2" account_tier = "Standard" account_replication_type = "LRS"} resource "azurerm_virtual_network" "vnet_prod" { name = "vnet-prod" address_space = ["10.0.0.0/16"] location = "westus2" resource_group_name = "myresourcegroup" tags = { Name = "vnet-prod" } } |
Output
This works for all file extensions such as JSON, YAML, tf and so on.
2. Helm Chart Scanner
You can create Helm charts using the command.
helm create demo-chart
You’ll have a YAML (Yet Another Markup Language) called “values” where you can edit some values to create some vulnerabilities that Terrascan can report. You can detect vulnerabilities in Helm Charts using Terrascan.
Suppose you have the YAML code below:
Python3
Resources: MyPod: Type: AWS::ECS::TaskDefinition Properties: ContainerDefinitions: - Name: my-container Image: busybox Command: - sh - "-c" - "while true; do echo 'Hello, World!'; sleep 1; done" Memory: 128 Cpu: 0.5 |
Output
3. Scanning Kubernetes Code
You can check the ability and safety of Kubernetes manifests that you’ve created in CFT (CloudFormation Template). Suppose you have a code to deploy a simple nginx deployment:
Python3
Resources: NginxDeployment: Type: AWS::ECS::TaskDefinition Properties: ContainerDefinitions: - Name: nginx Image: nginx:latest Memory: 64 Cpu: 0.1 Family: nginx-deployment |
Due to its low resource requirement, this will be flagged as a major violation. To spend the right resources in Infrastructure and distribute them properly, unusually low resources will also be flagged as a violation as seen below.
Output
4. Integration with ArgoCD
You can configure Terrascan as an ArgoCD using two methods.
- Scan the remote repository after configuring Terrascan as an ArgoCD pre-sync hook.
- Deploy an already deployed Terrascan server into a Kubernetes (K8) cluster and scan remote repositories available in ArgoCD’s PreSync Hook.
What is Terrascan? Features, Installation and Use Cases
Terrascan is a popular software used to detect any possible vulnerabilities in IaC (Infrastructure as Code) structures. With its predefined built-in policies, Terrascan can detect any vulnerabilities in your code and let you know about the policy violations in detail, including their severity. The violations can range from minor infractions to severe structural compromises detected in the code. Before we go into detail, let’s see more about Terrascan.