Terrascan GitHub Action: Easy Policy as Code for IaC Pipelines

Today we’re excited to announce the release of the Terrascan GitHub Action, enabling you to detect security misconfigurations in your Infrastructure as Code (IaC) such as Kubernetes, Helm, Kustomize, or Terraform through your GitHub actions workflows.
One of the key benefits of Policy as Code is the ability to codify your security policies and enforce them as part of CI/CD pipelines. By integrating into your development workflow, you can ensure that security issues are found early and prevent them from being introduced into your runtime environment.
Terrascan GitHub Action Benefits
When you set up your repository with the GitHub Action, any IaC pushed to your repository will be scanned for security misconfigurations. There are multiple options to configure the Action including:
- The type of IaC to scan (e.g. Terraform, Kubernetes, etc.)
- The path where your Infrastructure as Code lives in the repository
- The path to any custom Rego policies you would like to be included in the scan
- Which policies, if any, to skip during the scan
- Whether the Action should warn or fail if issues are found
Setting up the Terrascan GitHub Action
The GitHub marketplace readme includes detailed configuration options for the Action. To set up the Action, you need to include a YAML file in the .github/workflows directory of your repository as follows:
on: [push]
jobs:
  terrascan_job:
    runs-on: ubuntu-latest
    name: terrascan-action
    steps:
      - name: Checkout repository
        # the version refs on both "uses:" lines were garbled in the extracted page;
        # actions/checkout@v2 and accurics/terrascan-action@main are the refs the Action's readme documents
        uses: actions/checkout@v2
      - name: Run Terrascan
        id: terrascan
        uses: accurics/terrascan-action@main
        with:
          iac_type: 'terraform'
          iac_version: 'v14'
          policy_type: 'aws'
          only_warn: true
          #iac_dir:
          #policy_path:
          #skip_rules:
          #config_path:
With the above configuration, on every push of code to your repository the workflow will check out the code that was pushed and execute Terrascan on the given directory using the Rego policies in the specified policy path. The example above configures the scan not to fail when an issue is found by setting the only_warn variable.

By default, the build will fail if any issues are found during the scan.
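The following second workflow is an added illustration, not a configuration from the post or from the Action's readme: it shows the blocking form, with only_warn left unset so that a single finding fails the job, and with the optional inputs that are commented out above filled in for a Kubernetes scan. The deploy/ and policies/ directories, the placeholder rule ID, and the pull_request trigger are assumptions, not values from the post.

```yaml
on: [push, pull_request]   # also gate pull requests, not just pushes (assumed trigger)
jobs:
  terrascan_job:
    runs-on: ubuntu-latest
    name: terrascan-action
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Run Terrascan
        id: terrascan
        uses: accurics/terrascan-action@main
        with:
          iac_type: 'k8s'                 # scan Kubernetes manifests instead of Terraform
          iac_version: 'v1'               # Terrascan's version label for Kubernetes manifests
          policy_type: 'k8s'              # use the Kubernetes policy set
          iac_dir: 'deploy/'              # constructed path: only this directory is scanned
          policy_path: 'policies/'        # constructed path: custom Rego policies added to the scan
          skip_rules: 'RULE_ID_TO_SKIP'   # placeholder: replace with the ID of a rule you have accepted
          # only_warn is omitted, so the job fails when any violation is found
```

Keeping only_warn unset is the setting to choose once a repository's existing findings have been fixed or explicitly skipped, because it turns the scan into a gate rather than a report.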

The output of the scan is available in the workflow’s logs and includes details for each of the issues that were found in your IaC as well as a scan summary.

Get Started Today
Given how easy it is to enable Terrascan in your projects, we encourage you to try the GitHub Action to help you find and fix security issues in your IaC as early as possible. We’re always looking for ways to integrate Terrascan into CI/CD tooling and welcome any suggestions in our community and contributions to our repository.