DevOps | Feb 18, 2021

Terrascan GitHub Action: Easy Policy as Code for IaC Pipelines


Today we’re excited to announce the release of the Terrascan GitHub Action, which lets you detect security misconfigurations in your Infrastructure as Code (IaC), such as Kubernetes, Helm, Kustomize, or Terraform, from within your GitHub Actions workflows.

One of the key benefits of Policy as Code is the ability to codify your security policies and enforce them as part of CI/CD pipelines. By integrating into your development workflow, you can ensure that security issues are found early and prevent them from being introduced into your runtime environment. 

Terrascan GitHub Action Benefits

When you set up your repository with the GitHub Action, any IaC pushed to your repository will be scanned for security misconfigurations. There are multiple options to configure the Action including:

  • The type of IaC to scan (e.g. Terraform, Kubernetes, etc.)
  • The path where your Infrastructure as Code lives in the repository
  • The path to any custom Rego policies you would like to be included in the scan
  • Which policies, if any, to skip during the scan
  • Whether the Action should warn or fail if issues are found

Setting up the Terrascan GitHub Action

The GitHub Marketplace readme includes detailed configuration options for the Action. To set up the Action, add a workflow YAML file to the .github/workflows directory of your repository, for example:

on: [push]
 
jobs:
  terrascan_job:
    runs-on: ubuntu-latest
    name: terrascan-action
    steps:
    - name: Checkout repository
      uses: actions/[email protected]
    - name: Run Terrascan
      id: terrascan
      uses: accurics/[email protected]
      with:
        iac_type: 'terraform'
        iac_version: 'v14'
        policy_type: 'aws'
        only_warn: true
        #iac_dir:
        #policy_path:
        #skip_rules:
        #config_path:
 

With the above configuration, every push to the repository triggers the workflow, which checks out the pushed code and runs Terrascan against the directory given by iac_dir (the repository root when that input is left commented out), using the built-in aws policies for Terraform v0.14 plus any custom Rego policies found under policy_path if one is set.

The example above also sets the only_warn input to true, so the workflow does not fail when the scan finds violations; they are still reported in the log.

Terrascan GitHub Action Warn Example

By default, the build will fail if any issues are found during the scan.

Terrascan GitHub Action Fail Example

The output of the scan is available in the workflow’s logs and includes details for each of the issues that were found in your IaC as well as a scan summary.

Terrascan GitHub Action Sample Output

Get Started Today

Given how easy it is to enable Terrascan in your projects, we encourage you to try the GitHub Action to help you find and fix security issues in your IaC as early as possible. We’re always looking for ways to integrate Terrascan into CI/CD tooling and welcome any suggestions in our community and contributions to our repository.
