DevOps | May 07, 2021

GitOps Security: Same tool, same policies, one Terrascan


During KubeCon + CloudNativeCon Europe 2021, Accurics announced a new Terrascan integration with Argo CD. In this blog post, we’ll discuss what this integration is all about, and why it is a big deal.

Argo CD is a GitOps continuous delivery tool for Kubernetes. GitOps is a framework that takes the automation and best practices from the world of application development into the world of cloud native infrastructure. In a GitOps pipeline, infrastructure is codified, collaborated upon and version controlled. Like application code, infrastructure is codified in git. A tool such as Argo CD is responsible for ensuring that infrastructure remains synchronized with the git repository.

GitOps Security with Terrascan

Among their many advantages, GitOps pipelines facilitate shifting infrastructure security left. Since your git repository reflects your infrastructure, scanning your infrastructure as code (IaC) repository is a straightforward way to find and fix security vulnerabilities. Terrascan has had the ability to scan repositories for some time.

Today we are introducing the ability to integrate Terrascan simultaneously as a git repository scanner and as a Kubernetes admission controller. This empowers users to integrate Terrascan into their automated Argo CD workflows, while enforcing the same security policies at the K8s cluster level. The same tool, with the same policies, ensures security and consistency across the GitOps pipeline.

GitOps Security - Argo CD workflow with Terrascan policy as code

You can set up a single instance of Terrascan, and hook both your Argo CD and Kubernetes cluster to it. You’ll be able to leverage a consistent configuration, and establish thresholds at which policy violations will break the Argo CD build or reject admission to the K8s cluster.

Only interested in scanning, or have specialized needs? Add your own custom policies, and have them applied both to your Argo repository and to the K8s cluster. Unlike other OPA powered tools, no adaptation is necessary. Terrascan achieves this by standardizing the input, so a Kubernetes YAML and an AdmissionRequest object can be scanned by the same policy. Or use Terrascan’s built-in pack of hundreds of standard policies. Or mix and match as desired.

Wondering why one should trigger security controls in both the CD workflow and at admission to the cluster? The answer is that changes to the cluster can be made by tools other than your CD tool, either by mistake or by malice. The admission controller is the defense against those threats. But for ease of maintenance and remediation, it is best not to rely on it for recurring workflows. Rather, leverage your CD tooling for integrated tests. 
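The idea of standardizing the input, and the reason for checking at admission as well as in the CD workflow, sketched as an added example. This is not Terrascan's code or policy language: the function names, the single privileged-container policy and the sample resources are assumptions constructed for illustration, with manifests given as JSON to stay within the standard library.

```python
import json

def normalize(doc):
    """Reduce a manifest or an AdmissionReview to the bare resource."""
    if doc.get("kind") == "AdmissionReview":
        # request.object is null on DELETE: there is nothing to evaluate.
        return (doc.get("request") or {}).get("object")
    return doc

def pod_spec(resource):
    """Find the pod spec in a Pod or in a workload's pod template."""
    spec = resource.get("spec") or {}
    if resource.get("kind") == "Pod":
        return spec
    return (spec.get("template") or {}).get("spec") or {}

def privileged_containers(resource):
    """The single policy: names of containers requesting privileged mode."""
    spec = pod_spec(resource)
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    return [c.get("name", "<unnamed>") for c in containers
            if (c.get("securityContext") or {}).get("privileged") is True]

def scan(raw):
    """Entry point shared by the repository scan and the admission webhook."""
    resource = normalize(json.loads(raw))
    return [] if resource is None else privileged_containers(resource)

def as_admission_review(resource, operation="CREATE"):
    """Wrap a resource the way the API server presents it to a webhook."""
    request = {"uid": "constructed-uid", "operation": operation,
               "object": None if operation == "DELETE" else resource}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": request}

def pod(name, privileged):
    """Constructed sample resource (hypothetical image name)."""
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name},
            "spec": {"containers": [{"name": "app", "image": "example/app:1.0",
                                     "securityContext": {"privileged": privileged}}]}}

# Constructed inputs: the manifest kept in git, and a privileged pod
# created directly against the cluster, outside the CD tool.
GIT_MANIFEST = json.dumps(pod("web", False))
OUT_OF_BAND = json.dumps(as_admission_review(pod("debug", True)))

if __name__ == "__main__":
    print("git manifest:", scan(GIT_MANIFEST))
    print("admission request:", scan(OUT_OF_BAND))
```

The repository scan passes the manifest in git, while the same policy flags the pod that never went through git when it reaches the admission path.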

For more information, please check out our Argo CD integration folder, and check out the documentation. The Terrascan team is committed to building in public, and this is just the beginning of our GitOps story. We would love to hear from you on our GitHub repo.
