
How To use Terrascan to scan Terragrunt Code

Preamble:

If you have been writing Infrastructure as Code using frameworks like Terraform and Kubernetes, you know how painful it has been not to have a proper testing framework to test the code before deploying it. The result has been dev teams hacking together makeshift testing setups just to gain some trust in their code.

Worry no more: Terrascan is here to save the day. Developed by Tenable (the leading Cybersecurity Exposure Management Company), Terrascan is an open-source static code analysis tool designed for Infrastructure as Code. It helps developers and DevOps teams ensure their infrastructure code adheres to best practices, security standards, and compliance requirements. Terrascan provides 500+ out-of-the-box policies so that you can scan your IaC code against common policy standards such as the CIS Benchmark.

Initializing Terrascan:

Once terrascan is installed, the first command to run is:

$ terrascan init

This command initializes Terrascan and downloads the latest policies from the repository into ~/.terrascan. By default the policies are installed under ~/.terrascan/pkg/policies/opa/rego and are loaded from there while scanning and performing code analysis. Terrascan leverages the Open Policy Agent (OPA) engine, so you can easily create your own custom policies using the Rego query language.

Scanning IaC Code with Terrascan

After initializing terrascan, the next command to run is scan, which checks the IaC code against compliance requirements, best practices, and security standards.

$ terrascan scan -c /directory/with/iac/code

The scan command also supports the following flags:

  1. --config-path Specifies a directory to be scanned
  2. --iac-file Specifies the path to a single IaC file to be scanned
  3. --iac-type Specifies the IaC provider type (arm, cft, docker, helm, k8s, kustomize, terraform, or tfplan)
  4. --policy-type Specifies the policy type (all, aws, azure, docker, gcp, github, k8s) (defaults to all)
  5. --remote-type Specifies the type of remote backend where the IaC code resides (git, s3, gcs, http, terraform-registry)
  6. --remote-url Specifies the URL pointing to the remote IaC repository

The full list of flags for the scan command can be found by running: terrascan scan -h

Scanning Terragrunt Code with Terrascan

Terragrunt is a thin wrapper that provides extra tools for running Terraform in a DRY (Don't Repeat Yourself) fashion and for managing Terraform remote state. Here is how Terrascan can be used to scan Terragrunt IaC code:

1.) Inside the folder containing the terragrunt.hcl file, run the following to save the Terragrunt plan as a tfplan file:

terragrunt plan -out $(pwd)/plan.tfplan

2.) Next, we convert the tfplan file into JSON-formatted output, which is what terrascan will read:

terragrunt show -json $(pwd)/plan.tfplan > plan.json

3.) There is a small bug (at the time of writing this blog post) that prevents terrascan from reading tfplan JSON content with format_version 1.1. To work around it, we have to edit plan.json and change the format_version to 0.2.

vi plan.json

Change format_version from 1.1 to 0.2

4.) Run terrascan to scan the plan.json file:

terrascan scan --iac-type tfplan --iac-file plan.json
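To run the four steps above unattended, here is an added shell script that is not from the original post or the Terrascan project. It assumes terragrunt and terrascan are installed and on PATH, and it replaces the manual vi edit of step 3 with a checked in-place rewrite of format_version, so the scan never runs against a file that was not actually patched.

```shell
#!/bin/sh
# Added example, not from the original post: automates steps 1-4 above.
# Assumes terragrunt and terrascan are installed and on PATH.
set -eu

# Return the top-level format_version string of a plan JSON file. The first
# match is taken because the plan JSON can embed a prior_state object that
# carries its own (state) format_version further along in the file.
plan_format_version() {
    grep -o '"format_version"[[:space:]]*:[[:space:]]*"[^"]*"' "$1" \
        | head -n 1 | sed 's/.*"\([^"]*\)"$/\1/'
}

# Step 3 without vi: rewrite format_version 1.1 to 0.2 in place (first
# occurrence only, so an embedded prior_state version is left alone). Handles
# compact and pretty-printed JSON, and refuses files that do not carry
# version 1.1, since those are not the plan exports this workaround targets.
downgrade_plan_format_version() {
    plan_json="$1"
    if ! grep -q '"format_version"[[:space:]]*:[[:space:]]*"1\.1"' "$plan_json"; then
        echo "$plan_json: no format_version 1.1 found, not modified" >&2
        return 1
    fi
    tmp="${plan_json}.tmp"
    sed 's/"format_version"\([[:space:]]*:[[:space:]]*\)"1\.1"/"format_version"\1"0.2"/' \
        "$plan_json" > "$tmp"
    mv "$tmp" "$plan_json"
}

# Steps 1, 2, 3 and 4 for one Terragrunt module (the directory holding
# terragrunt.hcl). terrascan's exit status is passed back to the caller.
scan_terragrunt_module() {
    (
        cd "$1"
        terragrunt plan -out "$(pwd)/plan.tfplan"
        terragrunt show -json "$(pwd)/plan.tfplan" > plan.json
        downgrade_plan_format_version plan.json
        echo "scanning plan.json (format_version $(plan_format_version plan.json))"
        terrascan scan --iac-type tfplan --iac-file plan.json
    )
}

# Run the pipeline only when a module directory is given on the command line,
# e.g.: sh scan_terragrunt.sh live/prod/vpc
if [ "$#" -gt 0 ]; then
    scan_terragrunt_module "$1"
fi
```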

And there you have it. Here is a sample output of a scan performed:

[Image: Terrascan scan output]

Found this useful? Follow our page on: https://www.linkedin.com/company/geanttechnology