Terrascan is an open-source static code analyzer for Infrastructure as Code, originally maintained by Tenable. With 5.2k GitHub stars and 83 contributors, it built a strong community before being archived in November 2025.
It detects security vulnerabilities and compliance violations across Terraform, CloudFormation, Kubernetes, Helm, Docker, and more.
With over 500 built-in policies aligned to CIS Benchmarks and security best practices, Terrascan helps teams catch misconfigurations before they reach production. Note that the project is now archived but the codebase remains available for community forks.
What is Terrascan?
Terrascan scans IaC files against a comprehensive policy library to identify security risks like overly permissive IAM policies, unencrypted storage, and exposed network services.
As a CNCF member project with over 5,000 GitHub stars, it had strong community backing and regular updates until it was archived.
Built on the Open Policy Agent (OPA) engine, Terrascan allows security teams to write custom policies in Rego.
This extensibility makes it suitable for organizations with specific compliance requirements beyond standard benchmarks.
The tool also supports drift detection by comparing IaC definitions against live cloud resources.
Key Features
Comprehensive Policy Library
Terrascan ships with 500+ security policies covering AWS, Azure, GCP, and Kubernetes.
Policies align with CIS Benchmarks, NIST 800-53, PCI-DSS, HIPAA, and SOC 2 requirements.
Each policy includes clear documentation explaining the risk and remediation steps.
Custom Policies with Rego
Using the OPA Rego language, teams can define organization-specific rules.
Custom policies live alongside built-in ones and integrate into the same scanning workflow.
This flexibility handles edge cases that generic policies miss.
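As an added example (not a policy from the Terrascan library), the following custom policy in Terrascan's Rego format flags `aws_s3_bucket` resources whose canned ACL grants access beyond the owning account. The rule head uses Terrascan's `{{.prefix}}{{.name}}{{.suffix}}` template placeholders, which Terrascan fills from the `template_args` of the policy's companion JSON metadata file; the policy name `s3BucketPublicAcl`, the `input.aws_s3_bucket` resource path and the `config.acl` field follow Terrascan's normalized input layout for Terraform, and the set of ACL values is this example's own choice.

```rego
package accurics

# Added example policy, not part of the Terrascan policy library.
# Terrascan fills {{.prefix}}{{.name}}{{.suffix}} from "template_args" in the
# companion metadata JSON (here name = "s3BucketPublicAcl"); the rule yields
# the id of every bucket that matches, and each id becomes one violation.
{{.prefix}}{{.name}}{{.suffix}}[bucket.id] {
    # Terrascan normalizes Terraform into input.<resource_type>[], each entry
    # carrying .id and a .config object with the resource's attributes.
    bucket := input.aws_s3_bucket[_]

    # Canned ACLs that grant read or write access to principals outside the
    # bucket owner's account (authenticated-read covers any AWS account).
    public_acls := {"public-read", "public-read-write", "authenticated-read"}

    # Set lookup: the rule body only succeeds when the ACL is in the set, so a
    # bucket with acl = "private" (or no acl attribute) produces no finding.
    public_acls[bucket.config.acl]
}
```

The metadata file (for example `s3BucketPublicAcl.json`, with `name`, `file`, `policy_type`, `resource_type`, `template_args`, `severity`, `description`, `reference_id`, `category` and `version` fields) sits next to the `.rego` file, and the scan is pointed at that directory with `terrascan scan -p ./custom-policies -i terraform -d ./infrastructure/`. A bucket declared with `acl = "public-read"` is reported; one with `acl = "private"` is not.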
Multi-Format Support
Terrascan analyzes Terraform HCL, CloudFormation YAML and JSON, Kubernetes manifests, Helm charts, Kustomize overlays, ARM templates, and Dockerfiles.
This broad coverage means a single tool handles diverse infrastructure stacks.
Kubernetes Admission Controller
Beyond static scanning, Terrascan can run as a Kubernetes admission controller webhook.
This validates manifests at deploy time, blocking resources that violate policies from entering the cluster.
SARIF Output for GitHub Security
Terrascan outputs results in SARIF format, integrating directly with GitHub Code Scanning.
Findings appear in the Security tab alongside other code analysis tools.
Installation
Install Terrascan using Homebrew, Docker, or direct binary download:
```bash
# Install via Homebrew (macOS/Linux)
brew install terrascan

# Install via Docker
docker pull tenable/terrascan:latest

# Download binary directly (Linux example). Release asset names also carry the
# release version, so check the releases page for the exact filename.
curl -L "https://github.com/tenable/terrascan/releases/latest/download/terrascan_$(uname -s)_$(uname -m).tar.gz" | tar -xz
sudo mv terrascan /usr/local/bin/
```
Run basic scans from the command line:
```bash
# Scan Terraform files in current directory
terrascan scan

# Scan specific directory with Terraform type
terrascan scan -t aws -i terraform -d ./infrastructure/

# Scan Kubernetes manifests
terrascan scan -t k8s -i k8s -d ./manifests/

# Scan a Helm chart
terrascan scan -t k8s -i helm -d ./my-chart/

# Output in SARIF format for GitHub
terrascan scan -o sarif > results.sarif
```
CI/CD Integration
GitHub Actions
```yaml
name: Terrascan IaC Scan
on: [push, pull_request]

# Uploading SARIF to Code Scanning requires write access to security events
permissions:
  contents: read
  security-events: write

jobs:
  terrascan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Terrascan
        uses: tenable/terrascan-action@main
        with:
          iac_type: 'terraform'
          iac_version: 'v14'
          policy_type: 'aws'
          sarif_upload: true
      - name: Upload SARIF
        # The scan step fails when violations are found; still upload the report
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: terrascan.sarif
```
GitLab CI
```yaml
terrascan:
  image:
    name: tenable/terrascan:latest
    # The image's entrypoint is the terrascan binary; clear it so the job's
    # script runs in a shell
    entrypoint: [""]
  stage: security
  script:
    - >
      terrascan scan -t aws -i terraform -d ./terraform/
      --config-path=.terrascan.toml
      -o sarif > gl-sast-report.json
  artifacts:
    # terrascan exits non-zero when violations are found; keep the report anyway
    when: always
    reports:
      sast: gl-sast-report.json
```
Kubernetes Admission Controller
Deploy Terrascan as a validating webhook:
```bash
# Install in Kubernetes cluster
kubectl apply -f https://raw.githubusercontent.com/tenable/terrascan/master/deploy/k8s-webhook/deployment.yaml

# Verify webhook is running
kubectl get pods -n terrascan
```
Configuration
Create a .terrascan.toml configuration file to customize behavior:
```toml
# Minimum severity to report: low, medium or high
[severity]
level = "high"

[rules]
skip-rules = ["AC-AWS-S3-NS-01", "AC_AWS_0002"]

# Webhook notifications are configured in a [notifications.webhook] table
[notifications]
  [notifications.webhook]
  url = "https://hooks.slack.com/services/xxx"
  token = "xxx"

[k8s-admission-control]
denied-categories = ["INFRASTRUCTURE SECURITY", "IDENTITY AND ACCESS MANAGEMENT"]
```
When to Use Terrascan
Terrascan is ideal for teams seeking a free, comprehensive IaC scanner with compliance framework alignment.
The extensive policy library covers most common misconfigurations without custom rule development, making it accessible to teams new to IaC security.
Choose Terrascan when you need CIS Benchmark compliance checking, SARIF integration with GitHub Security, or a Kubernetes admission controller.
The OPA/Rego foundation appeals to teams already using OPA for policy enforcement elsewhere.
For teams wanting a broader security platform with SCA and container scanning, Snyk IaC or Checkov might be better fits.
If your focus is specifically Kubernetes cluster security with runtime protection, consider Kubescape.
Note: Project archived by maintainers in November 2025; codebase remains available for community forks.
