What is Terrascan: Benefits, Key Features, and Examples

Interested in learning more about env0?

Sam Gabrail

President at TeKanAid

Share this post

In this section of the IaC Scanning Tools Guide, we will be looking at Terrascan and discussing the benefits, key features, and looking at some real world examples. You can explore the other parts of this guide below.

Jump to section:

What is Terrascan?

Terrascan is a tool that helps you to scan your Infrastructure as Code for security and compliance policy violations. It supports various IaC languages such as Terraform, Kubernetes, Dockerfile, and more. It also integrates with different cloud platforms such as AWS, Azure, and GCP. Terrascan can detect over 500 policies for best practices and prevent risks before provisioning cloud infrastructure. You can run Terrascan locally or in your CI/CD pipeline to automate the scanning process.

Benefits and Key Features of using Terrascan

Some of the benefits and key features of using Terrascan are:

Feature Details
Scanning IaC Yes for security and compliance before deployment
IaC Frameworks Supported Multiple IaC frameworks such as Terraform, Kubernetes, Helm, Kustomize, and more
Reporting Detailed reports and recommendations for fixing the detected issues in different formats such as JSON, YAML, XML, JUnit XML, and SARIF
Integrations Many tools including GitHub, GitLab, Jenkins, Azure DevOps, and more
Policy Customizations Yes using Rego, a declarative language for policy enforcement
Open-source Yes
User Interface CLI interface as well as a REST API and a web UI for easy usage and automation

How to get started with Terrascan

Installing Terrascan

There are several ways to install Terrascan, depending on your preference and platform. You can download the binary from the GitHub releases page, install it using Homebrew or run it as a Docker image. For example, to install Terrascan on macOS using Homebrew, you can run the following command:

brew install terrascan

To verify that Terrascan is installed correctly, you can run:

terrascan version

You should see the output similar to this:

version: v1.18.1

If you’re following along in our GitHub repo with codespaces, terrascan is already installed for you.

Scanning your IaC code

To scan your IaC code for security issues, you can use the terrascan scan command. By default, Terrascan will scan the current directory for Terraform files and report any violations found. You can also specify the type of IaC using the -i flag, such as -i k8s for Kubernetes or -i dockerfile for Dockerfile.

For example, to scan a single Terraform file, you can run:

terrascan scan -f Terraform/s3.tf

You should see the output similar to this:

terrascan scan output generic

As you can see, Terrascan has detected one high-severity violation that indicate that the S3 bucket versioning is recommended for easy recovery from unintended user actions.

Example use cases of Terrascan

Use case 1: Scan Terraform Files

Now let’s scan our same Terraform files using Terrascan. Run the following commands:

terrascan scan -d ./Terraform

Let’s examine the output:

terrascan output
terrascan output summary

Use case 2: Scanning Kubernetes manifests

Let’s see how terrascan performs when it comes to Kubernetes manifests. Run the following commands:

terrascan scan -d ./Kubernetes -i k8s

And here is the output:

terrascan kubernetes output
terrascan kubernetes output continued
terrascan kubernetes output summary

Terrascan Custom Policies

Once again, let’s create a custom policy. We will use Rego with Terrascan to check if an S3 bucket has an ACL that is public-read with a tag Scope=”PCI”.

First, you will need to install the OPA binary. On Linux you can use the following script:

curl -L -o opa https://openpolicyagent.org/downloads/v0.51.0/opa_linux_amd64_static

And on Mac use:

curl -L -o opa curl -L -o opa https://openpolicyagent.org/downloads/v0.51.0/opa_darwin_amd64

Once again, if you are following along with GitHub codespaces, it will already be installed for you.

Now let’s examine the files you will need. You need to files, a .json one where you specify a few attributes of the policy and a .rego file where you define the actual policy.

We’ve included these 2 files in the terrascan_custom_policy folder in our repo under the Terraform folder.

Below is the content of the pci_policy_terrascan.json file:

	"name": "PCI_S3_PUBLIC_READ",
	"file": "pci_policy_terrascan.rego",
	"policy_type": "AWS",
	"resource_type": "aws_s3_bucket",
	"template_args": {
		"name": "PCI_S3_PUBLIC_READ",
		"prefix": "",
		"suffix": ""
	"severity": "HIGH",
	"description": "Make sure S3 bucket ACL is NOT public-read if it has a Scope=PCI tag",
	"category": "Identity and Access Management",
	"version": 1,
	"id": "pci_policy_terrascan"

And below is the content of the pci_policy_terrascan.rego file:

package accurics

{{.prefix}}{{.name}}{{.suffix}}[array.id] {
	array := input.aws_s3_bucket[_]
	array.config.acl == "public-read"
	array.config.tags == {"Scope": "PCI"}

An easy way to generate the above two files is to use the Terrascan Rego Editor VS Code extension.

Now we’re ready to run our scan, you can use the command below that will do it for us. Notice how we use the --policy-path to point to the directory where our custom rego policies live. The second --policy-path flag points to the general place where terrascan stores all its policies. If you omit the last --policy-path you will only run the scans for the custom policy that we created.

terrascan scan --policy-path ./Terraform/terrascan_custom_policy --policy-path ~/.terrascan/pkg/policies/opa/rego}

Finally, the output will be as shown below:

terrascan custom policy output

<< Learn about tfsec?

Comparing Checkov vs. tfsec vs. Terrascan >>

No items found.
The best way to manage your Terraform

Custom workflows let you model any process you have.

Improve collaboration so your teams are always on the same page with your Infrastructure as Code

Visualize the effect of IaC changes before and after deployment.

Sam Gabrail

Sam Gabrail is the President of TeKanAid Solutions Inc., an IT training company focused on DevOps. Sam enjoys creating content to help practitioners upskill in DevOps principles and cloud-native technologies. To learn more, visit the TeKanAid website and blog.
Sam also offers a beginner’s course.


The best way to manage your Terraform

Custom workflows let you model any process you have.

Improve collaboration so your teams are always on the same page with your Infrastructure as Code

Visualize the effect of IaC changes before and after deployment.

Start Free Trial
See what env0 can do for you

env0 is the best way to deploy, scale, and manage your Terraform and other Infrastructure as Code tools.

Milo waving