

Update (May 2026): Tenable archived the Terrascan repository on November 20, 2025. It is now read-only and no longer receives security updates, new checks, or cloud provider API support. For current IaC scanning alternatives, see Checkov vs Trivy in 2026: IaC Scanning After tfsec and Terrascan.
In this section of the IaC Scanning Tools Guide, we look at Terrascan: its benefits and key features, how to get started, and some real-world scanning examples, including a custom policy. You can explore the other parts of this guide below.
What is Terrascan?
Terrascan is a tool that scans your Infrastructure as Code for security and compliance policy violations. It supports several IaC languages, including Terraform, Kubernetes manifests and Dockerfiles, and covers resources on cloud platforms such as AWS, Azure, and GCP. Terrascan ships with over 500 built-in policies for best practices, so violations are caught before the cloud infrastructure is provisioned. You can run Terrascan locally or in your CI/CD pipeline to automate scanning.
Benefits and Key Features of using Terrascan
Some of the benefits and key features of using Terrascan are:
| Feature | Details |
|---|---|
| Scanning IaC | Yes, for security and compliance issues before deployment |
| IaC Frameworks Supported | Multiple IaC frameworks such as Terraform, Kubernetes, Helm, Kustomize, and more |
| Reporting | Detailed reports and recommendations for fixing the detected issues in different formats such as JSON, YAML, XML, JUnit XML, and SARIF |
| Integrations | Many tools including GitHub, GitLab, Jenkins, Azure DevOps, and more |
| Policy Customizations | Yes, using Rego, a declarative language for policy enforcement |
| Open-source | Yes |
| User Interface | CLI interface as well as a REST API and a web UI for easy usage and automation |
How to get started with Terrascan
Installing Terrascan
There are several ways to install Terrascan, depending on your preference and platform. You can download the binary from the GitHub releases page, install it using Homebrew or run it as a Docker image. For example, to install Terrascan on macOS using Homebrew, you can run the following command:
```shell
brew install terrascan
```
To verify that Terrascan is installed correctly, you can run:
```shell
terrascan version
```
You should see output similar to this:
```
version: v1.18.1
```
If you’re following along in our GitHub repo with codespaces, terrascan is already installed for you.
Scanning your IaC code
To scan your IaC code for security issues, you can use the terrascan scan command. By default, Terrascan will scan the current directory for Terraform files and report any violations found. You can also specify the type of IaC using the -i flag, such as -i k8s for Kubernetes or -i dockerfile for Dockerfile.
For example, to scan a single Terraform file, you can run:
```shell
terrascan scan -f Terraform/s3.tf
```
You should see output similar to this:
In this case, Terrascan detects one high-severity violation, reporting that S3 bucket versioning is recommended for easy recovery from unintended user actions.
Example use cases of Terrascan
Use case 1: Scan Terraform Files
Now let's scan the same Terraform files using Terrascan. Run the following command:
```shell
terrascan scan -d ./Terraform
```
Let’s examine the output:


Use case 2: Scanning Kubernetes manifests
Let's see how Terrascan performs on Kubernetes manifests. Run the following command:
```shell
terrascan scan -d ./Kubernetes -i k8s
```
And here is the output:



Terrascan Custom Policies
Once again, let's create a custom policy. We will use Rego with Terrascan to check whether an S3 bucket has a public-read ACL while carrying the tag Scope="PCI".
First, you will need to install the OPA binary. On Linux you can use the following command:
```shell
curl -L -o opa https://openpolicyagent.org/downloads/v0.51.0/opa_linux_amd64_static
```
And on Mac use:
```shell
curl -L -o opa https://openpolicyagent.org/downloads/v0.51.0/opa_darwin_amd64
```
Once again, if you are following along with GitHub codespaces, it will already be installed for you.
Now let's examine the files you will need. There are two: a .json file where you specify a few attributes of the policy, and a .rego file where you define the actual policy.
We’ve included these 2 files in the terrascan_custom_policy folder in our repo under the Terraform folder.
Below is the content of the pci_policy_terrascan.json file:
```json
{
  "name": "PCI_S3_PUBLIC_READ",
  "file": "pci_policy_terrascan.rego",
  "policy_type": "AWS",
  "resource_type": "aws_s3_bucket",
  "template_args": {
    "name": "PCI_S3_PUBLIC_READ",
    "prefix": "",
    "suffix": ""
  },
  "severity": "HIGH",
  "description": "Make sure S3 bucket ACL is NOT public-read if it has a Scope=PCI tag",
  "category": "Identity and Access Management",
  "version": 1,
  "id": "pci_policy_terrascan"
}
```
And below is the content of the pci_policy_terrascan.rego file:
```rego
package accurics

# Terrascan renders {{.prefix}}{{.name}}{{.suffix}} from template_args in the
# .json file, so this rule becomes PCI_S3_PUBLIC_READ. It is a partial set
# rule: every bucket id added to the set is reported as a violation.
{{.prefix}}{{.name}}{{.suffix}}[array.id] {
    array := input.aws_s3_bucket[_]
    # The bucket ACL grants public read access.
    array.config.acl == "public-read"
    # Look up the Scope tag by key rather than comparing the whole tag map;
    # an exact map comparison would silently miss buckets that carry
    # additional tags alongside Scope=PCI.
    array.config.tags.Scope == "PCI"
}
```
An easy way to generate the above two files is to use the Terrascan Rego Editor VS Code extension.
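Before wiring the policy into a scan, it is worth unit-testing it with OPA. The test file below is an added example, not part of the original post or of the Terrascan project: it contains a rendered copy of the rule (rule name substituted from template_args, tag check written as a key lookup so buckets with extra tags are still caught), plus constructed inputs in the shape Terrascan hands to policies (an assumption about the input schema), in the pre-1.0 Rego syntax matching the OPA v0.51 binary installed above.

```rego
package accurics

# Rendered copy of pci_policy_terrascan.rego: Terrascan substitutes the
# template_args from the .json file, so the rule is named PCI_S3_PUBLIC_READ.
PCI_S3_PUBLIC_READ[array.id] {
    array := input.aws_s3_bucket[_]
    array.config.acl == "public-read"
    array.config.tags.Scope == "PCI"
}

# Helper building one resource entry. Assumption: Terrascan passes one entry
# per resource under input.aws_s3_bucket, with Terraform attributes in config.
bucket(id, acl, tags) = {"id": id, "config": {"acl": acl, "tags": tags}}

# Constructed inputs covering the interesting cases.
public_pci := {"aws_s3_bucket": [bucket("aws_s3_bucket.reports", "public-read", {"Scope": "PCI", "Team": "finance"})]}
private_pci := {"aws_s3_bucket": [bucket("aws_s3_bucket.cardholder", "private", {"Scope": "PCI"})]}
public_non_pci := {"aws_s3_bucket": [bucket("aws_s3_bucket.website", "public-read", {"Scope": "Marketing"})]}
untagged_public := {"aws_s3_bucket": [bucket("aws_s3_bucket.legacy", "public-read", {})]}

# Violation: public-read ACL on a PCI-scoped bucket, even with extra tags present.
test_public_read_pci_bucket_is_flagged {
    PCI_S3_PUBLIC_READ["aws_s3_bucket.reports"] with input as public_pci
}

# No violation: PCI bucket whose ACL is private.
test_private_pci_bucket_passes {
    count(PCI_S3_PUBLIC_READ) == 0 with input as private_pci
}

# No violation: public bucket that is outside PCI scope.
test_public_non_pci_bucket_passes {
    count(PCI_S3_PUBLIC_READ) == 0 with input as public_non_pci
}

# No violation: no Scope tag at all; the key lookup is undefined, not an error.
test_untagged_public_bucket_passes {
    count(PCI_S3_PUBLIC_READ) == 0 with input as untagged_public
}

# Several buckets in one input: only the offending bucket id is reported.
test_only_offending_bucket_reported {
    mixed := {"aws_s3_bucket": [public_pci.aws_s3_bucket[0], private_pci.aws_s3_bucket[0]]}
    result := PCI_S3_PUBLIC_READ with input as mixed
    result == {"aws_s3_bucket.reports"}
}
```

Save it as pci_policy_terrascan_test.rego outside the policy directory you pass to Terrascan and run it with opa test -v pci_policy_terrascan_test.rego; all five tests should report PASS.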
Now we're ready to run the scan with the command below. Notice the two --policy-path flags: the first points to the directory holding our custom Rego policy, and the second points to the directory where Terrascan stores its built-in policies. If you omit the second --policy-path, only the custom policy we created will run.
```shell
terrascan scan --policy-path ./Terraform/terrascan_custom_policy --policy-path ~/.terrascan/pkg/policies/opa/rego
```
Finally, the output will be as shown below: