### Installing Terrascan as Native Executable on Linux Source: https://github.com/tenable/terrascan/blob/master/README.md This script downloads the latest Terrascan Linux x86_64 binary, extracts it, installs it to `/usr/local/bin`, and then verifies the installation by running the `terrascan` command. It's suitable for direct installation on Linux systems. ```sh curl -L "$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz sudo install terrascan /usr/local/bin && rm terrascan terrascan ``` -------------------------------- ### Example Terraform HCL for GitHub Repository Source: https://github.com/tenable/terrascan/blob/master/docs/policies.md This HCL snippet defines a `github_repository` resource, used as an example input for Terrascan's policy scanning. It creates a public GitHub repository named 'example' with a specific description and template. ```HCL resource "github_repository" "example" { name = "example" description = "My awesome codebase" private = false template { owner = "github" repository = "terraform-module-template" } } ``` -------------------------------- ### Deploying Terrascan Server with Helm Source: https://github.com/tenable/terrascan/blob/master/deploy/helm/README.md Installs the Terrascan server deployment and service using the Helm chart. Requires a release name and namespace for deployment. ```bash helm install . -n ``` -------------------------------- ### Installing Terrascan via Homebrew Source: https://github.com/tenable/terrascan/blob/master/README.md This command installs Terrascan using Homebrew, a package manager for macOS and Linux. It's the recommended installation method for Homebrew users. ```sh brew install terrascan ``` -------------------------------- ### Installing Terrascan via AUR on ArchLinux/Manjaro Source: https://github.com/tenable/terrascan/blob/master/README.md This command uses the `yay` AUR helper to install Terrascan on ArchLinux and Manjaro distributions. It simplifies the installation process for users of these systems. ```sh yay -S terrascan ``` -------------------------------- ### Explaining Kubernetes Validating Webhook Rules (kubectl) Source: https://github.com/tenable/terrascan/blob/master/deploy/kustomize/README.md This `kubectl` command provides detailed documentation and schema information for the `webhooks.rules` section of a Kubernetes `ValidatingWebhookConfiguration`. It helps users understand the available options and structure for defining webhook rules. ```bash kubectl explain ValidatingWebhookConfiguration.webhooks.rules ``` -------------------------------- ### Deploying Terrascan Validating Webhook with Helm Source: https://github.com/tenable/terrascan/blob/master/deploy/helm/README.md Installs the Terrascan deployment, service, and validating webhook using the Helm chart. Sets the 'webhook.mode' to true to enable webhook functionality. ```bash helm install . -n --set webhook.mode=true ``` -------------------------------- ### Building Terrascan Docker Image (Dockerfile) Source: https://github.com/tenable/terrascan/blob/master/README.md This Dockerfile snippet demonstrates how to create a Docker image for Terrascan using an Alpine Linux base. It installs Git, clones the Terrascan repository, and then builds the Go application with CGO disabled and Go modules enabled, outputting the binary to `/go/bin/terrascan`. ```Dockerfile FROM golang:alpine AS build-env RUN apk add --update git RUN git clone https://github.com/tenable/terrascan && cd terrascan \ && CGO_ENABLED=0 GO111MODULE=on go build -o /go/bin/terrascan cmd/terrascan/main.go ``` -------------------------------- ### Deploying Terrascan Webhook Backend with Kustomize (Bash) Source: https://github.com/tenable/terrascan/blob/master/deploy/kustomize/README.md This Bash command uses `kustomize build` to generate the Kubernetes manifests for the Terrascan webhook backend from the `webhook/` directory. The output is then piped to `kubectl apply -f -` to deploy these resources (deployment and service) to the Kubernetes cluster. ```bash kustomize build webhook/ | kubectl apply -f - ``` -------------------------------- ### Creating SSH Known Hosts File (Bash) Source: https://github.com/tenable/terrascan/blob/master/deploy/kustomize/README.md This command appends common SSH host keys for GitHub, Bitbucket, and GitLab to the `known_hosts` file. This file is crucial for SSH client authentication, ensuring that Terrascan can securely connect to and clone repositories from these services. ```bash cat << EOF >> server-remote-repo-scan/.ssh/known_hosts # known_hosts github.com,192.30.255.113 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== bitbucket.org,104.192.141.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== gitlab.com,172.65.251.78 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= ``` -------------------------------- ### Replacing Webhook API Key in YAML Files (Bash) Source: https://github.com/tenable/terrascan/blob/master/deploy/kustomize/README.md This Bash command uses `sed` to replace the `` placeholder with the string `t3rrascan` in both `webhook/validating-webhook.yaml` and `webhook/deployment-env.yaml` files. This sets the desired API key for the Terrascan server. ```bash sed -i "" "s//t3rrascan/g" webhook/validating-webhook.yaml sed -i "" "s//t3rrascan/g" webhook/deployment-env.yaml ``` -------------------------------- ### Deploying Terrascan Server with Kustomize (Bash) Source: https://github.com/tenable/terrascan/blob/master/deploy/kustomize/README.md This command builds the Kustomize configuration located in `server-tls/` and applies it to the Kubernetes cluster using `kubectl`. It deploys the Terrascan server, assuming `server-tls/kustomization.yaml` is correctly configured with desired parameters, including TLS settings. ```bash kustomize build server-tls/ | kubectl apply -f - ``` -------------------------------- ### Creating TLS Certificate Configuration File (Bash) Source: https://github.com/tenable/terrascan/blob/master/deploy/kustomize/README.md This snippet creates a `domain.cnf` file used for generating TLS certificates. It defines certificate details like country, state, organization, and common name, crucial for secure HTTPS communication. Placeholders must be replaced with actual values. ```bash mkdir server-tls/certs touch server-tls/certs/domain.cnf cat << EOF > certs/domain.cnf [req] default_bits = 2048 prompt = no default_md = sha256 x509_extensions = v3_req distinguished_name = dn [dn] C = ST = L = O = emailAddress = CN = terrascan..svc.cluster.local [v3_req] subjectAltName = @alt_names [alt_names] DNS.1 = terrascan..svc.cluster.local >EOF ``` -------------------------------- ### Creating Terrascan Kubernetes Namespace (kubectl) Source: https://github.com/tenable/terrascan/blob/master/deploy/kustomize/README.md This `kubectl` command creates a new Kubernetes namespace named 'terrascan'. This namespace is required to deploy the Terrascan server and its related resources within the cluster. ```bash kubectl create namespace terrascan ``` -------------------------------- ### Replacing Terrascan Namespace Placeholder in Kustomize Files (Bash) Source: https://github.com/tenable/terrascan/blob/master/deploy/kustomize/README.md This Bash script uses `sed` to replace the `` placeholder with 'terrascan' across multiple Kustomize configuration files and a certificate configuration file. This is a prerequisite step to customize the deployment to a specific Kubernetes namespace. ```bash sed -i "" "s//terrascan/g" base/kustomization.yaml sed -i "" "s//terrascan/g" server/kustomization.yaml sed -i "" "s//terrascan/g" server-tls/kustomization.yaml sed -i "" "s//terrascan/g" server-remote-repo-scan/kustomization.yaml sed -i "" "s//terrascan/g" server-tls/certs/domain.cnf sed -i "" "s//terrascan/g" webhook/kustomization.yaml sed -i "" "s//terrascan/g" webhook/validating-webhook.yaml ``` -------------------------------- ### Running Terrascan via Docker Image Source: https://github.com/tenable/terrascan/blob/master/README.md This command pulls and runs the official Terrascan Docker image. It provides a containerized environment for executing Terrascan without requiring a native installation. ```sh docker run tenable/terrascan ``` -------------------------------- ### Configuring SSH Key for Private Repository Scan (Bash) Source: https://github.com/tenable/terrascan/blob/master/deploy/kustomize/README.md This snippet creates a directory for SSH keys, copies a private SSH key (e.g., `github_rsa`) into it, and updates the `kustomization.yaml` file to reference the key. This is a prerequisite for Terrascan to clone private repositories. ```bash mkdir server-remote-repo-scan/.ssh cp ~/.ssh/github_rsa server-remote-repo-scan/.ssh/ sed -i "" "s//github_rsa/g" server-remote-repo-scan/kustomization.yaml ``` -------------------------------- ### Deploying Terrascan Validating Webhook (kubectl) Source: https://github.com/tenable/terrascan/blob/master/deploy/kustomize/README.md This `kubectl` command applies the `validating-webhook.yaml` file located in the `webhook/` directory to the Kubernetes cluster. This action deploys the Terrascan Validating Webhook configuration, enabling it to intercept and validate incoming Kubernetes resources. ```bash kubectl apply -f webhook/validating-webhook.yaml ``` -------------------------------- ### Deploying Terrascan Server in HTTP Mode (Kustomize & kubectl) Source: https://github.com/tenable/terrascan/blob/master/deploy/kustomize/README.md This command uses `kustomize build` to generate Kubernetes manifests from the `server/` directory and pipes them to `kubectl apply -f -` for deployment. This deploys the Terrascan server in plain HTTP mode, assuming `server/kustomization.yaml` is configured correctly. ```bash kustomize build server/ | kubectl apply -f - ``` -------------------------------- ### Uninstalling Terrascan Helm Chart Source: https://github.com/tenable/terrascan/blob/master/deploy/helm/README.md Uninstalls the Terrascan Helm chart, removing all associated resources from the specified namespace. Requires the release name used during installation. ```bash helm uninstall -n ``` -------------------------------- ### Deploying Terrascan Server for Remote Repository Scan (Bash) Source: https://github.com/tenable/terrascan/blob/master/deploy/kustomize/README.md This command builds the Kustomize configuration for remote repository scanning and applies it to the Kubernetes cluster. It deploys the Terrascan server with the necessary SSH key and `known_hosts` configurations to access private IaC file repositories. ```bash kustomize build server-remote-repo-scan/ | kubectl apply -f - ``` -------------------------------- ### Rego Policy Evaluation Output Source: https://github.com/tenable/terrascan/blob/master/docs/policies.md This JSON output shows the result of evaluating the `privateRepoEnabled` Rego policy against the example Terraform configuration. A successful policy trigger indicates that the `github_repository.example` resource was found to be non-private, as defined by the policy. ```JSON { "privateRepoEnabled": [ "github_repository.example" ] } ``` -------------------------------- ### Generating TLS Server Key and Certificate (Bash) Source: https://github.com/tenable/terrascan/blob/master/deploy/kustomize/README.md This command uses OpenSSL to generate a self-signed server key (`server.key`) and certificate (`server.crt`) based on the `domain.cnf` configuration. These files are essential for enabling HTTPS (TLS) mode for the Terrascan server. ```bash openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout server-tls/certs/server.key -out server-tls/certs/server.crt -config server-tls/certs/domain.cnf ``` -------------------------------- ### Streaming Terrascan Pod Logs (kubectl) Source: https://github.com/tenable/terrascan/blob/master/deploy/kustomize/README.md This `kubectl` command retrieves and streams the logs from a specified Terrascan pod within the `terrascan` namespace. The `-f` flag 'follows' the logs, continuously displaying new log entries, which is useful for real-time monitoring and debugging. ```bash kubectl -n terrascan logs -f ``` -------------------------------- ### Deleting Terrascan Namespace (kubectl) Source: https://github.com/tenable/terrascan/blob/master/deploy/kustomize/README.md This `kubectl` command deletes the entire Kubernetes namespace specified by ``. Deleting a namespace automatically removes all resources contained within it, providing a clean way to remove the Terrascan deployment. ```bash kubectl delete ns ``` -------------------------------- ### Configuring SSH Known Hosts for Private Repositories (Bash) Source: https://github.com/tenable/terrascan/blob/master/deploy/helm/README.md This snippet provides example content for the `.ssh/known_hosts` file, which is necessary for Terrascan to perform remote scans of private repositories via SSH. It includes public keys for GitHub, Bitbucket, and GitLab, allowing the Terrascan server to authenticate and connect to these services. ```bash # known_hosts github.com,192.30.255.113 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== bitbucket.org,104.192.141.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== gitlab.com,172.65.251.78 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= ``` -------------------------------- ### Example Terrascan Rule JSON File Source: https://github.com/tenable/terrascan/blob/master/docs/policies.md This JSON file defines metadata for a Terrascan policy, including its name, associated Rego file, severity, description, and a unique reference ID. It adheres to a specific naming convention and provides essential context for policy management within Terrascan. ```JSON { "name": "unrestrictedIngressAccess", "file": "unrestrictedIngressAccess.rego", "template_args": { "prefix": "" }, "severity": "HIGH", "description": " It is recommended that no security group allows unrestricted ingress access", "reference_id": "AWS.SecurityGroup.NetworkSecurity.High.0094", "category": "Network Ports Security", "version": 2 } ``` -------------------------------- ### Encoding and Injecting CA Bundle into Webhook YAML (Bash) Source: https://github.com/tenable/terrascan/blob/master/deploy/kustomize/README.md This Bash command first reads the `server.crt` file, base64 encodes its content, and stores it in the `CA_BUNDLE` environment variable. Then, it uses `sed` to replace the `` placeholder in `webhook/validating-webhook.yaml` with the base64 encoded certificate, integrating the CA bundle for TLS. ```bash CA_BUNDLE=$(cat server-tls/certs/server.crt | base64) sed -i "" "s//$CA_BUNDLE/g" webhook/validating-webhook.yaml ``` -------------------------------- ### Monitoring Terrascan Server Pod Status (kubectl) Source: https://github.com/tenable/terrascan/blob/master/deploy/kustomize/README.md This `kubectl` command is used to monitor the status of pods within the specified ``. The `-w` flag enables watch mode, continuously updating the output as pod statuses change, allowing verification that the Terrascan server pod is running. ```bash kubectl -n get pods -w ``` -------------------------------- ### Deleting Resources with Kustomize (kubectl) Source: https://github.com/tenable/terrascan/blob/master/deploy/kustomize/README.md This `kubectl` command, combined with `kustomize build`, is used to delete resources deployed via Kustomize without deleting the entire namespace. It builds the manifests from the specified `` and pipes them to `kubectl delete -f -`, which removes the defined resources from the cluster. ```bash kustomize build / | kubectl delete -f ``` -------------------------------- ### Terrascan Normalized JSON Output for Terraform Source: https://github.com/tenable/terrascan/blob/master/docs/policies.md This JSON output demonstrates the normalized configuration generated by Terrascan using the `--config-only` and `-o json` flags on the example Terraform HCL. It shows how IaC configurations are transformed into a structured JSON format for policy evaluation, detailing the `github_repository` resource's attributes. ```JSON $ terrascan scan -i terraform --config-only -o json { "github_repository": [ { "id": "github_repository.example", "name": "example", "source": "main.tf", "line": 1, "type": "github_repository", "config": { "description": "My awesome codebase", "name": "example", "private": false, "template": [ { "owner": "github", "repository": "terraform-module-template" } ] } } ] } ``` -------------------------------- ### Building Terrascan Locally using Make (Shell) Source: https://github.com/tenable/terrascan/blob/master/README.md This snippet outlines the steps to clone the Terrascan repository, navigate into it, build the project using `make build`, and then execute the compiled binary. It requires `gcc` and Go 1.19+ as prerequisites for a successful build. ```Shell $ git clone git@github.com:tenable/terrascan.git $ cd terrascan $ make build $ ./bin/terrascan ``` -------------------------------- ### Displaying Terrascan CLI Help and Available Commands (Shell) Source: https://github.com/tenable/terrascan/blob/master/README.md This snippet shows the general usage of the `terrascan` command, listing its available subcommands such as `help`, `init`, `scan`, `server`, and `version`. It also details the global flags that can be used to configure logging, output format, and specify a configuration file path. ```sh $ terrascan Terrascan Usage: terrascan [command] Available Commands: help Help about any command init Initialize Terrascan scan Detect compliance and security violations across Infrastructure as Code. server Run Terrascan as an API server version Terrascan version Flags: -c, --config-path string config file path -h, --help help for terrascan -l, --log-level string log level (debug, info, warn, error, panic, fatal) (default "info") -x, --log-type string log output type (console, json) (default "console") -o, --output string output type (human, json, yaml, xml) (default "human") Use "terrascan [command] --help" for more information about a command. ``` -------------------------------- ### Checking Terrascan Pod Logs with Kubectl Source: https://github.com/tenable/terrascan/blob/master/deploy/helm/README.md Retrieves the logs of the Terrascan pod in the specified namespace to verify successful server startup. Look for 'server listening on port : ' message. ```bash kubectl -n logs ``` -------------------------------- ### Running Unit and Integration Tests with Make Source: https://github.com/tenable/terrascan/blob/master/release_checklist.md This command executes both unit and end-to-end tests for Terrascan. It is a prerequisite for any release, ensuring code quality and stability before proceeding with version updates. ```Shell make cicd ``` -------------------------------- ### Verifying Validating Webhook by Creating a Resource Source: https://github.com/tenable/terrascan/blob/master/deploy/helm/README.md Attempts to create a test pod (nginx image) to trigger and verify the functionality of the Terrascan validating webhook. The webhook should scan this resource. ```bash kubectl run test-pod --image=nginx ``` -------------------------------- ### Verifying Terrascan Pod Status with Kubectl Source: https://github.com/tenable/terrascan/blob/master/deploy/helm/README.md Queries for the Terrascan pod in the specified namespace and watches its status until it reaches the 'Running' state, indicating successful deployment. ```bash kubectl get pod -n -w ``` -------------------------------- ### Cloning Terrascan Repository - Git Source: https://github.com/tenable/terrascan/blob/master/CONTRIBUTING.md This command clones your forked Terrascan repository from GitHub to your local machine. Replace `your_name_here` with your actual GitHub username. This is the first step in setting up the development environment after forking the repository. ```Shell $ git clone git@github.com:your_name_here/terrascan.git ``` -------------------------------- ### Tagging and Pushing New Release Version with Git Source: https://github.com/tenable/terrascan/blob/master/release_checklist.md These Git commands are used to pull the latest code, create a new Git tag corresponding to the release version, and push both the tag and the updated code to the remote repository. This action typically triggers automated release workflows. ```Shell git pull git tag v1.5.0 git push --tags git push upstream v1.5.0 ``` -------------------------------- ### Running CI/CD Checks Locally - Make Source: https://github.com/tenable/terrascan/blob/master/CONTRIBUTING.md This command executes all linting and testing checks that are part of Terrascan's continuous integration (CI) pipeline. It's essential to run this before committing changes to ensure they meet project standards and pass all automated tests. ```Shell $ make cicd ``` -------------------------------- ### Generating TLS Certificates for Terrascan Webhook (Bash) Source: https://github.com/tenable/terrascan/blob/master/deploy/helm/README.md This command uses OpenSSL to generate a self-signed X.509 certificate and private key for TLS communication. It's required for the Kubernetes admission controller webhook. The command creates `server.key` and `server.crt` based on the configuration in `domain.cnf`, which should be edited to match the service DNS name. ```bash openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout data/server.key -out data/server.crt -config data/domain.cnf ``` -------------------------------- ### Committing and Pushing Changes - Git Source: https://github.com/tenable/terrascan/blob/master/CONTRIBUTING.md These commands stage all local changes, commit them with a descriptive message, and then push the new branch to your forked repository on GitHub. This prepares your changes for a pull request. Remember to replace the commit message and branch name appropriately. ```Shell $ git add . $ git commit -m "Your detailed description of your changes." $ git push origin name-of-your-bugfix-or-feature ``` -------------------------------- ### Generating GitHub Changelog Entries with Docker Source: https://github.com/tenable/terrascan/blob/master/release_checklist.md This Docker command generates new entries for `CHANGELOG.md` based on changes since a specified Git tag. It requires a GitHub personal access token set in the `GITHUB_TOKEN` environment variable for authentication with the GitHub API. ```Shell docker run -it --rm -v "$(pwd)":/usr/local/src/your-app ferrarimarco/github-changelog-generator -u tenable -p terrascan -t $GITHUB_TOKEN -b CHANGELOG.md --since-tag v1.4.0 --future-release v1.5.0 ``` -------------------------------- ### Scanning for Docker Image Vulnerabilities with Terrascan (Shell) Source: https://github.com/tenable/terrascan/blob/master/README.md This command demonstrates how to use the `--find-vuln` flag with `terrascan scan` to collect vulnerability information from container registries. It requires specifying the IaC provider (e.g., AWS, Azure, GCP) and is compatible with registries like ECR, Azure Container Registry, Google Container Registry, and Google Artifact Registry. ```sh $ terrascan scan -i --find-vuln ``` -------------------------------- ### Scanning Infrastructure as Code with Terrascan Source: https://github.com/tenable/terrascan/blob/master/README.md This command initiates a scan of the current directory for security issues using Terrascan. By default, it scans Terraform files, and it will exit with an error code if violations are found. ```sh terrascan scan ``` -------------------------------- ### Configuring Persistent Storage for Terrascan Database (YAML) Source: https://github.com/tenable/terrascan/blob/master/deploy/helm/README.md This YAML snippet demonstrates how to configure persistent storage for the Terrascan admission controller database within the Helm chart. By setting `persistence.enabled` to `true` and providing an `existingclaim` name, Terrascan will use a pre-existing Persistent Volume Claim instead of a temporary `emptyDir` volume. ```yaml persistence: enabled: false existingclaim: pvcClaimName ``` -------------------------------- ### Creating a New Branch for Development - Git Source: https://github.com/tenable/terrascan/blob/master/CONTRIBUTING.md This command creates a new local branch for your bugfix or feature and switches to it. It's crucial for isolating your changes and preparing them for a pull request. Replace `name-of-your-bugfix-or-feature` with a descriptive name for your branch. ```Shell $ git checkout -b name-of-your-bugfix-or-feature ``` -------------------------------- ### Enabling Logging for GCP Cloud Storage Buckets (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that logging is enabled for Cloud Storage buckets. Enabling logging provides an audit trail of access and changes, crucial for security monitoring and compliance. ```policy description Ensure that logging is enabled for Cloud storage buckets. ``` -------------------------------- ### Updating Homebrew Formula for Terrascan Source: https://github.com/tenable/terrascan/blob/master/release_checklist.md This sequence of commands updates the Homebrew formula for Terrascan, creating a pull request to bump the version. It calculates the SHA256 checksum of the new release archive, which is required for Homebrew formula integrity. macOS users should use `shasum -a 256`. ```Shell export TERRASCAN_VERSION= brew bump-formula-pr --no-browse --url https://github.com/tenable/terrascan/archive/${TERRASCAN_VERSION}.tar.gz --sha256 $(curl -sL https://github.com/tenable/terrascan/archive/${TERRASCAN_VERSION}.tar.gz | sha256sum | awk '{print $1}') terrascan ``` -------------------------------- ### Enabling Uniform Bucket-Level Access for GCP Cloud Storage Buckets (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that Cloud Storage buckets have uniform bucket-level access enabled. This simplifies access control by enforcing consistent IAM policies across all objects within a bucket. ```policy description Ensure that Cloud Storage buckets have uniform bucket-level access enabled. ``` -------------------------------- ### Enabling Object Versioning on Log Buckets for GCP Cloud Storage (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that object versioning is enabled on log-buckets. Versioning helps protect logs from accidental deletion or modification, ensuring data integrity for auditing purposes. ```policy description Ensure that object versioning is enabled on log-buckets. ``` -------------------------------- ### Ensuring MSSQL Debugger Not Exposed to Broad Private Hosts for GCP Compute Firewall (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that MSSQL Debugger (TCP:135) is not exposed to more than 32 private hosts via Google Compute Firewall rules. It limits the attack surface for debugging services within private networks. ```policy description Ensure MSSQL Debugger (TCP:135) is not exposed to private hosts more than 32 for Google Compute Firewall ``` -------------------------------- ### Ensuring VM Disks Encrypted with CSEK for GCP Compute Disk (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that VM disks for critical virtual machines are encrypted with Customer Supplied Encryption Keys (CSEK). Using CSEK provides an additional layer of control over encryption keys for sensitive data. ```policy description Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) . ``` -------------------------------- ### Enabling DNSSEC for GCP Cloud DNS Managed Zone (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that DNSSEC is enabled for Cloud DNS managed zones. Enabling DNSSEC helps protect against DNS spoofing and other attacks by validating DNS responses. ```policy description Ensure that DNSSEC is enabled for Cloud DNS. ``` -------------------------------- ### Rego Policy to Flag Public GitHub Repositories Source: https://github.com/tenable/terrascan/blob/master/docs/policies.md This Rego policy, written for Open Policy Agent (OPA), checks if a `github_repository` resource is configured as public (`private = false` or `visibility != "private"`). It uses the normalized JSON input from Terrascan to identify non-private repositories. ```Rego package accurics privateRepoEnabled[api.id] { api := input.github_repository[_] not api.config.private == true not api.config.visibility == "private" } ``` -------------------------------- ### Ensuring Cassandra Not Exposed to Broad Private Hosts for GCP Compute Firewall (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that Cassandra (TCP:7001) is not exposed to more than 32 private hosts via Google Compute Firewall rules. It limits the attack surface for Cassandra services within private networks. ```policy description Ensure Cassandra (TCP:7001) is not exposed to private hosts more than 32 for Google Compute Firewall ``` -------------------------------- ### Ensuring Unencrypted Memcached Instances Not Exposed to Broad Private Hosts for GCP Compute Firewall (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that Unencrypted Memcached Instances (TCP:11211) are not exposed to more than 32 private hosts via Google Compute Firewall rules. It prevents unauthorized access to unencrypted Memcached data within private networks. ```policy description Ensure Unencrypted Memcached Instances (TCP:11211) is not exposed to private hosts more than 32 for Google Compute Firewall ``` -------------------------------- ### Preventing Weak Cipher Suites in GCP HTTPS/SSL Proxy Load Balancers (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites. It enforces the use of strong cryptographic ciphers to protect data in transit. ```policy description Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites. ``` -------------------------------- ### Ensuring MSSQL Server Not Exposed to Entire Internet for GCP Compute Firewall (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that MSSQL Server (TCP:1433) is not exposed to the entire internet via Google Compute Firewall rules. It prevents unauthorized external access to sensitive database services. ```policy description Ensure MSSQL Server (TCP:1433) is not exposed to entire internet for Google Compute Firewall ``` -------------------------------- ### Ensuring SSH Not Exposed to Broad Private Hosts for GCP Compute Firewall (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that SSH (TCP:20) is not exposed to more than 32 private hosts via Google Compute Firewall rules. It limits the attack surface for SSH access within private networks. ```policy description Ensure SSH (TCP:20) is not exposed to private hosts more than 32 for Google Compute Firewall ``` -------------------------------- ### Preventing Admin Privileges for Service Accounts in GCP IAM (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that Service Accounts do not have Admin privileges. Limiting service account permissions to the least privilege necessary reduces the blast radius in case of compromise. ```policy description Ensure that Service Account has no Admin privileges. ``` -------------------------------- ### Restricting Service Account Roles at Project Level for GCP IAM (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that IAM users are not assigned the Service Account User or Service Account Token Creator roles at the project level. This prevents excessive privileges that could be used to impersonate service accounts. ```policy description Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level. ``` -------------------------------- ### Ensuring Memcached SSL Not Exposed to Broad Private Hosts for GCP Compute Firewall (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that Memcached SSL (TCP:11215) is not exposed to more than 32 private hosts via Google Compute Firewall rules. It limits the attack surface for Memcached services within private networks. ```policy description Ensure Memcached SSL (TCP:11215) is not exposed to private hosts more than 32 for Google Compute Firewall ``` -------------------------------- ### Ensuring Known Internal Web Port (8080) Not Exposed to Broad Private Hosts for GCP Compute Firewall (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that the known internal web port (TCP:8080) is not exposed to more than 32 private hosts via Google Compute Firewall rules. It limits the attack surface for internal web applications within private networks. ```policy description Ensure Known internal web port (TCP:8080) is not exposed to private hosts more than 32 for Google Compute Firewall ``` -------------------------------- ### Ensuring Cassandra Internode Communication Not Publicly Exposed for GCP Compute Firewall (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that Cassandra Internode Communication (TCP:7000) is not exposed to the public internet via Google Compute Firewall rules. It prevents unauthorized external access to Cassandra services. ```policy description Ensure Cassandra Internode Communication (TCP:7000) is not exposed to public for Google Compute Firewall ``` -------------------------------- ### Ensuring Telnet Not Exposed to Entire Internet for GCP Compute Firewall (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that Telnet (TCP:23) is not exposed to the entire internet via Google Compute Firewall rules. It prevents unauthorized external access to Telnet, which is an insecure protocol. ```policy description Ensure Telnet (TCP:23) is not exposed to entire internet for Google Compute Firewall ``` -------------------------------- ### Ensuring DNS Not Publicly Exposed for GCP Compute Firewall (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that DNS (UDP:53) is not exposed to the public internet via Google Compute Firewall rules. It prevents unauthorized external access to DNS services. ```policy description Ensure DNS (UDP:53) is not exposed to public for Google Compute Firewall ``` -------------------------------- ### Ensuring Known Internal Web Port (8000) Not Publicly Exposed for GCP Compute Firewall (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that the known internal web port (TCP:8000) is not exposed to the public internet via Google Compute Firewall rules. It prevents unauthorized external access to internal web applications. ```policy description Ensure Known internal web port (TCP:8000) is not exposed to public for Google Compute Firewall ``` -------------------------------- ### Ensuring SNMP Not Exposed to Entire Internet for GCP Compute Firewall (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that SNMP (UDP:161) is not exposed to the entire internet via Google Compute Firewall rules. It prevents unauthorized external access to SNMP services, which can reveal network information. ```policy description Ensure SNMP (UDP:161) is not exposed to entire internet for Google Compute Firewall ``` -------------------------------- ### Ensuring Oracle DB Not Publicly Exposed for GCP Compute Firewall (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that Oracle Database (TCP:2483) is not exposed to the public internet via Google Compute Firewall rules. It prevents unauthorized external access to sensitive database services. ```policy description Ensure Oracle DB (TCP:2483) is not exposed to public for Google Compute Firewall ``` -------------------------------- ### Preventing Anonymous/Public Access to GCP Cloud Storage Bucket (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that Cloud Storage buckets are not anonymously or publicly accessible. Restricting public access prevents unauthorized data exposure and maintains data confidentiality. ```policy description Ensure that Cloud Storage bucket is not anonymously or publicly Accessible. ``` -------------------------------- ### Preventing RSASHA1 for DNSSEC Keys in GCP DNS Managed Zone (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that RSASHA1 is not used for zone-signing and key-signing keys in Cloud DNS DNSSEC. It mandates the use of stronger cryptographic algorithms for DNSSEC to enhance security. ```policy description Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC. ``` -------------------------------- ### Ensuring Elastic Search Not Publicly Exposed for GCP Compute Firewall (Policy Description) Source: https://github.com/tenable/terrascan/blob/master/docs/policies/gcp.md This policy ensures that Elastic Search (TCP:9300) is not exposed to the public internet via Google Compute Firewall rules. It prevents unauthorized external access to Elastic Search services. ```policy description Ensure Elastic Search (TCP:9300) is not exposed to public for Google Compute Firewall ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.