🛠️ Introduction
Infrastructure as Code (IaC) brings speed and consistency to cloud deployments—but it also opens the door to misconfigurations and vulnerabilities. Just like application code, your IaC must be secured.
In this article, we’ll look at Terrascan, an open-source static analysis (SAST) tool for IaC, and use it to find and fix a misconfiguration in a Terraform project before anything reaches production.
By the end, you’ll know:
- What Terrascan is and how it works.
- How to use it on a real Terraform project.
- How to automate it using GitHub Actions.
🔍 What Is Terrascan?
Terrascan is a static code analyzer, originally built by Accurics and now maintained by Tenable, that detects security and compliance violations in Terraform code as well as Kubernetes manifests, Helm charts, Kustomize, CloudFormation and ARM templates, Dockerfiles and more.
Its policies are written in Rego, the policy language of Open Policy Agent (OPA), and evaluated by the OPA engine. Because they are plain Rego, you can extend the built-in set with your own policies (point Terrascan at a directory of them with -p).
🎯 Terrascan Highlights:
- Supports over 500 built-in policies.
- Scans Terraform HCL files.
- Integrates with CI/CD pipelines.
- Detects AWS, Azure, GCP, and Kubernetes misconfigurations.
✅ Step-by-Step Demo
Let’s walk through scanning a vulnerable Terraform project.
📁 Step 1: Prepare Vulnerable Terraform Code
We’ll create an insecure AWS S3 bucket in main.tf:

provider "aws" {
  region = "us-east-1"
}
resource "aws_s3_bucket" "example" {
  bucket = "my-unsecure-bucket"
  acl    = "public-read" # ❌ Publicly accessible!
}
This configuration violates AWS security best practices: the public-read canned ACL grants READ on the bucket to the AllUsers group, so anyone on the internet can list the bucket’s contents.
🔍 Step 2: Install Terrascan
Install via Homebrew (macOS/Linux):
brew install terrascan
Or use Docker:
docker run --rm -v "$(pwd):/iac" -w /iac tenable/terrascan scan -t terraform
Mounting the project at /iac and making it the working directory is what lets the container find your .tf files.
Or download a release tarball from the official GitHub repo (tenable/terrascan), extract the terrascan binary and put it on your PATH.
📦 Step 3: Run Terrascan Locally
To scan the current directory as Terraform:
terrascan scan -t terraform -d .
Abridged output (by default Terrascan prints a human-readable report; use -o json, -o yaml, -o sarif or -o junit-xml for machine-readable formats):
Violation detected:
- Rule Name: AWS S3 bucket should not have public READ access.
- Severity: HIGH
- File: main.tf
- Line: 4 (the line where the offending aws_s3_bucket block starts)
✅ Terrascan catches the misconfiguration before deployment. It also reports the result through its exit status: 0 when the scan is clean, 3 when violations were found, and other non-zero codes for scan errors. That exit status is what lets a CI job fail automatically.
🧹 Step 4: Fix the Issue
Replace the public ACL with a private one:
resource "aws_s3_bucket" "example" {
  bucket = "my-secure-bucket"
  acl    = "private" # ✅ Private access only
}
Scan again and confirm the public-read violation is gone:
terrascan scan -t terraform -d .
Two caveats. First, with 500+ policies a bare bucket will usually still trip other S3 hardening rules (versioning, server-side encryption, access logging and so on), so expect to fix those as well or skip accepted exceptions explicitly with --skip-rules rather than ignoring the whole report. Second, the acl argument on aws_s3_bucket has been deprecated since AWS provider v4.0 (it moved to the separate aws_s3_bucket_acl resource), and a private ACL alone does not stop a bucket policy from granting public access; the control that actually prevents exposure is aws_s3_bucket_public_access_block.
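As an added example (this is not code from the original post), here is the same bucket written against AWS provider v4 or later, where the deprecated acl argument is replaced by the dedicated resources that Terrascan’s S3 policies look for. It keeps the post’s resource name example; the bucket name my-secure-bucket is an assumed placeholder, since S3 bucket names are globally unique:

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# The bucket itself carries no ACL argument any more (deprecated in provider v4).
resource "aws_s3_bucket" "example" {
  bucket = "my-secure-bucket" # assumed placeholder; bucket names are globally unique
}

# Reject public ACLs and public bucket policies, whatever later edits do.
# This is the control that actually prevents public exposure.
resource "aws_s3_bucket_public_access_block" "example" {
  bucket                  = aws_s3_bucket.example.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Disable ACLs entirely: the bucket owner owns every object, so there is
# nothing for a "public-read" ACL to attach to.
resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.example.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# Keep object history so an accidental overwrite or delete is recoverable.
resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.example.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Encrypt every object at rest by default (SSE-S3; switch to aws:kms and
# add kms_master_key_id if you need customer-managed keys).
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.example.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
```

Scan this file exactly as in Step 3 (terrascan scan -t terraform -d .). Compared with the one-line fix above, the public access block closes the bucket-policy path as well as the ACL path, and BucketOwnerEnforced removes ACLs from the picture altogether, which is why no aws_s3_bucket_acl resource is needed here.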
⚙️ Bonus: Automate with GitHub Actions
Terrascan integrates easily with CI/CD.
Create a .github/workflows/terrascan.yml file:
name: Terraform Security Scan

on:
  push:
    branches: [main]
  pull_request:

jobs:
  terrascan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      - name: Install Terrascan
        run: |
          # Releases ship as tarballs, not bare binaries: resolve the latest Linux x86_64 asset.
          # For reproducible builds, replace releases/latest with releases/tags/v<version>.
          url=$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest \
                | grep -o -E 'https://[^"]+_Linux_x86_64\.tar\.gz' | head -n 1)
          curl -sSL "$url" -o terrascan.tar.gz
          tar -xf terrascan.tar.gz terrascan
          sudo install terrascan /usr/local/bin/terrascan

      - name: Run Terrascan
        run: terrascan scan -t terraform -d .
🚀 Every push to main and every pull request now triggers a scan, and the job fails whenever Terrascan exits with code 3 (violations found). A few practical adjustments: add --severity high if the gate should fail only on high-severity findings, --skip-rules for documented exceptions, and -o sarif if you want the findings uploaded to GitHub code scanning. Tenable also publishes a ready-made action, tenable/terrascan-action, if you would rather not install the binary yourself.
💻 GitHub Repository
👉 Demo Code + GitHub Actions ready to deploy: 🔗 View on GitHub
Includes:
- Vulnerable and fixed Terraform files
- .github/workflows/terrascan.yml
- README instructions
🧠 Conclusion
Terrascan makes it incredibly easy to integrate SAST into your Infrastructure as Code workflows. By catching risks early, you ensure cloud security and compliance—without slowing development.
✅ Key Benefits:
- Fast and free.
- Over 500 built-in policies.
- Works locally and in CI/CD.
- Secures Terraform, Kubernetes, and more.
Start using Terrascan today and protect your infrastructure from the start!
💬 Got feedback?
Drop a comment below or share how you’re securing your IaC.
Happy scanning! 👨‍💻🛡️