News

Terrascan Update Leverages Cloud Native Computing Foundation's OPA Engine

• By John K. Waters
• August 17, 2020

Cloud security provider Accurics today announced a major update of its free and open-source Terrascan static code analyzer. In this release, the Terrascan v1.0 architecture leverages the Open Policy Agent (OPA) engine from the Cloud Native Computing Foundation (CNCF) to make it easier for developers to create custom compliance policies, and includes more than 500 out-of-the-box policies based on the CIS Benchmark.

The CNCF's OPA was developed to unify policy enforcement across the stack. It's an open-source, general-purpose policy engine that provides a high-level declarative language that allows developers to specify policy as code and simple APIs to offload policy decision-making from their software.

Terrascan was designed to help developers build secure infrastructure as code (IaC). It provides a scalable way to make sure that infrastructure was configured in adherence with security best practices. The tool emerged from research by its creator, Cesar Rodriguez, head of developer advocacy at Accurics, who was looking for a tool to scan Terraform, an infrastructure build tool developed by HashiCorp. The tool he developed grew beyond its focus on Terraform templates, he explained in a blog post, when he realized  the same techniques used for application code, such as static code analysis, could be used to identify security weaknesses in IaC.

"The rapid adoption of Infrastructure as Code is clearly meeting its intended goal: to help organizations achieve more reliability by programmatically embedding policy checks earlier in the development lifecycle," Rodriguez said in a statement. "This is vital in an environment where the scale and velocity of cloud breaches is constantly increasing, and organizations are required to implement policy guardrails to ensure that cloud native infrastructure is securely defined and managed. Terrascan is already playing a key role in this process within many organizations, and the newest iteration takes these important capabilities much further."

The latest release provides a pluggable architecture that can use the same approach to scan Terraform, AWS CloudFormation, Kubernetes, and any other type of IaC tooling.

The Pleasanton, CA-based company unveiled the Terrascan update during KubeCon + CloudNativeCon Europe 2020 Virtual, the CNCF's flagship conference underway online this week. The conference "gathers adopters and technologists from leading open-source and cloud native communities virtually…," the organizers said on the website, "…for four days to further the education and advancement of cloud native computing."

Terrascan is now available as a GitHub Action and is included in the popular Super-Linter GitHub Action. It can be installed as a pre-commit hook to help detect issues before code is pushed into your repository, and also integrated into the CI/CD pipeline. It can be downloaded here.