News

Terrascan Cloud Security Gets Kubernetes Support

• By John K. Waters
• September 17, 2020

Cloud security provider Accurics has release an update of its free and open-source Terrascan static code analyzer with new support for Kubernetes. Terrascan 1.1.0 works with Kubernetes YAML and JSON configurations, and includes policies for security risks present in those files, the company says.

"Cloud native apps and infrastructure are notoriously complex and difficult to secure with traditional tools," Accurics developer advocate Jon Jarboe wrote in a blog post. "Kubernetes adds automation and orchestration that escalate those problems to another level. Practically speaking, security automation is mandatory.  It's not realistic to expect humans to comprehend such complex, dynamic environments."

Terrascan is an extensible tool that enables software teams to detect compliance and security violations across Infrastructure as Code (IaC) to mitigate risk before provisioning cloud native infrastructure. "By adding Kubernetes support to Terrascan," Jarboe said, "we're ensuring that all teams, regardless of budget, have access to the tools they need to secure their cloud native apps and infrastructure well before they are ever deployed in the cloud."

IaC is the practice of provisioning and managing IT infrastructure using coding, rather than physical hardware configuration or interactive configuration tools.

The Pleasanton, CA-based company's flagship tool emerged from research conducted by its creator, Cesar Rodriguez, head of developer advocacy at Accurics, who was looking for a tool to scan Terraform, an infrastructure build tool developed by HashiCorp. The tool he developed grew beyond its focus on Terraform templates, he explained in an earlier blog post, when he realized the same techniques used for application code, such as static code analysis, could be used to identify security weaknesses in IaC.

Terrascan is usually run as a portable Go binary or a Docker container. Its command line interface can be adapted to run it from a terminal, a script, from within a pipeline, and numerous other contexts. Terrascan defaults to scanning YAML and JSON files in the current directory and subdirectories. By default, output is sent to the terminal in YAML format. The structured output includes a summary of the results as well as the details needed to prioritize and fix the findings.  It's suitable for humans to read, and for programmatic processing.

Terrascan is available as a GitHub Action and is included in the popular Super-Linter GitHub Action. It can be installed as a pre-commit hook to help detect issues before code is pushed into your repository, and also integrated into the CI/CD pipeline. It can be downloaded here. The company also supports a community forum here.