Last Updated on August 7, 2025 by Arnav Sharma
Terrascan is a robust tool designed to enhance security and compliance in Infrastructure as Code (IaC) environments. As cloud technologies and IaC have become central to modern IT infrastructure, tools like Terrascan play a critical role in ensuring these environments are secure and compliant with various regulations and best practices.
Terrascan
Terrascan is a static code analyzer for IaC, capable of identifying potential security risks and compliance issues before the infrastructure is provisioned. It supports various IaC languages and frameworks, such as Terraform, Kubernetes, Helm, and Docker, among others.
The core function of Terrascan is to scan IaC files for security violations and compliance issues. It evaluates each resource in the code against a policy library to flag misconfigurations and compliance gaps across infrastructure as code deployments, helping organizations mitigate risk before provisioning cloud native infrastructure.
Install Terrascan
To install Terrascan, users can download the latest version from the releases page on GitHub or install it via package managers like Homebrew for macOS. The installation process is straightforward, making it accessible for both developers and DevOps professionals.
Use Terrascan
Using Terrascan involves running scans directly from the command line or integrating it into CI/CD pipelines. It can be executed as a standalone tool or embedded within automated pipelines to identify policy violations in real-time during code commits.
Key Features
Terrascan’s key features include:
- Extensive Policy Library: Over 500 out-of-the-box policies that cover security best practices and compliance requirements such as the CIS benchmark.
- Multi-IaC Support: Compatibility with various IaC languages ensures that Terrascan can be used in diverse development environments.
- Custom Policies: Users can write custom policies using the Rego language, allowing for tailored security specifications that fit specific organizational needs.
Azure DevOps and Terrascan
Using Terrascan in Azure DevOps can significantly enhance the security and compliance of your Infrastructure as Code (IaC) deployments by integrating automated scans into your CI/CD pipelines. Here’s a detailed guide on how to incorporate Terrascan into your Azure DevOps environment to ensure your deployments are secure and compliant from the start.
Step 1: Install Terrascan
First, you need to ensure Terrascan is installed and accessible in your build environment. If Terrascan isn’t pre-installed in your Azure DevOps agents, you can add a step to install it during your pipeline execution.
- script: |
    curl -L "$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o -E 'https://[^"]*terrascan_[^"]*_Linux_x86_64.tar.gz')" | tar -xz -C /tmp terrascan
    sudo install /tmp/terrascan /usr/local/bin/terrascan
  displayName: 'Install Terrascan'
This script queries the GitHub releases API for the latest Terrascan release, downloads the Linux archive, extracts the terrascan binary and installs it into /usr/local/bin, a directory on the system's PATH. The grep pattern is single-quoted so that the double quotes inside the character classes are passed to grep rather than being consumed by the shell. Writing to /usr/local/bin needs root; Microsoft-hosted agents run the build user with passwordless sudo, while a self-hosted agent may need a different install location. For a reproducible and auditable build, pin a specific release tag instead of always pulling "latest" and verify the archive against the checksum published with that release.
Step 2: Add Terrascan Scan Task
Once Terrascan is installed, you can add a task to your pipeline to perform the scan. This task will execute Terrascan against your IaC configurations.
- script: |
    terrascan scan -t azure -d ./path_to_your_iac_files
  displayName: 'Run Terrascan Scan'
Replace ./path_to_your_iac_files with the path to the directory containing your Azure resource configurations, such as Terraform files or ARM templates. The -t (--policy-type) flag selects the Azure policy set; by default Terrascan detects the IaC type itself, and you can restrict it with -i (for example -i terraform or -i arm).
Step 3: Configure Failure Criteria
To make the pipeline react to the findings of Terrascan, configure it to fail upon detecting issues that exceed your risk tolerance. Terrascan already exits with a non-zero code (3) when the scan reports violations, so an Azure DevOps script step fails on its own whenever findings remain; failOnStderr is not needed for this. To set the threshold, use the --severity option, which limits the reported (and therefore failing) violations to the given level and above.
- script: |
    terrascan scan -t azure -d ./path_to_your_iac_files --severity high
  displayName: 'Run Terrascan Scan'
Step 4: Review and Act on the Results
After Terrascan runs, it will output a report detailing any violations it has detected. You should review these results and adjust your IaC code accordingly to resolve any issues. This feedback loop is crucial for maintaining security and compliance standards.
Step 5: Integrate into Azure DevOps Artifacts
For better traceability and reporting, integrate the output of Terrascan scans into Azure DevOps artifacts. You can save the scan reports as artifacts for later review or auditing purposes. Because a scan with violations fails its step, the publish step needs condition: succeededOrFailed(); otherwise it is skipped in exactly the runs whose report you want to keep.
- script: |
    terrascan scan -t azure -d ./path_to_your_iac_files --output json > terrascan-report.json
  displayName: 'Generate Terrascan Report'
- publish: $(System.DefaultWorkingDirectory)/terrascan-report.json
  artifact: Terrascan_Report
  condition: succeededOrFailed()
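To apply a threshold of your own to the saved report from Steps 3 to 5, here is an added gate script; it is not part of Terrascan or of the original post. It assumes the results.violations layout of Terrascan's JSON output, and the sample report embedded below is constructed by hand with placeholder rule IDs.

```python
"""Severity gate for a Terrascan JSON report (terrascan scan ... --output json)."""
import json
import sys

# Rank used to compare severities; Terrascan reports them in upper case.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample report (not real scan output); it mirrors the layout of
# Terrascan's JSON report: results.violations[] plus results.scan_summary.
SAMPLE_REPORT = json.dumps({"results": {
    "violations": [
        {"rule_id": "AC_AZURE_EXAMPLE_1", "rule_name": "httpsOnlyDisabled", "severity": "HIGH",
         "resource_type": "azurerm_storage_account", "resource_name": "logs", "file": "storage.tf", "line": 12},
        {"rule_id": "AC_AZURE_EXAMPLE_2", "rule_name": "sshOpenToWorld", "severity": "MEDIUM",
         "resource_type": "azurerm_network_security_rule", "resource_name": "ssh", "file": "nsg.tf", "line": 4},
        {"rule_id": "AC_AZURE_EXAMPLE_3", "rule_name": "missingTags", "severity": "LOW",
         "resource_type": "azurerm_resource_group", "resource_name": "rg", "file": "main.tf", "line": 1},
    ],
    "scan_summary": {"violated_policies": 3, "low": 1, "medium": 1, "high": 1},
}})


def load_violations(report_text):
    """Return the violation list; the key is null or absent when nothing was flagged."""
    return json.loads(report_text).get("results", {}).get("violations") or []


def gate(report_text, threshold="HIGH"):
    """Return (exit_code, lines): exit 1 if any violation is at or above the threshold."""
    floor = SEVERITY_RANK[threshold.upper()]
    hits = [v for v in load_violations(report_text)
            if SEVERITY_RANK.get(str(v.get("severity", "")).upper(), 0) >= floor]
    lines = [f"{v['severity']:<6} {v['rule_id']} {v['resource_type']}.{v['resource_name']} "
             f"({v['file']}:{v['line']})" for v in hits]
    return (1 if hits else 0), lines


def main(argv):
    """Usage: gate.py [report.json] [LOW|MEDIUM|HIGH]; the exit code fails the pipeline step."""
    path = argv[1] if len(argv) > 1 else "terrascan-report.json"
    threshold = argv[2] if len(argv) > 2 else "HIGH"
    with open(path, encoding="utf-8") as fh:
        code, lines = gate(fh.read(), threshold)
    print("\n".join(lines) if lines else f"no violations at or above {threshold}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a script step after the report is generated, for example python3 gate.py terrascan-report.json MEDIUM; unlike --severity on the scan itself, this keeps the full report in the artifact while the gate applies the threshold.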