#Terrascan

Read all about it: PFAS investigation at former landfill site confirms: no risks to the environment or public health | on Westfriesland Praat, By and for West Frisians | #abwf #bodemonderzoek #bodemzorg #drechterland #milieubeleid #milieuzorg #Pfas #Terrascan
westfrieslandpraat.nl/pfas-onderzo...

# 🔐 Strengthen Your IaC with Terrascan: A Complete Guide for Terraform Security

## 🛠️ Introduction

Infrastructure as Code (IaC) brings speed and consistency to cloud deployments, but it also opens the door to misconfigurations and vulnerabilities. Just like application code, your IaC must be secured.

In this article, we’ll dive into Terrascan, a powerful open-source SAST tool for IaC, and show how to use it to analyze and secure your Terraform infrastructure before it ever hits production.

By the end, you’ll know:

* What Terrascan is and how it works.
* How to use it on a real Terraform project.
* How to automate it using GitHub Actions.

## 🔍 What Is Terrascan?

Terrascan is a static code analyzer developed by Tenable that detects security and compliance violations in your Terraform (as well as Kubernetes, CloudFormation, ARM, and more) code. It uses Rego policies from Open Policy Agent (OPA) to enforce security best practices.

**🎯 Terrascan Highlights:**

* Supports over 500 built-in policies.
* Scans Terraform HCL files.
* Integrates with CI/CD pipelines.
* Detects AWS, Azure, GCP, and Kubernetes misconfigurations.

## ✅ Step-by-Step Demo

Let’s walk through scanning a vulnerable Terraform project.

**📁 Step 1: Prepare Vulnerable Terraform Code**

We’ll create an insecure AWS S3 bucket in `main.tf`:

```hcl
provider "aws" {
  region = "us-east-1"
}

resource "aws_s3_bucket" "example" {
  bucket = "my-unsecure-bucket"
  acl    = "public-read" # ❌ Publicly accessible!
}
```

_This configuration violates AWS security best practices because it allows public access._

**🔍 Step 2: Install Terrascan**

Install via Homebrew (macOS/Linux):

`brew install terrascan`

Or use Docker:

`docker run --rm -v $(pwd):/iac tenable/terrascan scan -t terraform`

Or download the binary from the official GitHub repo.

**📦 Step 3: Run Terrascan Locally**

To scan your code:

`terrascan scan -t terraform -d .`

Output:

```
Violation detected:
- Rule Name: AWS S3 bucket should not have public READ access.
- Severity: HIGH
- File: main.tf
- Line: 7
```

_✅ Terrascan catches the misconfiguration before deployment!_

**🧹 Step 4: Fix the Issue**

Replace the bucket ACL with a private setting:

```hcl
resource "aws_s3_bucket" "example" {
  bucket = "my-secure-bucket"
  acl    = "private" # ✅ Private access only
}
```

Scan again and verify no violations are found:

`terrascan scan -t terraform -d .`

## ⚙️ Bonus: Automate with GitHub Actions

Terrascan integrates easily with CI/CD. Create a `.github/workflows/terrascan.yml` file:

```yaml
name: Terraform Security Scan

on:
  push:
    branches: [main]
  pull_request:

jobs:
  terrascan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3

      - name: Install Terrascan
        run: |
          curl -L https://github.com/tenable/terrascan/releases/latest/download/terrascan_linux_amd64 -o terrascan
          chmod +x terrascan
          sudo mv terrascan /usr/local/bin/

      - name: Run Terrascan
        run: terrascan scan -t terraform -d .
```

_🚀 Every push or PR will now trigger a security scan!_

## 💻 GitHub Repository

👉 Demo Code + GitHub Actions ready to deploy:

🔗 View on GitHub

Includes:

* Vulnerable and fixed Terraform files
* `.github/workflows/terrascan.yml`
* README instructions

## 🧠 Conclusion

Terrascan makes it incredibly easy to integrate SAST into your Infrastructure as Code workflows. By catching risks early, you ensure cloud security and compliance without slowing development.

**✅ Key Benefits:**

* Fast and free.
* Over 500 built-in policies.
* Works locally and in CI/CD.
* Secures Terraform, Kubernetes, and more.

Start using Terrascan today and protect your infrastructure from the start!

## 💬 Got feedback?

Drop a comment below or share how you’re securing your IaC.

Happy scanning! 👨‍💻🛡️
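A pipeline that only runs the scan still needs a decision rule: which findings block a merge, and which reviewed exceptions are allowed through. The script below is an added example (not code from the article or from the Terrascan project) that reads a Terrascan JSON report (`terrascan scan -o json`) and returns the violations that should fail the build; the report structure (`results.violations[]` with `severity`, `file`, `line`, `rule_id` fields) and the sample `rule_id` values are assumptions, and the embedded report is constructed for the S3 bucket case above.

```python
"""CI gate for a Terrascan JSON report: fail on findings at or above a severity
threshold, with an explicit allow-list for reviewed exceptions."""
import json
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample report in the assumed shape of `terrascan scan -o json`;
# rule_id values are illustrative placeholders, not real Terrascan policy IDs.
SAMPLE_REPORT = json.dumps({
    "results": {
        "violations": [
            {"rule_name": "s3BucketPublicRead", "rule_id": "AWS.S3Bucket.SAMPLE.1",
             "description": "AWS S3 bucket should not have public READ access.",
             "severity": "HIGH", "resource_type": "aws_s3_bucket",
             "resource_name": "example", "file": "main.tf", "line": 7},
            {"rule_name": "s3BucketNoVersioning", "rule_id": "AWS.S3Bucket.SAMPLE.2",
             "description": "Versioning is not enabled on the bucket.",
             "severity": "MEDIUM", "resource_type": "aws_s3_bucket",
             "resource_name": "example", "file": "main.tf", "line": 5},
        ],
        "scan_summary": {"violated_policies": 2, "high": 1, "medium": 1, "low": 0},
    }
})


def blocking_violations(report_json, min_severity="HIGH", accepted_rule_ids=()):
    """Return the violations that should fail the pipeline: severity at or above
    min_severity and rule_id not in the reviewed allow-list. A clean scan may
    serialise `violations` as null, so treat that the same as an empty list."""
    report = json.loads(report_json)
    violations = report.get("results", {}).get("violations") or []
    threshold = SEVERITY_RANK[min_severity.upper()]
    return [
        v for v in violations
        if SEVERITY_RANK.get(str(v.get("severity", "")).upper(), 0) >= threshold
        and v.get("rule_id") not in accepted_rule_ids
    ]


def format_violation(v):
    """One-line summary pointing at the file and line a reviewer must look at."""
    return (f"[{v['severity']}] {v['file']}:{v['line']} "
            f"{v['resource_type']}.{v['resource_name']}: {v['description']} ({v['rule_id']})")


if __name__ == "__main__":
    # Usage: gate.py report.json  (falls back to the embedded sample report)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    blocking = blocking_violations(data, min_severity="MEDIUM")
    print("\n".join(format_violation(v) for v in blocking) or "no blocking violations")
    sys.exit(1 if blocking else 0)
```

Pair it with the workflow step by writing the scan output to a file and running this gate afterwards, so the threshold and the allow-list live in version control next to the Terraform code.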