
Merge pull request #288 from accurics/terrascan-v1.0-docs
Terrascan v1.0 docs
kanchwala-yusuf authored Aug 16, 2020
2 parents 64c03e9 + 1aa2338 commit 4a318e3
Showing 18 changed files with 1,107 additions and 127 deletions.
23 changes: 14 additions & 9 deletions CHANGELOG.md
@@ -1,26 +1,31 @@
# Changelog

## 1.0.0 (UNRELEASED)
Major updates to Terrascan and the underlying architecture.
Major updates to Terrascan and the underlying architecture including:

- Pluggable architecture written in Golang. We updated the architecture to be easier to extend Terrascan with additional IaC languages and support policies for different cloud providers and cloud native tooling.
- Server mode. This allows Terrascan to be executed as a server and use it's API to perform static code analysis
- Notifications hooks. Will be able to integrate for notifications to external systems (e.g. email, slack, etc.)
- Uses OPA policy engine and policies written in Rego.

## 0.2.3 (2020-07-23)
* Introduces the '-f' flag for passing a list of ".tf" files for linting and the '--version' flag.
- Introduces the '-f' flag for passing a list of ".tf" files for linting and the '--version' flag.

## 0.2.2 (2020-07-21)
* Adds Docker image and pipeline to push to DockerHub
- Adds Docker image and pipeline to push to DockerHub

## 0.2.1 (2020-06-19)
* Bugfix: The pyhcl hard dependency in the requirements.txt file caused issues if a higher version was installed. This was fixed by using the ">=" operator.
- Bugfix: The pyhcl hard dependency in the requirements.txt file caused issues if a higher version was installed. This was fixed by using the ">=" operator.

## 0.2.0 (2020-01-11)
* Adds support for terraform 0.12+
- Adds support for terraform 0.12+

## 0.1.2 (2020-01-05)
* Adds ability to setup terrascan as a pre-commit hook
- Adds ability to setup terrascan as a pre-commit hook

## 0.1.1 (2020-01-01)
* Updates dependent packages to latest versions
* Migrates CI to GitHub Actions from travis
- Updates dependent packages to latest versions
- Migrates CI to GitHub Actions from travis

## 0.1.0 (2017-11-26)
* First release on PyPI.
- First release on PyPI.
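Review bot: the new 1.0.0 bullets carry wording slips that will end up verbatim in release notes: "use it's API" on the Server mode line should read "use its API", and the Notifications line is a fragment ("Notifications hooks. Will be able to integrate for notifications to external systems") that reads better as "Notification hooks: integrates with external systems (e.g. email, Slack) for scan notifications". Switching the older entries from `*` to `-` bullets is a harmless consistency change, but it makes this hunk touch every historical entry for no content change; keeping that reformatting in its own commit would make the actual 1.0.0 addition easier to review.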
60 changes: 23 additions & 37 deletions README.md
Expand Up @@ -2,7 +2,7 @@
![CI](https://github.com/accurics/terrascan/workflows/build/badge.svg)
[![codecov](https://codecov.io/gh/accurics/terrascan/branch/master/graph/badge.svg)](https://codecov.io/gh/accurics/terrascan)
[![community](https://img.shields.io/discourse/status?server=https%3A%2F%2Fcommunity.accurics.com)](https://community.accurics.com)
[![Documentation](https://readthedocs.org/projects/terrascan/badge/?version=latest)](https://terrascan.readthedocs.io/en/latest/?badge=latest)
[![Documentation Status](https://readthedocs.com/projects/accurics-terrascan/badge/?version=latest)](https://docs.accurics.com/projects/accurics-terrascan/en/latest/?badge=latest)
[![downloads](https://img.shields.io/github/downloads/accurics/terrascan/total)](https://github.com/accurics/terrascan/releases)


Expand Down Expand Up @@ -30,13 +30,6 @@ $ install terrascan /usr/local/bin
$ terrascan --help
```

### Homebrew
Terrascan can be installed using Homebrew on macOS:

```
brew install terrascan
```

### Docker
Terrascan is also available as a Docker image and can be used as follows

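Review bot: the Homebrew install section is dropped without a replacement or an explanation, so users who installed 0.x via `brew install terrascan` get no guidance on how to move to 1.0. If the formula simply has not been updated yet, keep the section with a note that it still points at the 0.x release; if Homebrew is no longer a supported channel, say so in the CHANGELOG's 1.0.0 entry in this same commit.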
Expand All @@ -49,49 +42,42 @@ $ docker run accurics/terrascan
To scan your code for security issues you can run the following

```
$ terrascan --iac terraform --iac-version v12 --cloud aws -d pkg/iac-providers/terraform/v12/testdata/moduleconfigs
$ terrascan scan -t aws
```

The following flags are available:
The following commands are available:

```
$ terrascan -h
$ terrascan
Terrascan
Scan IaC files for security violations
Usage
terrascan -cloud [aws|azure|gcp] [options...]
Options
Cloud
-cloud Required. Cloud provider (supported values: aws, azure, gcp)
An advanced IaC (Infrastructure-as-Code) file scanner written in Go.
Secure your cloud deployments at design time.
For more information, please visit https://www.accurics.com
IaC (Infrastructure as Code)
-d IaC directory path (default: current working directory)
-f IaC file path
-iac IaC provider (supported values: terraform, default: terraform)
-iac-version IaC version (supported values: 'v12' for Terraform, default: v12)
-p Policy directory path
Usage:
terrascan [command]
Mode
-server Run Terrascan in server mode
Available Commands:
help Help about any command
init Initialize Terrascan
scan Scan IaC (Infrastructure-as-Code) files for vulnerabilities.
server Run Terrascan as an API server
Logging
-log-level Logging level (supported values: debug, info, warn, error, panic, fatal)
-log-type Logging type (supported values: json, yaml, console, default: console)
Flags:
-c, --config-path string config file path
-h, --help help for terrascan
-l, --log-level string log level (debug, info, warn, error, panic, fatal) (default "info")
-x, --log-type string log output type (console, json) (default "console")
-o, --output-type string output type (json, yaml, xml) (default "yaml")
-v, --version version for terrascan
Miscellaneous
-config Configuration file path
-version Print the Terrascan version
Use "terrascan [command] --help" for more information about a command.
```

## Documentation

To learn more about Terrascan check out the documentation https://docs.accurics.com where we include a getting started guide, Terrascan's architecture, a break down of it's commands, and how to write your own policies.
To learn more about Terrascan check out the documentation https://docs.accurics.com where we include a getting started guide, Terrascan's architecture, a break down of it's commands, and a deep dive into policies.

## Developing Terrascan
To learn more about developing and contributing to Terrascan refer to our [contributing guide](CONTRIBUTING.md).
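Review bot: the quick-start example `terrascan scan -t aws` uses a `-t` flag that does not appear in the root help output shown right below it (only `-c`, `-h`, `-l`, `-x`, `-o` and `-v` are listed), so a reader cannot tell what `-t` selects or which values it accepts; either add the `terrascan scan --help` output after the root help, or state that `-t` selects the cloud provider, as the removed `-cloud [aws|azure|gcp]` usage did. The Documentation paragraph also carries over "a break down of it's commands", which should read "a breakdown of its commands". Minor: the `scan` entry in the help text says "for vulnerabilities" while the banner says "security violations"; picking one term avoids confusion about what a finding is.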
4 changes: 2 additions & 2 deletions build/Dockerfile
Expand Up @@ -28,9 +28,9 @@ RUN addgroup --gid 101 terrascan && \
USER terrascan

# copy terrascan binary from build
COPY --from=builder /go/bin/terrascan /go/bin/terrascan
COPY --from=builder /go/bin/terrascan /go/bin/terrascan

EXPOSE 9010

ENTRYPOINT ["/go/bin/terrascan", "--server"]
ENTRYPOINT ["/go/bin/terrascan", "server"]
CMD ["--log-type", "json"]
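Review bot: the entrypoint now runs the `server` subcommand and the unchanged CMD appends `--log-type json` after it, which only parses if `--log-type` is a persistent flag inherited by subcommands; the README hunk in this commit lists `-x, --log-type` under the root command's flags, which suggests it is, but a `docker run accurics/terrascan` smoke test before merge would confirm the container does not exit on an unknown-flag error with the non-root `terrascan` user. `EXPOSE 9010` has no matching port flag in the visible help output; if the listen port is fixed, a comment saying so next to EXPOSE would help operators who need to remap it.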
39 changes: 39 additions & 0 deletions docs/architecture.diagrams.py
@@ -0,0 +1,39 @@
from diagrams import Cluster, Diagram
from diagrams.aws.compute import ECS
from diagrams.aws.management import Cloudformation
from diagrams.aws.integration import ConsoleMobileApplication
from diagrams.azure.compute import VM
from diagrams.gcp.compute import GCE
from diagrams.programming.language import Bash
from diagrams.onprem import iac
from diagrams.onprem.compute import Server


with Diagram("Terrascan architecture", show=False):
cli = Bash("CLI")
server = Server("API server")
notifier = ConsoleMobileApplication("Notifier (Webhook)")
writer = Bash("Writer (JSON, YAML, XML)")

with Cluster("Runtime"):
ECS("Input Validate")
output = ECS("Output")
ECS("Process")

with Cluster("IaC Providers"):
tf = iac.Terraform("Terraform")
ansible = iac.Ansible("Ansible")
cft = Cloudformation("CloudFormation")


with Cluster("Policy Engine"):
policy = [
VM("Azure"),
GCE("GCP"),
ECS("AWS")
]

server >> output >> tf >> policy >> notifier
cli >> output >> ansible >> policy >> writer
output >> cft >> policy

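Review bot: the `ECS("Input Validate")` and `ECS("Process")` nodes inside the Runtime cluster are created but never connected, and every edge is routed through the `output` node (`server >> output >> tf >> ...`, `cli >> output >> ansible >> ...`), so the generated picture shows input entering the runtime at "Output" and skipping validation and processing, which contradicts the runtime description added in docs/architecture.md in this same commit. Suggest binding those nodes (`validate = ECS("Input Validate")`, `process = ECS("Process")`) and chaining `server >> validate >> process >> tf` (and likewise for `cli`) so the diagram matches the documented flow. Also, the notifier is reached only via the Terraform path and the writer only via the Ansible path, which visually implies that each provider has its own output channel; fanning both `notifier` and `writer` out from the `policy` list avoids that reading.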
14 changes: 11 additions & 3 deletions docs/architecture.md
@@ -1,7 +1,15 @@
# Architecture

## Runtime
Terrascan's architecture is built to be modular to facilitate adding IaC languages and policies. At a high level Terrascan is composed of the following architectural components: a command line interface, API server, runtime, pluggable IaC proviers, pluggable policy engine, notifier, and writter.

* Command Line Interface = Provides CLI input to Terrascan.
* API Server = Provider input to Terrascan through an API.
* Runtime = Performs input validation and process inputs
* IaC Providers = Converts IaC language into normalized JSON
* Policy Engine = Applies policies against normalized JSON
* Notifier = Providers webhooks for results of Terrascan scans.
* Writter = Writes results into various formats like JSON, YAML, or XML.

![Terrascan architecture](terrascan_architecture.png)

## IaC Language Providers

## Policy Engine
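Review bot: the new component list has several spelling and grammar slips: "proviers" should be "providers", "writter" should be "writer" (both in the intro sentence and in the "Writter =" bullet), "API Server = Provider input" should be "Provides input", "Notifier = Providers webhooks" should be "Provides webhooks", and "process inputs" should be "processes inputs". The "IaC Language Providers" and "Policy Engine" headings are added with empty bodies, so the rendered page ends in two bare headings; a one-line description or a TODO under each would make the gap deliberate, and the bullet list could then link each component to its section.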

0 comments on commit 4a318e3