Terrascan


DEPRECATED
Category: IaC Security
License: Free (Open-Source, Apache 2.0)
Suphi Cankurt
AppSec Enthusiast
Updated February 8, 2026
Key Takeaways
  • Archived November 2025 — no new issues, PRs, or releases accepted. Codebase remains available under Apache 2.0 for community forks.
  • Had 5.2k GitHub stars with 500+ built-in policies covering AWS, Azure, GCP, and Kubernetes, aligned to CIS, NIST 800-53, PCI-DSS, HIPAA, and SOC 2.
  • Scanned 7 IaC formats (Terraform HCL2, CloudFormation, Kubernetes, Helm v3, Kustomize, ARM, Dockerfile) with OPA/Rego custom policy support.
  • Actively maintained alternatives: Checkov (Prisma Cloud), KICS (Checkmarx), Trivy (Aqua Security), and Snyk IaC.

Terrascan is an open-source static code analyzer for Infrastructure as Code. Built by Tenable, it ships 500+ security policies and uses the Open Policy Agent (OPA) engine for custom rules written in Rego. The project accumulated 5.2k GitHub stars and 542 forks before being archived.

Project Archived
Terrascan was archived by its maintainers on November 20, 2025. The GitHub repository is now read-only — no new issues, pull requests, or releases are accepted. The documentation site (runterrascan.io) redirects to Tenable’s commercial cloud security page. The codebase remains available under Apache 2.0 for community forks. For actively maintained alternatives, see Checkov, KICS, or Trivy.

What Terrascan Does

Terrascan scans IaC files against a policy library and flags security misconfigurations before they reach production. It covers seven IaC formats: Terraform HCL2, CloudFormation, Kubernetes manifests, Helm v3, Kustomize, ARM Templates, and Dockerfiles.

The scanner also handles Docker image vulnerability detection across ECR, Azure Container Registry, GCP Artifact Registry, and Harbor.

Policies map to compliance frameworks including CIS Benchmarks, NIST 800-53, PCI-DSS, HIPAA, and SOC 2. Each policy includes a risk description and remediation steps.

500+ Built-in Policies
Covers AWS, Azure, GCP, and Kubernetes. Aligned to CIS Benchmarks, NIST 800-53, PCI-DSS, HIPAA, and SOC 2.
OPA/Rego Custom Rules
Write organization-specific policies using the same Rego language as Open Policy Agent. Custom rules run alongside built-in ones.
7 IaC Formats
Terraform HCL2, CloudFormation, Kubernetes, Helm v3, Kustomize, ARM Templates, and Dockerfiles in a single binary.

Key Features

Feature                   Details
Policy count              500+ built-in policies across all supported cloud providers
Policy engine             Open Policy Agent (OPA) with Rego language
IaC formats               Terraform HCL2, CloudFormation, K8s, Helm v3, Kustomize, ARM, Dockerfile
Cloud providers           AWS, Azure, GCP, GitHub
Compliance mapping        CIS Benchmarks, NIST 800-53, PCI-DSS, HIPAA, SOC 2
Output formats            Human-readable, JSON, SARIF, YAML, XML
K8s admission controller  Validating webhook blocks non-compliant resources at deploy time
Drift detection           Compares IaC definitions against live cloud resources
Container scanning        Docker image vulnerability detection (ECR, ACR, GAR, Harbor)
Server mode               Runs as HTTP API server for integration with other tools

Scan Output

Terrascan reports violations with the policy name, description, severity level, file path, and line number. Exit codes indicate the result: 0 for clean, 3 for violations found, 4 for errors, 5 for both.

[Figure: Terrascan scan output showing policy violations with severity, description, and file location]

Custom Policies with Rego

Teams write their own rules in Rego and place them alongside the built-in policy set. Useful for things standard benchmarks don’t cover: naming conventions, tagging policies, region restrictions, or internal network rules.
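As an added example (not the Terrascan project's own code), the shell function below writes out the two files Terrascan expects for one custom policy, a Rego rule and its JSON metadata, here flagging aws_s3_bucket resources that carry no Owner tag. The rule name, reference_id, the Owner tag and the flat directory layout passed to --policy-path are my assumptions; the package name, template placeholders and metadata keys follow Terrascan's custom-policy format.

```shell
#!/usr/bin/env sh
# Added example, not Terrascan project code: scaffold a custom policy pair
# (.rego rule + .json metadata) in the layout Terrascan loads via
# --policy-path. Rule name, reference_id and the "Owner" tag are hypothetical.
set -eu

write_custom_policy() {
  # $1: directory to create the policy pair in; prints the directory path
  dir="$1"
  mkdir -p "$dir"

  # Rule body. Terrascan substitutes the rule name from template_args in the
  # metadata and exposes each resource as input.<resource_type>[_], with the
  # resource's attributes under .config.
  cat > "$dir/s3RequireOwnerTag.rego" <<'EOF'
package accurics

{{.prefix}}{{.name}}{{.suffix}}[retVal] {
    bucket := input.aws_s3_bucket[_]
    # Violation when no Owner tag is defined (Rego 'not' matches undefined;
    # an empty-string Owner still counts as present)
    not bucket.config.tags.Owner
    retVal := bucket.id
}
EOF

  # Metadata: binds the rule to a resource type, severity and reference ID.
  # policy_type must match the -t value passed to terrascan scan.
  cat > "$dir/s3RequireOwnerTag.json" <<'EOF'
{
  "name": "s3RequireOwnerTag",
  "file": "s3RequireOwnerTag.rego",
  "policy_type": "aws",
  "resource_type": "aws_s3_bucket",
  "template_args": { "name": "s3RequireOwnerTag", "prefix": "", "suffix": "" },
  "severity": "MEDIUM",
  "description": "S3 bucket is missing the mandatory Owner tag (hypothetical internal rule)",
  "reference_id": "CUSTOM_AWS_0001",
  "category": "Tagging",
  "version": 1
}
EOF
  printf '%s\n' "$dir"
}

# Scaffold, then run built-in and custom policies together:
#   write_custom_policy ./custom-policies
#   terrascan scan -t aws -i terraform -d ./infrastructure/ -p ./custom-policies
```

Violations from the custom rule appear in the same report as the built-in ones, with the severity and reference_id taken from the metadata file.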

Kubernetes Admission Controller

Terrascan can deploy as a Kubernetes validating webhook. Every resource submitted to the API server gets checked against the policy set before admission. Resources that fail checks are rejected with a clear error message.

Drift Detection

The scanner compares your IaC definitions against live cloud resources and flags differences. Useful for catching manual changes made outside of Terraform that cause configuration drift.

Skip Rules

You can suppress specific policies per resource using inline comments in your IaC files. Terrascan reads #ts:skip=RULE_ID annotations directly from the code.

[Figure: Terrascan skip rules annotation in Kubernetes YAML to suppress specific policy violations]

Getting Started

1. Install Terrascan: use Homebrew (brew install terrascan), Docker (docker run tenable/terrascan), or download the binary from GitHub releases. Available for Linux, macOS, and Windows.
2. Initialize policies: run terrascan init to download the latest policy set. Policies are stored locally and can be updated independently.
3. Run a scan: execute terrascan scan -t aws -i terraform -d ./infrastructure/ to scan Terraform files. Replace the type and directory flags for other IaC formats.
4. Review results: check violations in the terminal output, or use -o sarif to generate SARIF files for GitHub Code Scanning integration.

Configuration

Create a .terrascan.toml file to customize scan behavior:

[Figure: Terrascan configuration file showing rule skipping and notification settings]

The config file supports skipping specific rules by ID, setting minimum severity thresholds, and configuring webhook notifications for scan results.

CI/CD Integration

Terrascan plugs into CI/CD pipelines through its Docker image or the official GitHub Action (tenable/terrascan-action). SARIF output feeds directly into GitHub Code Scanning alerts, putting IaC violations in the same Security tab as your other code analysis findings.

For GitLab CI, the Docker image runs in a pipeline stage and produces SAST-compatible reports. Jenkins and other CI tools work through the CLI binary or Docker container.

SARIF Integration
Use terrascan scan -o sarif > results.sarif to generate output compatible with GitHub Code Scanning. Upload the file with the github/codeql-action/upload-sarif action to see IaC violations in your repository’s Security tab.

When to Consider Terrascan

Terrascan made sense for teams that wanted a free IaC scanner with broad compliance coverage and OPA/Rego extensibility. The policy library covers most common misconfigurations without needing custom rule development.

Given the November 2025 archival, new adopters should evaluate actively maintained alternatives. Checkov and KICS are both open-source and cover similar IaC formats. Trivy adds container and dependency scanning to its IaC capabilities.

Existing Terrascan users can continue running the last release, but there will be no patches for new vulnerabilities or support for newer versions of Terraform, Kubernetes, or cloud provider APIs.

For a broader view of IaC security strategy, see our cloud infrastructure security guide. Browse other IaC security tools to compare options.

Note: Project archived by maintainers in November 2025; codebase remains available for community forks.

Frequently Asked Questions

What is Terrascan?
Terrascan is an open-source IaC static code analyzer originally maintained by Tenable with 5.2k GitHub stars. It scans Terraform, CloudFormation, Kubernetes, Helm, Docker, and more with 500+ built-in policies. The project was archived in November 2025.
Is Terrascan still maintained?
No. Terrascan was archived by its maintainers on November 20, 2025. The GitHub repository is now read-only. No new issues, pull requests, or releases are accepted. The codebase remains available for community forks. Consider Checkov, KICS, or Trivy as actively maintained alternatives.
What IaC frameworks does Terrascan support?
Terrascan supports Terraform HCL2, CloudFormation (YAML and JSON), Kubernetes manifests, Helm v3, Kustomize, ARM Templates, and Dockerfiles. Custom policies are written in OPA/Rego.
Can Terrascan run in CI/CD pipelines?
Yes, Terrascan integrates with GitHub Actions and GitLab CI, outputs SARIF for GitHub Code Scanning alerts, and can run as a Kubernetes admission controller to block non-compliant resources at deploy time.
What are the alternatives to Terrascan?
Actively maintained IaC scanners include Checkov (by Prisma Cloud), KICS (by Checkmarx), Trivy (by Aqua Security), and Snyk IaC. All cover Terraform, CloudFormation, and Kubernetes with active development and community support.