Scanning Kustomize IaC configurations with Terrascan

Kustomize support was added in Terrascan v1.2.0. More information about v1.2.0 is available in the release announcement.

Quick start instructions are provided below for convenience. Full documentation is available in the Terrascan docs, and we have a blog post as well.

  1. Open a shell/command prompt and cd into a working directory for your Kustomize project.

  2. Run Terrascan. By default, Terrascan will scan the current directory and subdirectories. You can use the -d option to specify a different directory, and you can use that option more than once if everything isn’t in one place. Depending on how you want to run Terrascan, run one of the following options:

    • If you’re running a native Terrascan binary:

      terrascan scan -i kustomize

    • If you want to run the Docker container in a *nix-style shell:

      docker run --rm -v "$(pwd):/iac" -w /iac accurics/terrascan scan -i kustomize
      

      Note how we use the -v and -w options to mount the current directory on the host into /iac in the container for scanning.

  3. Terrascan’s output will go to stdout, in YAML format by default. The structured output includes a summary of the results as well as the details needed to prioritize and fix the findings.

  4. If violations are found, Terrascan’s exit code will be non-zero. This can be useful when Terrascan is run from a script, since you may be able to avoid parsing the output if you only want to know whether or not violations were identified. When running under Docker, note that Docker’s exit code may differ from Terrascan’s.

Now that you can run Terrascan from the command line, it should be easy to run from your preferred scripts, CI/CD tools, IDEs, etc. Check out our integrations category for more examples.

Terrascan is specialized for scanning infrastructure as code. If you’re interested in capabilities such as dashboards, historical reporting, policy enforcement in the cloud runtime, and automated remediation workflows, please check out our other free and commercial Accurics offerings.

If you have any questions, suggestions, or pull requests, please let us know here in the forums or on github.