Skip to content
Latchkey

terrascan scan: Policy Scan IaC for Violations

terrascan scan evaluates infrastructure as code against built-in OPA/Rego policies and reports security violations.

Terrascan is another static IaC scanner, policy-driven via OPA/Rego, covering Terraform, Kubernetes, Helm, and Dockerfiles. It overlaps with Checkov and tfsec, and teams often pick one as the gate.

What it does

terrascan scan parses IaC in the current directory, runs the bundled Rego policies for the detected or selected type, and prints violations with a rule ID, severity, and file location. It exits non-zero when violations are found (configurable), so it gates a pipeline like the other scanners.

Common usage

Terminal
# scan the current directory (auto-detect)
terrascan scan
# Terraform on AWS, SARIF output
terrascan scan -i terraform -t aws -o sarif > terrascan.sarif
# scan a Kubernetes manifest tree
terrascan scan -i k8s -d ./manifests

Options

FlagWhat it does
-i <type>IaC type: terraform, k8s, helm, kustomize, etc.
-t <provider>Cloud provider policy set: aws, gcp, azure, github
-d <dir>Directory to scan
-o <fmt>Output: human, json, yaml, sarif, junit-xml
--config-onlyEmit the normalized config without scanning
-p <path>Use policies from a custom path

In CI

terrascan needs no cloud credentials and works offline. SARIF output (-o sarif) uploads to GitHub code scanning the same way Checkov and TFLint do, behind continue-on-error plus security-events: write. Note on tfsec: tfsec is now part of Trivy, and Aqua recommends trivy config (or trivy fs) for Terraform misconfiguration scanning going forward, so new pipelines often choose Trivy, Checkov, or Terrascan rather than the standalone tfsec binary.

Common errors in CI

"None of the Iac files in the path were scanned" means -i/-t did not match the files, or the directory has no recognized IaC. "error while fetching policies" on first run means it could not download the default policy repo; pre-fetch with terrascan init or point -p at a local copy. A non-zero exit with listed violations is the intended gate result, not a crash.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →