terrascan scan: Policy Scan IaC for Violations
terrascan scan evaluates infrastructure as code against built-in OPA/Rego policies and reports security violations.
Terrascan is another static IaC scanner, policy-driven via OPA/Rego, covering Terraform, Kubernetes, Helm, and Dockerfiles. It overlaps with Checkov and tfsec, and teams often pick one as the gate.
What it does
terrascan scan parses IaC in the current directory, runs the bundled Rego policies for the detected or selected type, and prints violations with a rule ID, severity, and file location. It exits non-zero when violations are found (configurable), so it gates a pipeline like the other scanners.
Common usage
# scan the current directory (auto-detect)
terrascan scan
# Terraform on AWS, SARIF output
terrascan scan -i terraform -t aws -o sarif > terrascan.sarif
# scan a Kubernetes manifest tree
terrascan scan -i k8s -d ./manifestsOptions
| Flag | What it does |
|---|---|
| -i <type> | IaC type: terraform, k8s, helm, kustomize, etc. |
| -t <provider> | Cloud provider policy set: aws, gcp, azure, github |
| -d <dir> | Directory to scan |
| -o <fmt> | Output: human, json, yaml, sarif, junit-xml |
| --config-only | Emit the normalized config without scanning |
| -p <path> | Use policies from a custom path |
In CI
terrascan needs no cloud credentials and works offline. SARIF output (-o sarif) uploads to GitHub code scanning the same way Checkov and TFLint do, behind continue-on-error plus security-events: write. Note on tfsec: tfsec is now part of Trivy, and Aqua recommends trivy config (or trivy fs) for Terraform misconfiguration scanning going forward, so new pipelines often choose Trivy, Checkov, or Terrascan rather than the standalone tfsec binary.
Common errors in CI
"None of the Iac files in the path were scanned" means -i/-t did not match the files, or the directory has no recognized IaC. "error while fetching policies" on first run means it could not download the default policy repo; pre-fetch with terrascan init or point -p at a local copy. A non-zero exit with listed violations is the intended gate result, not a crash.