Terrascan is an open-source static code analyzer for building secure Infrastructure as Code (IaC). The project was launched last year by Accurics, an immutable-security company. It ships with policy templates that catch common cloud security pitfalls, is built to be extended to other technologies, and uses the Open Policy Agent (OPA) so users can write custom policies in OPA's Rego language.

“The rapid adoption of Infrastructure as Code is clearly meeting its intended goal: to help organizations achieve more reliability by programmatically embedding policy checks earlier in the development lifecycle,” Cesar Rodriguez, head of developer advocacy at Accurics, said last year at the time of the project’s release. “This is vital in an environment where the scale and velocity of cloud breaches is constantly increasing, and organizations are required to implement policy guardrails to ensure that cloud native infrastructure is securely defined and managed. Terrascan is already playing a key role in this process within many organizations, and the newest iteration takes these important capabilities much further.”

Terrascan is designed to detect missing or misconfigured encryption, security groups left open to the internet, inadvertent exposure of cloud services, and insufficient logging. Version 1.5 of the project, released last month, added a new execution mode in which Terrascan runs as a Kubernetes admission controller, so the same policies can also block non-compliant resources when they reach the cluster at runtime, not only when the code is scanned.
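To make the "custom OPA policies" and "security groups left open" points concrete, here is an added example of what a user-written Terrascan policy looks like. It is not Terrascan's own code or a policy from the Accurics project; it assumes Terrascan's documented custom-policy convention (a `.rego` file whose rule name is filled in from Go-template placeholders, a sidecar `.json` metadata file, resources exposed under `input.<terraform_resource_type>`, and each resource's attributes under `.config`). The policy name, description and reference ID below are made up for the example.

```rego
package accurics

# Added example policy, not part of Terrascan's bundled policy set.
# Flags any aws_security_group whose ingress rule admits SSH (TCP/22)
# from the whole internet (0.0.0.0/0).
#
# Terrascan expects a sidecar metadata file next to this .rego file,
# e.g. sgOpenSshToWorld.json (field values here are assumptions):
# {
#   "name": "sgOpenSshToWorld",
#   "file": "sgOpenSshToWorld.rego",
#   "policy_type": "aws",
#   "resource_type": "aws_security_group",
#   "template_args": { "prefix": "", "suffix": "", "name": "sgOpenSshToWorld" },
#   "severity": "HIGH",
#   "description": "Security group allows SSH (port 22) from 0.0.0.0/0",
#   "reference_id": "CUSTOM.AWS.SecurityGroup.1",
#   "category": "NETWORK_SECURITY",
#   "version": 1
# }

# The rule name is rendered from the metadata's template_args before
# the policy is evaluated; the rule yields the set of offending resource IDs.
{{.prefix}}{{.name}}{{.suffix}}[sg.id] {
    # iterate every security group found in the scanned IaC
    sg := input.aws_security_group[_]

    # each repeated `ingress` block is one element of the list
    rule := sg.config.ingress[_]

    # open to the world ...
    rule.cidr_blocks[_] == "0.0.0.0/0"

    # ... and the port range covers 22 (catches 22-22 as well as 0-65535)
    rule.from_port <= 22
    rule.to_port >= 22
}
```

Dropped into a policy directory such as `policies/aws/aws_security_group/`, the policy is picked up with `terrascan scan -i terraform -t aws -p ./policies` (the flag names are Terrascan's `--iac-type`, `--policy-type` and `--policy-path` options). Because the same policy bundle is what the admission-controller mode evaluates, a security group that fails this check in the repository scan would also be rejected when a matching resource is submitted to the cluster.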

At this week’s KubeCon + CloudNativeCon Europe, Accurics announced that Terrascan now integrates with the Argo Project, an open-source GitOps engine for Kubernetes. Combined with Terrascan’s new admission controller feature, the project can enforce Open Policy Agent policies across the life cycle: by scanning repositories for violations and automatically applying the same policies at the cluster, users can ensure the full pipeline is secure and that what is deployed matches what was reviewed, according to the company.

“Optimal security in cloud native infrastructure requires constant innovation at different levels of the architecture, with seamless integration, revitalized support, and ongoing deployments,” said Om Moolchandani, co-founder, CTO & CISO at Accurics. “As the Kubernetes ecosystem expands and developers adopt GitOps with Infrastructure as Code and Deployment as Code, they need security tools that fit into these automated, codified workflows where experts cannot review every finding.”