
terrascan: scanning terraform files vs terraform plan #407

Closed
ismailyenigul opened this issue Nov 25, 2020 · 5 comments · Fixed by #562

Comments

@ismailyenigul

ismailyenigul commented Nov 25, 2020

Actually this is not a bug report; it is a feature request.

Terrascan downloads remote sources in Terraform modules and evaluates the variables while checking Terraform code.
Some other IaC tools (Regula, Checkov) and OPA itself can scan terraform plan output in JSON.

Do you have any plan to support terraform plan output in JSON or do you think that scanning terraform plan provides better result?
From checkov documentation: https://github.com/bridgecrewio/checkov/blob/master/docs/2.Concepts/Evaluate%20Terraform%20Plan.md#evaluate-checkov-policies-on-terraform-plan

Evaluate Checkov policies on Terraform plan

Checkov supports the evaluation of policies on resources declared in .tf files. It can also be used to evaluate terraform plan expressed in a json file.
Plan evaluation provides Checkov additional dependencies and context that can result in a more complete scan result.
Since Terraform plan files may contain arguments (like secrets) that are injected dynamically, it is advised to run a plan evaluation using Checkov in a secure CI/CD pipeline setting.
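To make the plan-versus-HCL distinction above concrete, here is an added example (not Terrascan, Checkov or the issue author's code) of a minimal policy scan over `terraform show -json` output. Assumptions: the plan layout follows Terraform's JSON plan format as I understand it (`planned_values.root_module` with `resources` and nested `child_modules`, each resource carrying `values` plus a boolean `sensitive_values` mirror); the sample plan, resource names and rule IDs are constructed for illustration. The bucket ACL in `module.website` is the kind of value a scan of `.tf` files alone would only see as `var.acl`, whereas the plan carries the resolved `"public-read"`. The `sensitive_values` mirror is used to redact the injected DB password before it lands in findings, which is the practical answer to the secrets caveat quoted from the Checkov docs.

```python
"""Toy policy evaluation over a Terraform plan rendered with `terraform show -json`.

Added example, not project code. Assumed plan layout: planned_values.root_module
-> resources / child_modules; each resource has `values` and a boolean
`sensitive_values` mirror. Sample plan and rule IDs are constructed.
"""
import json
from typing import Any, Callable, Iterator, List, Optional

# Constructed sample: what `terraform show -json tfplan` might emit for a root
# module plus one child module. module.website's bucket ACL comes from a
# variable in HCL; the plan already carries the resolved value "public-read".
SAMPLE_PLAN = json.dumps({
    "format_version": "1.1",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
                 "values": {"bucket": "app-logs", "acl": "private"},
                 "sensitive_values": {}},
                {"address": "aws_security_group.ssh", "type": "aws_security_group",
                 "values": {"name": "ssh", "ingress": [
                     {"from_port": 22, "to_port": 22, "protocol": "tcp",
                      "cidr_blocks": ["0.0.0.0/0"]}]},
                 "sensitive_values": {"ingress": [{"cidr_blocks": [False]}]}},
            ],
            "child_modules": [{
                "address": "module.website",
                "resources": [
                    {"address": "module.website.aws_s3_bucket.site",
                     "type": "aws_s3_bucket",
                     "values": {"bucket": "site", "acl": "public-read"},
                     "sensitive_values": {}},
                    {"address": "module.website.aws_db_instance.main",
                     "type": "aws_db_instance",
                     "values": {"engine": "postgres", "publicly_accessible": True,
                                "password": "injected-by-ci-do-not-log"},
                     "sensitive_values": {"password": True}},
                ],
            }],
        },
    },
})


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def redact(value: Any, sensitive: Any) -> Any:
    """Replace attributes flagged True in the sensitive_values mirror."""
    if sensitive is True:
        return "<redacted>"
    if isinstance(value, dict):
        sens = sensitive if isinstance(sensitive, dict) else {}
        return {k: redact(v, sens.get(k, False)) for k, v in value.items()}
    if isinstance(value, list):
        sens = sensitive if isinstance(sensitive, list) else []
        return [redact(v, sens[i] if i < len(sens) else False)
                for i, v in enumerate(value)]
    return value


def public_bucket(res: dict) -> Optional[str]:
    if res["type"] == "aws_s3_bucket" and \
            res["values"].get("acl") in ("public-read", "public-read-write"):
        return "S3_PUBLIC_ACL"
    return None


def open_ssh(res: dict) -> Optional[str]:
    if res["type"] != "aws_security_group":
        return None
    for rule in res["values"].get("ingress", []):
        all_traffic = rule.get("protocol") == "-1"
        covers_22 = rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0)
        if (all_traffic or covers_22) and "0.0.0.0/0" in rule.get("cidr_blocks", []):
            return "SG_SSH_WORLD_OPEN"
    return None


def public_db(res: dict) -> Optional[str]:
    if res["type"] == "aws_db_instance" and res["values"].get("publicly_accessible"):
        return "RDS_PUBLIC"
    return None


RULES: List[Callable[[dict], Optional[str]]] = [public_bucket, open_ssh, public_db]


def scan_plan(plan_json: str) -> List[dict]:
    """Run every rule over every planned resource; findings carry redacted values only."""
    plan = json.loads(plan_json)
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        for rule in RULES:
            rule_id = rule(res)
            if rule_id:
                findings.append({
                    "rule": rule_id,
                    "address": res["address"],
                    "values": redact(res["values"], res.get("sensitive_values", {})),
                })
    return sorted(findings, key=lambda f: f["address"])


if __name__ == "__main__":
    for finding in scan_plan(SAMPLE_PLAN):
        print(finding["rule"], finding["address"], finding["values"])
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and pass the file contents to `scan_plan`. The plan file itself still contains the unredacted secret, so treat it as sensitive in CI: keep it off artifact storage and only ship the redacted findings.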

@amirbenv
Contributor

amirbenv commented Jan 8, 2021

Hi @ismailyenigul!
We do plan to support plan-based scanning! Will follow up with timelines.

@ismailyenigul
Author

Thanks @amirbenv
Happy to test it when it is implemented. Is there an estimated time frame for this feature?

@amirbenv
Contributor

Not yet, but it should be in the next few weeks. It would be good to know how popular this feature is. If others are interested, let us know by commenting on this thread!

@tx-kstav

I would like to have this feature.

@justhys

justhys commented Feb 2, 2021

I would like to have this feature too.

4 participants