v1.6.0 (2021-05-10)
Implemented enhancements:
- Atlantis Integration #686
- Enhancement: support for all iac scan for cli #673
- Feature request: scan sub-folders too #411
Fixed bugs:
- Admission Controller Doesn't display feedback for kubectl "create" and "apply" #731
Closed issues:
- GKE Control Plane is exposed to few public IP addresses #743
- Error with finding Enable AWS CloudWatch Logs for APIs #730
- Task: Add to github actions ability to build/push terrascan_atlantis image #728
- accurics.azure.NS.161 does not work with tfplan #725
- terrascan "latest" docker image broken for tfplan #718
- Local expansion recursive infinite loop #690
Merged pull requests:
- Feature/aws new policies sp #751 (shreyas-phansalkar-189)
- Argocd doc volume field modification #742 (Rchanger)
- Update mkdocs.yml #741 (amirbenv)
- fix failing test #740 (patilpankaj212)
- AWS policy pack update #737 (harkirat22)
- Adding release checklist #734 (jlk)
- Gh action terrscan_atlantis release #733 (dev-gaur)
- adds agrocd integration dockerfile, scripts, doc and examples #732 (Rchanger)
- Fix NSG associations #727 (xortim)
- changes for argocd integration #724 (patilpankaj212)
- Update admission-controller-webhooks-usage.md #722 (amirbenv)
- fix - #718 #720 (patilpankaj212)
- doc: add homebrew badge #714 (chenrui333)
- update version #713 (chenrui333)
- adds skipped tests for server file scan when file is k8s yaml #706 (Rchanger)
- fixes infinte loop while local variable resolution #700 (patilpankaj212)
- add terrascan atlantis container files, scripts and doc. #684 (dev-gaur)
- adds support to scan directory with all iac providers in cli mode #674 (patilpankaj212)
- adds support to scan sub folders for terraform iac provider #640 (patilpankaj212)
v1.5.0 (2021-04-23)
Fixed bugs:
- Recursive loop expanding variables in included module #675
- Terrascan doesn't resolve terraform complex variables #656
- Panic while resolving floating point variable #652
- Terrascan using absolute path for "source" value of resource #642
- Failed to initialize terrascan. error : failed to install policies #614
- Terrascan not able to read modules within a subdirectory #600
- Terrascan init command doesn't work with -c flag #550
Closed issues:
- Not able to scan repo when google terraform module defined #681
- The link referencing the documentation to integrate Terrascan into CI/CD is broken #669
- Make saving of "admission request" configurable via an option in the config file for the validating admission webhook #664
- Add API_KEY to the /logs endpoint for the validating admission webhook #662
- Panic: not a string #647
- unit tests and e2e tests failing on windows #639
- Add support for private terraform repos #631
- policy not evaluating #629
- Terrascan does not support to download modules via SSH #621
- terrascan scan fails if path and rego_subdir are not provided together in the toml configfile #619
- Getting error while running scan on our terraform repo #607
- Terrascan not found policy id #601
Policies Violated
andViolated Policies
are confusing. #598- Invalid categories not being validated from config file #594
- Terrascan API server's file scan doesn't work for k8s yaml files #584
- Add
/go/bin
to the PATH variable in Docker image #577 - terrascan scan command doesn't work with TERRASCAN_CONFIG env variable #570
- Format junit-xml need to have passed test results, not only failed test #563
- optimize policy download process in
terrascan init
#535
Merged pull requests:
- Release v1.5.0 #689 (kanchwala-yusuf)
- Adds support to configure dashboard mode in k8s validating webhook #683 (patilpankaj212)
- Updating documentation for k8s admission control #679 (kanchwala-yusuf)
- Fix recursive variable reference resolution #677 (patilpankaj212)
- Update mkdocs-material to 7.1.2 #676 (pyup-bot)
- Fixes broken link in README #671 (cesar-rodriguez)
- Docs- fix argo image path.md #667 (amirbenv)
- Makes saving of admission requests configurable via a config file option #665 (kanchwala-yusuf)
- Add authentication with API key for the /logs endpoint #663 (kanchwala-yusuf)
- Fixes docs format #661 (cesar-rodriguez)
- Update mkdocs.yml #660 (amirbenv)
- Support for authenticated tf module download #658 (jlk)
- Fix - terraform complex variables are not getting resolved #657 (patilpankaj212)
- Reorganized and Updated docs #655 (amirbenv)
- Fix- panic when terraform list variable doesn't have a type #654 (patilpankaj212)
- Fix panic for floating point variables #653 (patilpankaj212)
- Adding support to scan IAC from atlantis workflow #648 (jlk)
- Fix - k8s resources config data has absolute source paths for resources #644 (patilpankaj212)
- Fix - terrascan not able to read modules within a subdirectory #641 (patilpankaj212)
- Add /go/bin to PATH. #637 (seancallaway)
- Update mkdocs-material to 7.1.0 #636 (pyup-bot)
- Fix windows tests #635 (patilpankaj212)
- Fix kustomize scan breakage on windows #630 (dev-gaur)
- Update route53LoggingDisabled.rego to ignore private zones #626 (matt-slalom)
- Adding openssh for downloading modules via ssh #625 (sachinar)
- Fix - init behavior change #624 (patilpankaj212)
- Add support for validating admission webhook in terrascan #620 (kanchwala-yusuf)
- Policy download refactor #618 (dev-gaur)
- Update mkdocs-material to 7.0.6 #615 (pyup-bot)
- Log error in LoadIacDir before continuing #613 (jlk)
- K8S Risk Category Changes #608 (Avanti19)
- GCP Risk Category Changes #606 (shreyas-phansalkar-189)
- Category flag e2e tests #605 (gaurav-gogia)
- Azure Risk Category Changes #604 (gaurav-gogia)
- AWS Risk Category Changes #603 (harkirat22)
- Bugfix/revert policies #602 (kanchwala-yusuf)
- Server mode: take file extension from uploaded file #593 (jlk)
- filepath fixes in e2e tests #591 (patilpankaj212)
- Update mkdocs-material to 7.0.5 #590 (pyup-bot)
- update helm default chart name and namespace values #589 (williepaul)
- v1.4.0 doc updates #588 (cesar-rodriguez)
- Terrascan K8s New categories and ruleRef ID changes #583 (Avanti19)
- GCP Category Changes #582 (shreyas-phansalkar-189)
- AWS new Categories #581 (harkirat22)
- New Policies for Azure & Category Updates. #580 (gaurav-gogia)
- Terrascan init and config handling refactor #576 (dev-gaur)
- Feature: add options to specify desired categories of violations to be reported #547 (gaurav-gogia)
v1.4.0 (2021-03-05)
Implemented enhancements:
- Scanning terraform plan files #407
- Adds support for junit xml output #527
- Adds e2e test scenarios for help and scan command #564
- Adds e2e tests for api server #585
- Please checkout our new Github Action!
Fixed bugs:
- Fixed a few bugs in the init command and downloading of fresh policies, including #561
- Difference in violated policies for the same terraform file #519
- false positive for AWS.Instance.NetworkSecurity.Medium.0506 #404
- accurics.gcp.IAM.122 needs to take into account the new name for Uniform bucket-level access flag #329
- fix the 'repo already exist' bug and improve error logging for terrascan init #552 (dev-gaur)
Closed issues:
- terrascan API server's file scan always returns the resource config #578
- Issue on Azure DevOps Agents since 1.3.2 : failed to initialize terrascan #561
- Could not get terrascan init to work - would not download policy documents #551
Merged pull requests:
- release 1.4.0 #586 (kanchwala-yusuf)
- adds e2e tests for api server #585 (patilpankaj212)
- adds support to use 'config_only' attribute in api server's file scan #579 (patilpankaj212)
- adds support to display passed rules #572 (patilpankaj212)
- Update mkdocs-material to 7.0.1 #567 (pyup-bot)
- fix filepaths and home directory lookup #566 (dev-gaur)
- adds e2e test scenarios for help and scan command #564 (patilpankaj212)
- Adds support for scanning tfplan json file #562 (kanchwala-yusuf)
- fix: renamed the json file to remove spaces #560 (harkirat22)
- fix: Changed the description message to handle the violation correctly #559 (harkirat22)
- bump versions to v1.3.3 #558 (dev-gaur)
- updated go module files #557 (dev-gaur)
- Initial changes for e2e testing framework #553 (patilpankaj212)
- Add code of conduct #545 (jlk)
- Fixes incorrect description of RDS encryption policy #542 (alex-petrov-vt)
- changes in log level and messages for load iac functions #541 (patilpankaj212)
- Update mkdocs-material to 6.2.8 #539 (pyup-bot)
- Updates docs for v1.3.2 #537 (cesar-rodriguez)
- update readme for v1.3.2 #534 (dev-gaur)
- fix - improved description for init command in help #532 (nathannaveen)
- Adds support for junit xml output #527 (patilpankaj212)
- enhancement: scan terraform registry modules as remote type #513 (patilpankaj212)
- support for terraform registry remote modules #505 (patilpankaj212)
- feature: add options to specify desired severity level of violations to be reported #501 (dev-gaur)
- Bump github.com/spf13/cobra from 1.0.0 to 1.1.1 #493 (dependabot[bot])
v1.3.2 (2021-02-03)
Fixed bugs:
- terrascan init should download new policies #521
Closed issues:
- How to get rid of "Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. This is only recommended if absolutely necessary." #405
- False Positive for accurics.azure.NS.161 when Security Groups Association and Subnets are defined indepently from VNet #391
- Calico is not supported as a valid Network Security for azurerm_kubernetes_cluster #376
Merged pull requests:
- Update readme for v1.3.2 #534 (dev-gaur)
- bump terrascan version to v1.3.2 #533 (dev-gaur)
- refactor init command for robust policy download checks #531 (dev-gaur)
- terrascan init will download new policies. #529 (dev-gaur)
- bugfix: Checks for security group association defined independently from vnet #526 (harkirat22)
- Update mkdocs-material to 6.2.7 #524 (pyup-bot)
- Fixed typos in docs #523 (gauravgahlot)
- Enhancement: new set of policies for AWS EC2 instance. #522 (harkirat22)
- Harkirat22/bug fix #520 (harkirat22)
- fixes #376 #518 (gaurav-gogia)
- fixes #405 #517 (gaurav-gogia)
- Policy/aws launch config #516 (harkirat22)
- add support for pod container #515 (harkirat22)
- Update mkdocs-material to 6.2.6 #514 (pyup-bot)
- Update README.md and changelog for 1.3.1 #509 (amirbenv)
v1.3.1 (2021-01-22)
Implemented enhancements:
- Support for remote modules
- Tag container image with release version #504
Fixed bugs:
- Build error on ARM MacOS
- terrascan consider source = "terraform-aws-modules/vpc/aws" as local path #418
- Failed to read module directory #332
Closed issues:
- Custom Variable Validation no longer experiemental in 0.13 #500
Merged pull requests:
- release v1.3.1 #508 (kanchwala-yusuf)
- fix dependencies that were breaking the darwin/arm64 build #507 (williepaul)
- support for terraform registry remote modules #505 (patilpankaj212)
- Readme rule supression #503 (amirbenv)
- Bump github.com/hashicorp/go-retryablehttp from 0.6.6 to 0.6.8 #496 (dependabot[bot])
- Bump github.com/hashicorp/go-getter from 1.5.1 to 1.5.2 #495 (dependabot[bot])
v1.3.0 (2021-01-19)
Implemented enhancements:
- Prints output in human friendly format #168
- Support for rule suppression using terraform comments,kubernetes annotations, cli arguments, and config file.
- New Policies for Kubernetes #480
- Tag released Docker images #398
- Add policy for checking insecure_ssl configuration for github_repository_webhook in GitHub provider #355
- Introduced support for terraform .14 and .13. Note: This will introduce some breaking changes for terraform v.12 files, even if using --iac-version v.12 flag. Notably we will no longer support multiple providers blocks, and certain references inside provisioner blocks (objects other than self, count or each, where when = destroy) . For more details see: https://github.com/hashicorp/terraform/releases/tag/v0.13.0
Fixed bugs:
- terrascan doesn't allow registering multiple versions for an iac-type #471
- Debug resource lock #432
- terrascan panic: not a string #412
- False positive for aws rule vpcFlowLogsNotEnabled #408
- accurics.GCP.EKM.132 and accurics.GCP.EKM.131 wrong violation using disk_encryption_key #382
- s3EnforceUserACL - False Positive #359
- How to fix accurics.azure.EKM.20 #331
- Why accurics.gcp.IAM.104 suggests enabling a client certificate? #330
Closed issues:
- terraform can't detect violations in terraform modules #468
- uniformBucketEnabled.rego referencing deprecated config #453
- Unable to run terrascan scan #446
- Terrascan doesn't exit with error on CLI or Parsing errors. #442
- Terrascan Failure When Using Terraform 13 + Variable Validation #426
- Update policy example in documentation to use latest GitHub implementation #422
- Fix link to repo playground in policies documentation #421
- terrascan scan crashes with runtime: goroutine stack exceeds 1000000000-byte limit #406
- Typo error in the terrascan Architecture page #403
- accurics.gcp.OPS.114 should also check for cos_containerd image #395
- accurics.gcp.NS.112 suggest basic auth is enabled when is not #394
- Test coverage missing for kustomize iac-provider #379
- Why is vpcFlowLogsNotEnabled determined to be a violation? #352
Merged pull requests:
- update version to v1.3.0 #502 (kanchwala-yusuf)
- Add v13 flag option for terraform iac #499 (dev-gaur)
- Fix: potential bug added in PR #470 #497 (dev-gaur)
- Bump sigs.k8s.io/kustomize/api from 0.7.1 to 0.7.2 #494 (dependabot[bot])
- Bump github.com/mattn/go-isatty from 0.0.8 to 0.0.12 #492 (dependabot[bot])
- solves issue #382, and improved policy to relate disk with the instance #490 (harkirat22)
- solves issue #331 #489 (harkirat22)
- Update mkdocs-material to 6.2.5 #488 (pyup-bot)
- Bump go.uber.org/zap from 1.13.0 to 1.16.0 #486 (dependabot[bot])
- Bump github.com/spf13/afero from 1.3.4 to 1.5.1 #485 (dependabot[bot])
- Bump github.com/iancoleman/strcase from 0.1.1 to 0.1.3 #484 (dependabot[bot])
- Bump github.com/hashicorp/go-version from 1.2.0 to 1.2.1 #482 (dependabot[bot])
- Bump github.com/pelletier/go-toml from 1.8.0 to 1.8.1 #481 (dependabot[bot])
- Policy update 2021 01 14 #480 (williepaul)
- fix panic for list variables #479 (patilpankaj212)
- adding an else condition to relate management lock with resource group #476 (harkirat22)
- adding an else condition to relate the flow log with vpc #475 (harkirat22)
- including a check for verifying in-line policy is included #474 (harkirat22)
- adding rule to check if waf is enabled at cloud front distribution #473 (harkirat22)
- Added terraform v14 support besides v12. #470 (dev-gaur)
- support comment with rule skipping for resource and scan summary modifications #466 (patilpankaj212)
- recognize metadata.generateName #465 (acc-jon)
- Update mkdocs-material to 6.2.4 #464 (pyup-bot)
- Update README.md #463 (amirbenv)
- Deprecated gcs bucket #462 (jdyke)
- changed the description to include the vulnerable versions #460 (harkirat22)
- Fix exit code on error #458 (patilpankaj212)
- policy for CVE-2020-8555 #457 (harkirat22)
- Update README.md #456 (amirbenv)
- rule skipping for resources in k8s #455 (patilpankaj212)
- terrascan argo-cd instructions #454 (storebot)
- Adds CI/CD integration docs #452 (cesar-rodriguez)
- Bump github.com/zclconf/go-cty from 1.2.1 to 1.7.1 #449 (dependabot[bot])
- Bump sigs.k8s.io/kustomize/api from 0.6.5 to 0.7.1 #448 (dependabot[bot])
- Bump github.com/gorilla/mux from 1.7.4 to 1.8.0 #447 (dependabot[bot])
- Update mkdocs-material to 6.2.3 #445 (pyup-bot)
- deps: add dependabot support #444 (chenrui333)
- bump go to 1.15 #443 (chenrui333)
- implement scan and skip rules #441 (patilpankaj212)
- scan command refactor #436 (patilpankaj212)
- Fixes dead link to old getting started page #435 (cesar-rodriguez)
- Add support to extract rules to skip from terraform comments #434 (kanchwala-yusuf)
- bash output improvements #431 (patilpankaj212)
- APE-1319: Revamped Getting Started Section #430 (acc-jon)
- Add policy AC-K8-NS-SE-M-0188 for CVE-2020-8554 #428 (gauravgogia-accurics)
- set console mode on windows so colors render #427 (acc-jon)
- Update mkdocs-material to 6.1.7 #425 (pyup-bot)
- Update policy example in the documentation #424 (HorizonNet)
- Fix link to rego playground in policies documentation #423 (HorizonNet)
- hopefully remove test failures due to non-deterministic comparisons #420 (acc-jon)
- IMDSv1 policy: update category, description #419 (acc-jon)
- IMDSv1 check policy #417 (harkirat22)
- Add Docker image release tagging on release #410 (HorizonNet)
- Fix typo in architecture documentation #409 (HorizonNet)
- accurics.gcp.IAM.104 Fire rule when client certificate is enabled #402 (lucas-giaco)
- Update mkdocs-material to 6.1.6 #401 (pyup-bot)
- Added Unit test coverage for Kustomize V3 Iac-provider #399 (dev-gaur)
- Fixes GCP cos node image policy #397 (cesar-rodriguez)
- #394: recognize that empty values for username and password in master… #396 (acc-jon)
- Fix infinite loop on variable resolution #393 (dinedal)
- Remove demo badge #389 (kklin)
- Update mkdocs-material to 6.1.5 #387 (pyup-bot)
v1.2.0 (2020-11-16)
Implemented enhancements:
- Add support for Helm #353
- Add 'git' to container image, or run container as 'root' user by default #349
- Add policy for checking insecure_ssl configuration for github_organization_webhook in GitHub provider #339
- Rule for github_repository seems to be wrongly placed under gcp #325
Fixed bugs:
- Fail to validate when there are multiple properties with the same name in a resource #1
Closed issues:
- Deep modules location mis-proccessed. #365
- 20MB binary file included in repo now #364
- Private GitHub repositories are not recognized with version 3.0.0+ of GitHub provider #326
- Terrascan -var-file=../another dir #144
- Error in test_aws_security_group_inline_rule_open and test_aws_security_group_rule_open #138
- Intial setup after installation #136
- Add support for data sources #3
- Support from modules #2
Merged pull requests:
- Bring Go to 1.15 in Github Actions #384 (gliptak)
- Bring Go to 1.15 in Github Actions #383 (gliptak)
- fix a bug when rendering subcharts #381 (williepaul)
- Added kustomize support #378 (dev-gaur)
- Adds support for Helm v3 #377 (williepaul)
- Update mkdocs-material to 6.1.4 #374 (pyup-bot)
- properly handle nested submodules (#365) #373 (acc-jon)
- Address #365 by properly handling submodule path #372 (acc-jon)
- Update mkdocs-material to 6.1.3 #371 (pyup-bot)
- Update mkdocs-material to 6.1.2 #370 (pyup-bot)
- Allow use of multiple policy types (scan -t x,y or scan -t x -t y) #368 (acc-jon)
- Remove large binary that was included in the repo #366 (cesar-rodriguez)
- fix send request method, previously hardcoded #361 (kanchwala-yusuf)
- Add git binary to terrascan docker image, required by downloader #360 (kanchwala-yusuf)
- Adds new policies/regos for AWS serverless services #357 (cesar-rodriguez)
- Update mkdocs-material to 6.1.0 #356 (pyup-bot)
- Allow configuration of global policy config, fix some typos #354 (acc-jon)
- Feature/support resolve variable references #351 (kanchwala-yusuf)
- Add new policy for checking insecure_ssl on github_organization_webhook #350 (HorizonNet)
- Update mkdocs-material to 6.0.2 #348 (pyup-bot)
- Add support for colorized output #347 (acc-jon)
- Update mkdocs-material to 6.0.1 #346 (pyup-bot)
- Adds support for remote Terraform modules and scanning remotely for other IaC tools #345 (kanchwala-yusuf)
- fix supported providers unit test, sort the wanted result #344 (kanchwala-yusuf)
- Fix typo on AWS IAM account password policy rego name #343 (kmonticolo)
- Update mkdocs-material to 5.5.14 #340 (pyup-bot)
- Adds docs section for GitHub policies #337 (cesar-rodriguez)
- Automatically populate usage with supported IaC providers, versions, and policies #336 (kanchwala-yusuf)
- Add line about kubernetes YAML/JSON support #335 (williepaul)
- Add policy set for GitHub provider #334 (HorizonNet)
- Add check for visibility for github_repository #333 (HorizonNet)
- Add instructions for booting terrascan demo #319 (kklin)
v1.1.0 (2020-09-16)
Implemented enhancements:
- Initial kubernetes support #313 (williepaul)
- Adds different exit code when issues are found #299 (cesar-rodriguez)
- Adding terrascan to Homebrew #293
Fixed bugs:
- Oudated Docker image #294
- Error with XML output #290
- Fixed checkIpForward rule (gcp) #323 (williepaul)
Closed issues:
- Terrascan wrongly reports a accurics.gcp.NS.130 (checkIpForward) violation #320
- Allow structure output (Json) #252
- Throwing Errors when parsing nested brackets in HCL #233
- Be able to generate xml/html reports #119
Merged pull requests:
- Revert "fixed a bug in checkIpForward" #322 (cesar-rodriguez)
- Fixed a bug in checkIpForward #321 (williepaul)
- Move server command out of ENTRYPOINT and into CMD #318 (williepaul)
- Send logs to stderr instead of stdout #317 (williepaul)
- Fix template rendering bug #316 (williepaul)
- chore(docs): add homebrew installation #315 (chenrui333)
- Update badges in readme #314 (acc-jon)
- Update mkdocs-diagrams to 1.0.0 #312 (pyup-bot)
- Add support to print resource config as an output #309 (kanchwala-yusuf)
- Manage relative module path #308 (guilhem)
- Update mkdocs-material to 5.5.12 #307 (pyup-bot)
- chore(docs): fix indent of tar extraction #306 (zmarouf)
- Fixes issue template and rego capitalization #301 (cesar-rodriguez)
- Update mkdocs-material to 5.5.8 #300 (pyup-bot)
- Update about.md #298 (Upa-acc)
- Updated policies to the latest set #297 (williepaul)
- Fixes docker latest tag #296 (cesar-rodriguez)
- Typo fixes #295 (erichs)
- Update mkdocs-material to 5.5.7 #292 (pyup-bot)
- Fix xml output #291 (kanchwala-yusuf)
Major updates to Terrascan and the underlying architecture including:
- Pluggable architecture written in Golang. We updated the architecture to be easier to extend Terrascan with additional IaC languages and support policies for different cloud providers and cloud native tooling.
- Server mode. This allows Terrascan to be executed as a server and use it's API to perform static code analysis
- Notifications hooks. Will be able to integrate for notifications to external systems (e.g. email, slack, etc.)
- Uses OPA policy engine and policies written in Rego.
- Introduces the '-f' flag for passing a list of ".tf" files for linting and the '--version' flag.
- Adds Docker image and pipeline to push to DockerHub
- Bugfix: The pyhcl hard dependency in the requirements.txt file caused issues if a higher version was installed. This was fixed by using the ">=" operator.
- Adds support for terraform 0.12+
- Adds ability to setup terrascan as a pre-commit hook
- Updates dependent packages to latest versions
- Migrates CI to GitHub Actions from travis
- First release on PyPI.
* This Changelog was automatically generated by github_changelog_generator