
// the find

tenable/terrascan

★ 5,209 · Go · Apache-2.0 · updated Nov 2025

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

Terrascan is a static analyzer for IaC files — Terraform, CloudFormation, ARM, Kubernetes manifests, Helm charts, and Dockerfiles — that checks them against 500+ Rego-based security policies before you provision anything. It was backed by Tenable and had real enterprise adoption. The repo is now archived and dead.

Policies are written in Rego, which means you can write your own without forking the tool. The coverage across IaC formats is genuinely broad: most tools pick one or two, while this one handles all the major ones, including Kustomize. The server mode and webhook integration made it viable as a Kubernetes admission controller, not just a CI step. Exit codes are well-designed for pipeline use, with separate codes for errors, for violations, and for both.

Archived as of late 2024 — Tenable pulled the plug and no community fork has taken over with any momentum, so you're adopting a dead codebase. The policy download model fetches Rego rules from a remote repository at scan time, which is a dependency on external infrastructure that no longer has an active maintainer. For Terraform specifically, HCL2 parsing at static analysis time will miss anything that depends on runtime values or on modules with dynamic sources, so a clean scan can give a false sense of coverage. KICS (by Checkmarx) and Checkov (by Bridgecrew/Prisma) are the living alternatives doing the same job.

