
TF Static Scan

Static security scanner for Terraform using REGO policies to detect Azure storage misconfigurations.


🎯 What This Does

Scans Terraform plan JSON files to detect security misconfigurations before deployment.


🚀 Quick Start

Prerequisites

Local Testing (macOS/Linux):

# Install OPA
brew install opa

CI/CD Pipeline (Linux):

# Download OPA binary
curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64
chmod +x opa

Azure DevOps / Cloud Shell:

# Download OPA
wget https://openpolicyagent.org/downloads/latest/opa_linux_amd64 -O opa
chmod +x opa

Basic Usage

# 1. Generate Terraform plan JSON
terraform init -backend=false
terraform plan -out=tfplan.binary
terraform show -json tfplan.binary > tfplan.json

# 2. Run scan
opa eval \
  --data policies/azure-storage-misconfigurations.rego \
  --input tfplan.json \
  --format pretty \
  'data.azure.storage.deny'

# 3. Get summary
opa eval \
  --data policies/azure-storage-misconfigurations.rego \
  --input tfplan.json \
  --format pretty \
  'data.azure.storage.violation_summary'
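The policy file itself is not reproduced on this page. As an added example (not the repository's Rego code), here is the same kind of check written in Python against the plan JSON that `terraform show -json` produces, so the `resource_changes[].change.after` structure an OPA policy receives as `input` is visible. The attribute names follow the azurerm provider (`allow_nested_items_to_be_public`, `enable_https_traffic_only`, `min_tls_version`, `network_rules[].default_action`); which of these the repository's own policy checks is an assumption, and the embedded plan is constructed for the demo.

```python
"""Plan-JSON checker for Azure storage accounts (added example, not the repo's policy).

Walks `resource_changes` the way an OPA policy walks `input.resource_changes`,
and returns deny messages plus a summary. Checked attributes are assumptions
based on the azurerm provider; the repo's Rego policy may check others.
"""
import json
import sys

STORAGE_ACCOUNT = "azurerm_storage_account"
WEAK_TLS = {"TLS1_0", "TLS1_1"}


def storage_accounts(plan):
    """Yield (address, after) for storage accounts being created or updated.

    Deletes and no-ops have no post-apply config worth checking. Values not
    known until apply appear as null in `after` (and true in `after_unknown`),
    so they are simply not flagged here.
    """
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != STORAGE_ACCOUNT:
            continue
        change = rc.get("change", {})
        if not {"create", "update"} & set(change.get("actions", [])):
            continue
        yield rc.get("address", "<unknown>"), change.get("after") or {}


def check_account(address, after):
    """Return one message per misconfiguration found on a single account."""
    msgs = []
    if after.get("allow_nested_items_to_be_public") is True:
        msgs.append(f"{address}: public access to blobs/containers is allowed")
    if after.get("enable_https_traffic_only") is False:
        msgs.append(f"{address}: HTTPS-only traffic is disabled")
    if after.get("min_tls_version") in WEAK_TLS:
        msgs.append(f"{address}: minimum TLS version {after['min_tls_version']} is below TLS1_2")
    # network_rules is a list of blocks in plan JSON, not a single object.
    for rule in after.get("network_rules") or []:
        if rule.get("default_action") == "Allow":
            msgs.append(f"{address}: network_rules default_action is Allow (open to all networks)")
    return msgs


def deny(plan):
    """Equivalent of a Rego `deny` set: all messages across all accounts."""
    out = []
    for address, after in storage_accounts(plan):
        out.extend(check_account(address, after))
    return out


def violation_summary(plan):
    """Equivalent of a `violation_summary` rule: counts per resource and overall."""
    msgs = deny(plan)
    by_resource = {}
    for m in msgs:
        addr = m.split(":", 1)[0]
        by_resource[addr] = by_resource.get(addr, 0) + 1
    return {"total": len(msgs), "by_resource": by_resource, "pass": not msgs}


# Constructed plan JSON fragment: one insecure account, one hardened account,
# one account being deleted, and an unrelated resource.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "azurerm_storage_account.logs", "type": STORAGE_ACCOUNT,
         "change": {"actions": ["create"], "after": {
             "name": "stlogsdemo", "allow_nested_items_to_be_public": True,
             "enable_https_traffic_only": False, "min_tls_version": "TLS1_0",
             "network_rules": [{"default_action": "Allow", "bypass": ["AzureServices"]}]}}},
        {"address": "azurerm_storage_account.data", "type": STORAGE_ACCOUNT,
         "change": {"actions": ["create"], "after": {
             "name": "stdatademo", "allow_nested_items_to_be_public": False,
             "enable_https_traffic_only": True, "min_tls_version": "TLS1_2",
             "network_rules": [{"default_action": "Deny", "bypass": ["AzureServices"]}]}}},
        {"address": "azurerm_storage_account.old", "type": STORAGE_ACCOUNT,
         "change": {"actions": ["delete"], "after": None}},
        {"address": "azurerm_resource_group.rg", "type": "azurerm_resource_group",
         "change": {"actions": ["create"], "after": {"name": "rg-demo", "location": "westeurope"}}},
    ],
}


if __name__ == "__main__":
    # Usage: python check_plan.py tfplan.json  (falls back to the sample plan)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    for msg in deny(plan):
        print("DENY", msg)
    summary = violation_summary(plan)
    print(json.dumps(summary, indent=2))
    sys.exit(0 if summary["pass"] else 1)
```

Running it without arguments prints four DENY lines for `azurerm_storage_account.logs` and exits 1; the deleted account and the resource group are skipped because only `create`/`update` changes carry a post-apply configuration.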

📦 What's Included

  • Policies - REGO policies for Azure Storage security checks
  • Examples - Sample Terraform configurations for testing
  • Tests - Demo scripts and test cases

🔧 CI/CD Integration

GitHub Actions

- name: Terraform Plan
  run: |
    terraform plan -out=tfplan.binary
    terraform show -json tfplan.binary > tfplan.json

- name: Security Scan
  run: |
    curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64
    chmod +x opa
    # --fail-defined makes the step fail when the deny set is non-empty;
    # without it opa eval exits 0 and the pipeline continues past violations
    ./opa eval \
      --data policies/azure-storage-misconfigurations.rego \
      --input tfplan.json \
      --format pretty \
      --fail-defined \
      'data.azure.storage.deny'

Azure DevOps Pipeline

- task: Bash@3
  displayName: 'Terraform Plan'
  inputs:
    targetType: 'inline'
    script: |
      terraform plan -out=tfplan.binary
      terraform show -json tfplan.binary > tfplan.json

- task: Bash@3
  displayName: 'Security Scan'
  inputs:
    targetType: 'inline'
    script: |
      wget https://openpolicyagent.org/downloads/latest/opa_linux_amd64 -O opa
      chmod +x opa
      # --fail-defined makes the task fail when the deny set is non-empty;
      # without it opa eval exits 0 and the pipeline continues past violations
      ./opa eval \
        --data $(System.DefaultWorkingDirectory)/policies/azure-storage-misconfigurations.rego \
        --input tfplan.json \
        --format pretty \
        --fail-defined \
        'data.azure.storage.deny'

📚 Learn More
