Merge branch 'master' into helm_chart

README.md

@@ -8,49 +8,84 @@
 [![community](https://img.shields.io/discourse/status?server=https%3A%2F%2Fcommunity.accurics.com)](https://community.accurics.com)
 [![Documentation Status](https://readthedocs.com/projects/accurics-terrascan/badge/?version=latest)](https://docs.accurics.com/projects/accurics-terrascan/en/latest/?badge=latest)
 [![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-v2.0%20adopted-ff69b4.svg)](code_of_conduct.md)
-[![Homebrew](https://img.shields.io/badge/dynamic/json.svg?url=https://formulae.brew.sh/api/formula/terrascan.json&query=$.versions.stable&label=homebrew)](https://formulae.brew.sh/formula/terrascan)
 
-Terrascan detects security vulnerabilities and compliance violations across your Infrastructure as Code. Mitigate risks before provisioning cloud native infrastructure. Run locally or integrate with your CI\CD.
+## Introduction
 
+Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allow you to:
 
-* Documentation: https://docs.accurics.com/projects/accurics-terrascan
+- seamlessly scan infrastructure as code for misconfigurations
+- monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and enables reverting to a secure posture.
+- Detect security vulnerabilities and compliance violations.
+- Mitigate risks before provisioning cloud native infrastructure.
+- Offers flexibility to run locally or integrate with your CI\CD.
+
+### Resources
+
+* To learn more about Terrascan's features and capabilities, see the documentation portal: https://docs.accurics.com/projects/accurics-terrascan
 * Discuss: https://community.accurics.com
 
-## Features
+## Key features
 * 500+ Policies for security best practices
 * Scanning of Terraform (HCL2)
 * Scanning of Kubernetes (JSON/YAML), Helm v3, and Kustomize v3
 * Support for AWS, Azure, GCP, Kubernetes and GitHub
 
-
 ## Quick Start
+
+1. [Install](#install)
+2. [Scan](#scan)
+3. [Integrate](#integrate)
+
 ### Step 1: Install
-Terrascan's supports multiple ways to install, including [brew](https://github.com/accurics/terrascan#install-via-brew).
-Here, we will download the terrascan binary directly from the [releases](https://github.com/accurics/terrascan/releases) page. Make sure to select the right binary for your machine. Here's an example of how to install it:
+Terrascan's supports multiple ways to install and is also available as a Docker image.
+See Terrascan's [releases](https://github.com/accurics/terrascan/releases) page for latest version of builds in all supported platforms. Select the correct binary for your platform.
+
+#### Install as a native executable
 
 ```sh
 $ curl -L "$(curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E "https://.+?_Darwin_x86_64.tar.gz")" > terrascan.tar.gz
 $ tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz
 $ install terrascan /usr/local/bin && rm terrascan
 $ terrascan
 ```
-### Step 2: Run
+
+#### Install via `brew`
+
+[Homebrew](https://brew.sh/) users can install by:
+
+```sh
+$ brew install terrascan
+```
+
+#### Docker image
+
+Terrascan is also available as a Docker image and can be used as follows
+
+```sh
+$ docker run accurics/terrascan
+```
+Refer to [documentation](https://docs.accurics.com/projects/accurics-terrascan/en/latest/getting-started/) for information.
+
+### Step 2: Scan
 To scan your code for security issues you can run the following (defaults to scanning Terraform).
 
 ```sh
 $ terrascan scan
 ```
-Terrascan will exit 3 if any issues are found.
+**Note**: Terrascan will exit with an error code 3 if any issues are found during a scan.
+
+### Step 3: Integrate with CI\CD
+
+Terrascan can be integrated into CI/CD pipelines to enforce security best practices.
+Please refer to our [documentation to integrate with your pipeline](https://docs.accurics.com/projects/accurics-terrascan/en/latest/integrations/cicd/).
 
-The following commands are available:
+## Terrascan Commands
+You can use terrascan command with the following options:
 
 ```sh
 $ terrascan
 Terrascan
 
-Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
-For more information, please visit https://docs.accurics.com
-
 Usage:
   terrascan [command]
 
@@ -71,51 +106,47 @@ Flags:
 Use "terrascan [command] --help" for more information about a command.
 ```
 
-### Step 3: Integrate with CI\CD
-Please refer to our [documentation to integrate with your pipeline](https://docs.accurics.com/projects/accurics-terrascan/en/latest/integrations/cicd/).
+## Policies
+Terrascan policies are written using the [Rego policy language](https://www.openpolicyagent.org/docs/latest/policy-language/). Every rego includes a JSON "rule" file which defines metadata for the policy.
+By default, Terrascan downloads policies from Terrascan repositories while scanning for the first time. However if you want to download the latest policies, you need to run the Initialization process. See [Usage](./usage.md) for information about the Initialization process.
 
+Note: The scan command will implicitly run the initialization process there are no policies found.
 
-## Rule Suppression
-If a resource should not be tested against a particular rule, you can tell terrascan to skip it.
+## Customizing scans
 
-### Terraform
-In Terraform scripts, you can tell terrascan to skip rules by inserting a comment with the phrase "ts:skip=RULENAME SKIP_REASON". The comment should be inside the resource.
+By default, Terrascan scans your entire configuration against all policies. However you can configure what you want to scan in the following ways:
 
-![tf](https://user-images.githubusercontent.com/74685902/105115888-847b8a00-5a7e-11eb-983e-7f49f7c36ae1.png)
-
-### Kubernetes
-In Kubernetes yamls, you can tell terrascan to skip rules by adding an annotation as seen in the snippet below.
+- [Exclude a particular policy for a specific resource.](#How_to_exclude_a_policy_while_scanning_a_resource)
+- [Manually configure policies to be suppressed or applied globally from a scan across all resources or, for just a particular resource.](#_How_to_include_or_exclude_specific_policies_or_resources_from_being_scanned)
 
-![k8s](https://user-images.githubusercontent.com/74685902/105115885-834a5d00-5a7e-11eb-9190-e8b64d77c5ac.png)
+### How to exclude a policy while scanning a resource
 
-### Broad Rule Suppression
-Use our config file to manually pick which rules should be applied or suppressed from the entire scan. This is suitable for edge use cases. Please use in-file suppression to specify resources that shouldn't be tested against particular rules. This ensures that the rules are skipped only for particular resources, rather than all of the resources.
+You can configure Terrascan to skip a particular policy (rule) while scanning a resource. Follow these steps depending on your platform:
 
-![config](https://user-images.githubusercontent.com/74685902/105115887-83e2f380-5a7e-11eb-82b8-a1d18c83a405.png)
+#### Terraform
+Use Terraform scripts to configure Terrascan to skip rules by inserting a comment with the phrase `"ts:skip=<RULENAME><SKIP_REASON>"`. The comment should be included inside the resource as shown in the example below.
 
-### Sample Output
-![Screenshot 2021-01-19 at 10 52 47 PM](https://user-images.githubusercontent.com/74685902/105115731-32d2ff80-5a7e-11eb-93b0-2f0620eb1295.png)
+![tf](https://user-images.githubusercontent.com/74685902/105115888-847b8a00-5a7e-11eb-983e-7f49f7c36ae1.png)
 
-## Other Installation Options
+#### Kubernetes
+In Kubernetes yamls, you can configure Terrascan to skip policies by adding an annotation as seen in the snippet below.
 
+![k8s](https://user-images.githubusercontent.com/74685902/117906943-b9f4ef00-b28a-11eb-8224-37af18275ba1.png)
 
-### Install via `brew`
+### How to include or exclude specific policies or resources from being scanned
 
-[Homebrew](https://brew.sh/) users can install by:
+Use the Terrascan config file to manually select the policies which should be included or excluded from the entire scan. This is suitable for edge use cases.
+Use the "in-file" suppression option to specify resources that should be excluded from being tested against selected policies. This ensures that the policies are skipped only for particular resources, rather than all of the resources.
 
-```sh
-$ brew install terrascan
-```
+![config](https://user-images.githubusercontent.com/74685902/105115887-83e2f380-5a7e-11eb-82b8-a1d18c83a405.png)
 
-### Docker
-Terrascan is also available as a Docker image and can be used as follows
+### Sample scan output
 
-```sh
-$ docker run accurics/terrascan
-```
+Terrascan's default output is a list of violations present in the scanned IaC. A sample output:
 
+![Screenshot 2021-01-19 at 10 52 47 PM](https://user-images.githubusercontent.com/74685902/105115731-32d2ff80-5a7e-11eb-93b0-2f0620eb1295.png)
 
-### Building Terrascan
+## Building Terrascan
 Terrascan can be built locally. This is helpful if you want to be on the latest version or when developing Terrascan.
 
 ```sh
@@ -136,7 +167,6 @@ RUN git clone https://github.com/accurics/terrascan && cd terrascan \
 
 ```
 
-
 ## Developing Terrascan
 To learn more about developing and contributing to Terrascan refer to the [contributing guide](CONTRIBUTING.md).
 

build/Dockerfile

@@ -32,7 +32,7 @@ RUN mkdir -p /home/terrascan/.ssh /home/terrascan/bin && \
     chown -R terrascan:terrascan /home/terrascan
 
 # run as non root user
-USER terrascan
+USER 101
 
 ENV PATH /go/bin:$PATH