terraform
nctl scan terraform
Scan Command
Scan Terraform resources by validating them against custom policies.
nctl scan terraform -r <tfplan.json> -p <path to policies>
To scan a Terraform file using nctl, convert the Terraform file to its JSON equivalent using the following steps:
- Initialize Terraform:
terraform init
- Create Binary Terraform Plan:
terraform plan -out tfplan.binary
- Convert Binary to JSON Payload:
terraform show -json tfplan.binary | jq > tfplan.json
Following the above steps, use the produced tfplan.json file to scan it against policies:
nctl scan terraform -r <tfplan.json> -p <path to policies>
Scan Options
| Flag | Shorthand | Description |
|---|---|---|
--file <string> |
mention the file name to store scan result | |
--audit-as-warn |
Report violations from policies as warnings instead of failures | |
--help |
-h |
help for json command |
--insecure |
allow connection to an address with a self-signed or non-verifiable certificate (not recommended) | |
--output <string> |
-o |
choose the output format of scan result. Available options are: json, text,yaml and sarif with the default option being text |
--policies <strings> |
-p |
specify path to policy files (local path, github URL, helm URL) to scan against custom policies |
--publish |
Publish reports (default true) | |
--publish-token <string> |
scan reports publish token | |
--report-sourceid <string> |
Source ID used when publishing a report | |
--resources <strings> |
-r |
path to resource files (local path, github URL). scan specific resource files instead of all resources in a cluster, use this flag to point to a local path or gitHub URL containing the resource files |
--scan-report <string> |
-u |
Output scan report file (in JSON format) |
--token <string> |
Nirmata API Login Key (env NIRMATA_TOKEN) | |
--url <string> |
Nirmata server base URL (env NIRMATA_URL) |