nctl scan terraform

Scan Command

Scan Terraform resources by validating them against custom policies.

nctl scan terraform -r <tfplan.json> -p <path to policies>

To scan a Terraform file using nctl, convert the Terraform file to its JSON equivalent using the following steps:

  1. Initialize Terraform:
terraform init
  1. Create Binary Terraform Plan:
 terraform plan -out tfplan.binary
  1. Convert Binary to JSON Payload:
terraform show -json tfplan.binary | jq > tfplan.json

Following the above steps, use the produced tfplan.json file to scan it against policies:

nctl scan terraform -r <tfplan.json> -p <path to policies>

Scan Options

Flag Shorthand Description
--file <string> mention the file name to store scan result
--help -h help for json command
--output <string> -o choose the output format of scan result. Available options are: json, text,yaml and sarif with the default option being text
--policies <strings> -p specify path to policy files (local path, github URL, helm URL) to scan against custom policies
--policy-sets <string> scan against different policy sets in one command, use this flag to provide a comma-separated list of policy sets to scan the resources(pss-baseline, pss-restricted, rbac-best-practices)
--resources <strings> -r path to resource files (local path, github URL). scan specific resource files instead of all resources in a cluster, use this flag to point to a local path or gitHub URL containing the resource files
--values-file <string> use this flag followed by the file path to extract values of policy variables