terrascan: scanning terraform files vs terraform plan

[ismailyenigul]

Actually this is not a bug report it is a feature request.

Terrascan downloads remote source in terraform modules and evaluate the variables while checking terraform codes.
some other iac tools(regula,checkov) and OPA itself can scan terraform plan output in JSON.

Do you have any plan to support terraform plan output in JSON or do you think that scanning terraform plan provides better result?
From checkov documentation: https://github.com/bridgecrewio/checkov/blob/master/docs/2.Concepts/Evaluate%20Terraform%20Plan.md#evaluate-checkov-policies-on-terraform-plan

Evaluate Checkov policies on Terraform plan

Checkov supports the evaluation of policies on resources declared in .tf files. It can also be used to evaluate terraform plan expressed in a json file.
Plan evaluation provides Checkov additional dependencies and context that can result in a more complete scan result.
Since Terraform plan files may contain arguments (like secrets) that are injected dynamically, it is advised to run a plan evaluation using Checkov in a secure CI/CD pipeline setting.

[amirbenv]

Hi @ismailyenigul!
We do plan to support plan based scanning! Will follow up with timelines

[ismailyenigul]

Thanks @amirbenv
Happy to test it when it is implemented. Is there an estimated time frame for this feature?

[amirbenv]

Not yet, but should be in the next few weeks. It would be good to know how popular this feature is- If others are interested let us know by commenting on this thread!

[tx-kstav]

I would like to have this feature.

[justhys]

I would like to have this feature too.