tenable · cesar-rodriguez · Apr 14, 2021 · Apr 14, 2021 · Apr 14, 2021
@@ -25,9 +25,11 @@ Your Terrascan instance has the following requirements for being able to scan K8
 
 ### Run Terrascan in Server Mode
 Run Terrascan docker image in your server using the following command:
- ```bash
+
+ ``` Bash
   sudo docker run -p 443:9443 -v <DATA_PATH>:/data -u root -e K8S_WEBHOOK_API_KEY=<API_KEY> accurics/terrascan server --cert-path /data/cert.pem --key-path /data/key.pem -c /data/config.toml
  ```
+
 `<API_KEY>` is a key used for authentication between your K8s environment and  the Terrascan server. Generate your preferred key and use it here.
 
 `<DATA_PATH>` is a directory path in your server where both the certificate and the private key .pem files are stored.
@@ -36,20 +38,21 @@ In addition, this directory is used to save the webhook logs. (An SQLite file)
 You can specify a config file that specifies which policies to use in the scan and which violations should lead to rejection. Policies below the [severity] level will be ignored. Policies below the [k8s-deny-rules] denied-severity will be logged and displayed by terrascan, but will not lead to a rejected admission response to the k8s API server.
 
 A config file example: ```config.toml```
-  ```bash
-[severity]
-level = "medium"
-[rules]
-    skip-rules = [
-        "accurics.kubernetes.IAM.107"
-    ]
 
-[k8s-deny-rules]
-  denied-categories = [
-      "Network Ports Security"
-  ]
-  denied-severity = "high"
-  ```
+``` Bash
+  [severity]
+  level = "medium"
+  [rules]
+      skip-rules = [
+          "accurics.kubernetes.IAM.107"
+      ]
+
+  [k8s-deny-rules]
+    denied-categories = [
+        "Network Ports Security"
+    ]
+    denied-severity = "high"
+```
 
 You can specify the following configurations:
 *  **scan-rules** - one or more rules to scan
@@ -66,39 +69,41 @@ You can specify the following configurations:
 Configure a new ```ValidatingWebhookConfiguration``` in your Kubernetes environment and specify your Terrascan server endpoint.
 
 Example:
-   ```bash
-    cat <<EOF | kubectl apply -f -
-    apiVersion: admissionregistration.k8s.io/v1
-    kind: ValidatingWebhookConfiguration
-    metadata:
-      name: my.validation.example.check
-    webhooks:
-      - name: my.validation.example.check
-        rules:
-          - apiGroups:
-              - ""
-            apiVersions:
-              - v1
-            operations:
-              - CREATE
-              - UPDATE
-            resources:
-              - pods
-              - services
-        failurePolicy: Fail
-        clientConfig:
-          url: https://<SERVER_ADDRESS>/v1/k8s/webhooks/<API_KEY>/scan
-        sideEffects: None
-        admissionReviewVersions: ["v1"]
-    EOF
-  ```
+
+``` Bash
+  cat <<EOF | kubectl apply -f -
+  apiVersion: admissionregistration.k8s.io/v1
+  kind: ValidatingWebhookConfiguration
+  metadata:
+    name: my.validation.example.check
+  webhooks:
+    - name: my.validation.example.check
+      rules:
+        - apiGroups:
+            - ""
+          apiVersions:
+            - v1
+          operations:
+            - CREATE
+            - UPDATE
+          resources:
+            - pods
+            - services
+      failurePolicy: Fail
+      clientConfig:
+        url: https://<SERVER_ADDRESS>/v1/k8s/webhooks/<API_KEY>/scan
+      sideEffects: None
+      admissionReviewVersions: ["v1"]
+  EOF
+```
 
 * You can modify the `rules` that trigger the webhook according to your preferences.
 * Update the ```clientConfig``` URL with your terrascan server address and the API key you generated before.
 
 
 ### Test your settings
 Try to run a new pod / service. For example:
+
 ``` Bash
   kubectl run mynginx --image=nginx
 ```

@@ -11,8 +11,9 @@ In either scenario, the configuration of Atlantis is a diverse topic which will
 Through this method, you will modify or create a custom workflow for atlantis so your repositories will be scanned by terrascan as part of the pull request automation.
 
 **Requirements**
+
 * The atlantis server must have TCP connectivity to where the terrascan server is running.
-* The `curl` command needs to be installed on the system so the `terrascan-remote-scan.sh` script can make the scan request. Atlantis's [docker image](https://hub.docker.com/r/runatlantis/atlantis/) has curl preinstalled. 
+* The `curl` command needs to be installed on the system so the `terrascan-remote-scan.sh` script can make the scan request. Atlantis's [docker image](https://hub.docker.com/r/runatlantis/atlantis/) has curl preinstalled.
 
 ### Workflow
 Next, you will need to modify your workflow to call `terrascan-remote-scan.sh` during the plan stage. In the plan below, the first three `run: terraform` commands are the default for an atlantis workflow; the fourth `run terrascan-remote-scan.sh` is where the terrascan scan is requested. The `terrascan-remote-scan.sh` script can be found under the `scripts` directory in this project; you will need to copy it to a location where it can be executed by the atlantis server. If the `terrascan-remote-scan.sh` script is not in the directory where the atlantis server command is being run to, you will have to specify the path to the script.
@@ -51,7 +52,7 @@ Descriptions of these settings are as follows:
 * `IAC`, `IAC_VERSION`, and `CLOUD_PROVIDER` are terrascan options. Descriptions and valid values can be found by running `terrascan scan -h`.
 
 ### Running atlantis
-Run atlantis with your terrascan-workflow.yaml as a [server-side repo configuration](https://www.runatlantis.io/docs/server-side-repo-config.html). This can depend on how you choose to [deploy atlantis](https://www.runatlantis.io/docs/deployment.html#deployment-2). 
+Run atlantis with your terrascan-workflow.yaml as a [server-side repo configuration](https://www.runatlantis.io/docs/server-side-repo-config.html). This can depend on how you choose to [deploy atlantis](https://www.runatlantis.io/docs/deployment.html#deployment-2).
 If running the atlantis binary directly, note the following command:
 
 ```bash
@@ -75,4 +76,4 @@ Once the systems are running, when atlantis is called via pull request, or a com
 
 ## Custom Atlantis Contaier
 (coming soon...)
-  
+