Create a Terrascan Scan Configuration

Note: You can only create a Terrascan scan configuration in Tenable Nessus Expert. If you do not have Tenable Nessus Expert, you need to run the Terrascan executable from the command line interface (CLI) to gather scan results.

Tenable Nessus Expert allows you to create a Terrascan scan configuration, similar to other scan configurations in Nessus. However, you manage Terrascan scan configurations separately, under the Terrascan tab.

Before you begin:

To create a new scan configuration with Terrascan:

  1. Under Resources in the left-side navigation pane, click Terrascan.

    The Scans page appears.

  2. In the upper-right corner, click the New Scan button.

    The New Terrascan Configuration page appears.

  3. Set up the new scan configuration:

    Setting: Description

    Configuration Name: The name of the Terrascan scan configuration.

    Logging

    Command Output Format: Determines the output logging format (separate from the actual scan results). You can choose json or console.

    Log Level: Determines the output verbosity level:

    • info

    • debug

    • warn

    • error

    • panic

    • fatal

    Verbose Violations: Determines whether the scan logs violations with details.

    Scanning

    IAC Type: Determines the Infrastructure as Code (IAC) type:

    • all

    • arm

    • cft

    • docker

    • helm

    • k8s

    • kustomize

    • terraform

    • tfplan

    Minimum Severity: Determines the minimum violation severity that Terrascan reports. You can choose low, medium, or high.

    Non-recursive: Determines whether the scan recurses into subdirectories of the repository.

    Output Format: Determines the scan result output format:

    • human

    • json

    • yaml

    • xml

    • junit-xml

    • sarif

    • github-sarif

    Output Passed Rules: Determines whether the scan results show passed rules.

    Policy Type: The policy type or types to include in the scan:

    • all

    • aws

    • azure

    • docker

    • gcp

    • github

    • k8s

    Remote Type: Determines the remote repository type:

    • git

    • s3

    • gcs

    • http

    • terraform-registry

    Note: You need to make Git available on the Nessus host to select the Git type.

    Remote URL: The URL of the remote IAC registry.

    Remote URL Branch: The branch of the remote IAC registry.

  4. Click Save.

    Tenable Nessus Expert saves the new scan configuration, and you can now select it from the Terrascan > Scans page.
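
For hosts without Tenable Nessus Expert, where Terrascan runs from the CLI, the following added example (not Tenable's code) maps each setting in the table to its `terrascan scan` flag, rejects values outside the lists above, and prints the resulting command without running it. The environment variable names are hypothetical, and expressing the branch as a `?ref=` URL parameter is an assumption.

```shell
# Added example: map the settings in the table to `terrascan scan` flags.
# The command is printed, not run. Environment variable names are hypothetical.

one_of() {  # succeed if $1 equals one of the remaining arguments
    needle=$1; shift
    for candidate in "$@"; do
        if [ "$candidate" = "$needle" ]; then return 0; fi
    done
    return 1
}
fail() { echo "invalid $1: '$2'" >&2; return 2; }

build_terrascan_cmd() (  # subshell body keeps the variables local
    log_type=${LOG_TYPE:-console}; log_level=${LOG_LEVEL:-info}
    output=${OUTPUT_FORMAT:-human}; iac=${IAC_TYPE:-all}
    one_of "$log_type" console json || fail "Command Output Format" "$log_type" || exit 2
    one_of "$log_level" info debug warn error panic fatal || fail "Log Level" "$log_level" || exit 2
    one_of "$output" human json yaml xml junit-xml sarif github-sarif || fail "Output Format" "$output" || exit 2
    one_of "$iac" all arm cft docker helm k8s kustomize terraform tfplan || fail "IAC Type" "$iac" || exit 2
    rest=${POLICY_TYPE:-all},   # Policy Type may be a comma-separated list
    while [ -n "$rest" ]; do
        one_of "${rest%%,*}" all aws azure docker gcp github k8s || fail "Policy Type" "${rest%%,*}" || exit 2
        rest=${rest#*,}
    done
    cmd="terrascan scan -x $log_type -l $log_level -o $output -t ${POLICY_TYPE:-all}"
    if [ "$iac" != all ]; then cmd="$cmd -i $iac"; fi   # no -i: scan every IaC type
    if [ -n "${MIN_SEVERITY:-}" ]; then
        one_of "$MIN_SEVERITY" low medium high || fail "Minimum Severity" "$MIN_SEVERITY" || exit 2
        cmd="$cmd --severity $MIN_SEVERITY"
    fi
    if [ "${VERBOSE:-}" = yes ]; then cmd="$cmd -v"; fi
    if [ "${NON_RECURSIVE:-}" = yes ]; then cmd="$cmd --non-recursive"; fi
    if [ "${SHOW_PASSED:-}" = yes ]; then cmd="$cmd --show-passed"; fi
    if [ -n "${REMOTE_TYPE:-}" ]; then
        one_of "$REMOTE_TYPE" git s3 gcs http terraform-registry || fail "Remote Type" "$REMOTE_TYPE" || exit 2
        case ${REMOTE_URL:-} in   # allow-list of URL characters; rejects quotes, spaces, ; | $
            ''|*[!A-Za-z0-9._~:/@%+=-]*) fail "Remote URL" "${REMOTE_URL:-}" || exit 2 ;;
        esac
        url=$REMOTE_URL
        # Assumption: the branch is expressed as a go-getter "?ref=" parameter.
        if [ "$REMOTE_TYPE" = git ] && [ -n "${REMOTE_BRANCH:-}" ]; then
            case $REMOTE_BRANCH in *[!A-Za-z0-9._/-]*) fail "Remote URL Branch" "$REMOTE_BRANCH" || exit 2 ;; esac
            url="$url?ref=$REMOTE_BRANCH"
        fi
        cmd="$cmd -r $REMOTE_TYPE -u '$url'"
    fi
    printf '%s\n' "$cmd"
)
build_terrascan_cmd   # prints the command for the current environment
```
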

What to do next:

  • Launch a Terrascan scan.

  • Download a Terrascan scan's results.

  • Manage the Terrascan scan's histories and results.

  • Edit a Terrascan scan configuration.

  • Delete a Terrascan scan configuration.