[Sandbox] Terrascan

[rai-praveen]

Application contact email(s)

prai@tenable.com, tlikhar@tenable.com, nbajaj@tenable.com, bhollowed@tenable.com, vchhabria@tenable.com, cajah@tenable.com

Trademark and accounts

• If the project is accepted, I agree to donate all project trademarks and accounts to the CNCF

Contributing or sponsoring entity contact email(s)

N/A

Project summary

Terrascan is a static code analyzer for Infrastructure as Code(IaC).

Project description

Terrascan is an open source static code analyzer that helps secure modern infrastructure by detecting compliance and security violations across Infrastructure as Code (IaC). It enables DevOps teams to identify misconfigurations and policy violations before infrastructure is provisioned, reducing risk and accelerating secure cloud-native deployments.

Terrascan supports a wide range of IaC providers including Terraform, Kubernetes YAML, Helm, Kustomize, and AWS CloudFormation. It uses a powerful policy-as-code engine built on Open Policy Agent (OPA), offering hundreds of out-of-the-box security and compliance policies while allowing teams to define and enforce custom rules tailored to their organization’s requirements.

By integrating seamlessly into CI/CD pipelines, GitOps workflows, and developer tools, Terrascan enables organizations to adopt a shift-left security approach—catching issues early in the development lifecycle. This improves security posture, ensures regulatory compliance, and enhances the reliability of cloud-native infrastructure.

Org repo URL (provide if all repos under the org are in scope of the application)

N/A

Project repo URL in scope of application

https://github.com/tenable/terrascan

Additional repos in scope of the application

No response

Website URL

https://runterrascan.io/

Roadmap

N/A

Roadmap context

N/A

Contributing guide

https://github.com/tenable/terrascan/blob/master/CONTRIBUTING.md

Code of Conduct (CoC)

https://github.com/tenable/terrascan/blob/master/code_of_conduct.md

Adopters

No response

Maintainers file

https://github.com/orgs/tenable/teams/terrascan-maintainers?query=role%3Amaintainer

Security policy file

https://github.com/tenable/terrascan?tab=security-ov-file

IP policy

• If the project is accepted, I agree the project will follow the CNCF IP Policy

Will the project require a license exception?

N/A

Standard or specification?

N/A

Why CNCF?

We believe CNCF is the best home for Terrascan because it ensures open governance, accelerates community adoption, and aligns with our shared mission to secure cloud-native infrastructure. Being part of CNCF will help Terrascan mature, integrate deeply with other CNCF projects, and stay vendor-neutral, ultimately benefiting both the project and the broader ecosystem.

Benefit to the landscape

Terrascan enhances the CNCF landscape by providing a robust, open source static analysis tool designed to detect security misconfigurations and compliance violations in Infrastructure as Code (IaC). It supports widely used IaC frameworks like Terraform, Kubernetes, Helm, and more. By integrating security checks early into the development lifecycle, Terrascan helps teams shift security left, reduce risk, and improve the overall security posture of cloud-native deployments, aligning well with CNCF’s goals of fostering secure, scalable, cloud-native ecosystems.

Cloud native 'fit'

Terrascan sits at the intersection of cloud native security, DevSecOps, and policy enforcement, ensuring that infrastructure is secure and compliant before it is deployed into cloud native environments. It helps teams achieve secure, automated, declarative, and resilient infrastructure — key tenets of the cloud native paradigm.

Cloud native 'integration'

Terrascan itself is intentionally lightweight and doesn’t have runtime dependencies on other CNCF projects — it’s designed to run locally, in CI/CD, or inside build systems. However:

• It leverages OPA/Rego under the hood for policy evaluation. While it embeds OPA, its approach is aligned with and dependent on the open policy ecosystem OPA defines.
• It integrates with Kubernetes tools (like kubectl, Helm, and YAML manifests) as input sources. So while it does not strictly depend on these projects at runtime, it is deeply aligned with them.

Cloud native overlap

Terrascan’s primary overlap is with CNCF projects like OPA/Gatekeeper and Kyverno, which also enforce policies on Kubernetes resources. However, Terrascan addresses these concerns earlier in the SDLC by scanning IaC files across multiple formats (Kubernetes, Terraform, Helm, CloudFormation) in CI/CD pipelines, complementing runtime and admission-based tools. It also overlaps conceptually with Kubernetes-focused security scanners (like Kubescape), but differentiates through multi-IaC coverage and a developer-first shift-left approach.

Similar projects

N/A

Landscape

N/A

Business Product or Service to Project separation

This project is unrelated to any product or service.

Project "Domain Technical Review"

No response

CNCF contacts

No response

Additional information

No response

[dims]

@rai-praveen looks like the first release was way back in 2017 and the last one was in Sep 2024. Can you give us any insights into adoption? impediments to adoption? general health? community building efforts over this long time? (and why now to CNCF?)

[angellk]

@nik

[nicholasjackson]

/assign @nicholasjackson

[bschaatsbergen]

/assign @nicholasjackson, @bschaatsbergen

[rai-praveen]

@rai-praveen looks like the first release was way back in 2017 and the last one was in Sep 2024. Can you give us any insights into adoption? impediments to adoption? general health? community building efforts over this long time? (and why now to CNCF?)

Hi @dims, my sincere apologies for the delayed response. Terrascan was first conceptualized in 2017 and later became part of Accurics in 2020. The tool was integrated into Accurics’ IaC and Cloud Security modules, serving many customers. In 2021, Accurics was acquired by Tenable, and Terrascan continued to be used actively until Tenable’s acquisition of a new CNAPP cloud security company. At that point, Accurics’ Cloud Security platform was marked End-of-Life in September 2024, which is why there have been no further releases since then.

Terrascan saw meaningful adoption especially between 2020 and 2022. During that time, it was integrated into Accurics’ IaC and Cloud Security modules, serving a number of enterprise customers. Its OPA integration and large set of built-in policies made it appealing for developers and security teams looking to embed IaC checks into CI/CD workflows. Adoption continued even after the acquisition, though focus shifted once Tenable moved toward its broader CNAPP strategy.

With the EOL of Accurics’s Cloud Security platform in September 2024, we’ve seen adoption plateau, with community use now concentrated on open-source practitioners rather than enterprise expansions.

[bschaatsbergen]

Thank you to the maintainers for submitting Terrascan for consideration as a CNCF Sandbox project. We recognize the value Terrascan has brought to the community in making IaC security scanning more accessible, and we appreciate the work that has gone into developing it.

After reviewing the project against the sandbox entry criteria, we identified several concerns that prevent us from recommending acceptance at this time:

• Repository activity has declined significantly. In the past 12 months, only 6 commits were merged (5 of which were maintenance-related).
• The last closed issue was on March 6, 2024. Current open issues show low maintainer engagement, with some community contributions and questions going unanswered.
• The most recent GitHub release was on September 18, 2024. However, fixes for known security vulnerabilities have not yet been released, raising concerns about security hygiene and release processes.
• Policies have not been updated or added in over 2 years, which could limit the continued relevance of the project for IaC practitioners.
• The lack of engagement on community issues and contributions suggests challenges in sustainability and governance maturity.
• Documentation provides installation and usage instructions, but some areas (e.g., changelog, policy instrumentation examples) are outdated.
• We were unable to find an active Discord community link; existing invite links appear broken, which may further hinder community support and collaboration.
• There is limited evidence of active roadmap planning, community-driven scope discussions, or contributor/maintainer growth.

From our initial review the project does not appear to meet CNCF Sandbox criteria, particularly around active maintenance, community growth, security practices, and roadmap clarity. These factors are hugely important when it comes to the success of an application.

To support Terrascan's growth, the maintainers might explore:

• Define and publish a clear roadmap and contribution process.
• Improve release cadence, especially for security-related fixes.
• Re-engage with community issues, PRs, and contributions to build sustainability.
• Refresh and expand policies and documentation.
• Restore and maintain community channels (e.g., Discord) to encourage participation.

[jeremyrickard]

Hello @rai-praveen,

Thank you for submitting this sandbox application. We appreciate the time you have spent responding above and for the effort put into the project. The TOC discussed this issue during a sandbox review today and we agree with the assessment from @bschaatsbergen.

At this time, we are not going to move Terrascan forward for a sandbox vote. We would like to see a clear roadmap, along with increased contributions and continued releases for the project before we reconsider Terrascan for sandbox.

[angellk]

Please come back in 6-12 months after showing community growth! Moving to the 'Postponed' queue.