terratest VS terrascan

Terratest is a Go library that provides tools and patterns for testing infrastructure, with first-class support for Terraform, Packer, Docker, Kubernetes, and more. It's used to write automated tests for your infrastructure code.

I think I found it. This is the one right? https://github.com/gruntwork-io/terratest/

What it does in parallel is basically init/plan/show using terratest on every subdirectory on your repository tree or provided paths. The output is either a JSON summary or a custom made Junit XML test file you can ingest into your tests reader. It took it around 8 minutes to map the entirety of our bloated repository.

You could deploy to a separate account (usually dev first), you can use terratest, you could try something like LocalStack. I dare say there’s other methods.

Was wondering if anyone has tried https://github.com/gruntwork-io/terratest to test their infrastructure. I like it because I can write golang tests! Thats a big plus for me.

Once there is a CI pipeline for delivering infra changes you can add static code analysis tools (checkov) and even start testing changes (terratest)

https://github.com/gruntwork-io/terratest/blob/master/test/azure/terraform_azure_example_test.go https://github.com/gruntwork-io/terratest/blob/master/examples/terraform-backend-example/main.tf

Another plus is to add tests into your workflow, just by adding a run step with terratest

Terratest: Framework de testes para Terraform, os testes devem ser escritos em Golang.

2. Terrascan: https://github.com/tenable/terrascan Terrascan detects security vulnerabilities and compliance violations across your IaC. Supports multiple cloud providers, ensuring that your infrastructure complies with security best practices.

Terrascan Owner/Maintainer: Tenable (acquired in 2022) Age: First release on GitHub on November 28th, 2017 License: Apache License 2.0

‍Terrascan is a static code analysis tool that scans your Infrastructure-as-Code (IaC) for security vulnerabilities and compliance violations. It supports multiple platforms like (AWS, Azure, GCP, K8s, Atlantis, etc), including Terraform. Terrascan allows you to enforce security best practices, compliance policies, and governance across your IaC deployments.

Terrascan could also be useful : https://github.com/tenable/terrascan

Terrascan - Scan for Infrastructure-as-Code vulnerabilities

(https://runterrascan.io/) They seem to like it, don't have a ton of my own experience though.

Nessus Expert - newer offering. Nessus Pro + terrascan + basic external attack surface mapping. Doesn’t scan from the internet, but shows you all your public domains, DNS, etc so you can pick what you want to scan/ fix

It is always a good practice to scan your Kubernetes deployment or Helm chart before deploying. We can use Checkov to scans Kubernetes manifests and identifies security and configuration issues. It also supports Helm chart scanning. We can also use terrascan and kubeLinter to scan the Kubernetes manifest.