Terrafirma is a Terraform static analysis tool designed for detecting security misconfigurations. Inspired by projects such as bandit and SecurityMonkey, it is designed for use in a continuous integration/deployment environment.
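To show the kind of check Terrafirma runs in a CI pipeline, here is an added example that is not Terrafirma's own code: it walks a `terraform plan` that has been converted to JSON and flags security groups whose ingress rules expose admin ports to the whole internet. The plan is constructed sample data in the flattened `attribute.N.subattribute` key layout that tfjson emits (an assumption about the format, not taken from this page), and `world_open_ingress` is a hypothetical check name.

```python
import ipaddress
import json
from typing import List, Tuple

# Constructed sample in the flattened key/value shape tfjson produces for a
# plan (assumed layout; illustrative data, not output of a real run).
SAMPLE_PLAN = json.dumps({
    "destroy": False,
    "aws_security_group.web": {
        "destroy": False,
        "ingress.#": "2",
        "ingress.0.from_port": "443", "ingress.0.to_port": "443",
        "ingress.0.cidr_blocks.#": "1", "ingress.0.cidr_blocks.0": "0.0.0.0/0",
        "ingress.1.from_port": "22", "ingress.1.to_port": "22",
        "ingress.1.cidr_blocks.#": "1", "ingress.1.cidr_blocks.0": "0.0.0.0/0",
    },
    "aws_security_group.db": {
        "destroy": False,
        "ingress.#": "1",
        "ingress.0.from_port": "5432", "ingress.0.to_port": "5432",
        "ingress.0.cidr_blocks.#": "1", "ingress.0.cidr_blocks.0": "10.0.0.0/8",
    },
})


def world_open_ingress(plan_json: str, ports: Tuple[int, ...] = (22, 3389)) -> List[str]:
    """Return one finding per ingress rule that opens any of `ports` to
    0.0.0.0/0 or ::/0. Resources scheduled for destruction are ignored."""
    plan = json.loads(plan_json)
    findings = []
    for addr, attrs in plan.items():
        # Skip the top-level "destroy" flag, non-security-group resources,
        # and resources the plan is about to remove.
        if not addr.startswith("aws_security_group.") or attrs.get("destroy"):
            continue
        for i in range(int(attrs.get("ingress.#", "0"))):
            lo = int(attrs[f"ingress.{i}.from_port"])
            hi = int(attrs[f"ingress.{i}.to_port"])
            if (lo, hi) == (0, 0):
                lo, hi = 0, 65535  # "all ports" rule (protocol -1)
            for j in range(int(attrs.get(f"ingress.{i}.cidr_blocks.#", "0"))):
                net = ipaddress.ip_network(attrs[f"ingress.{i}.cidr_blocks.{j}"])
                # prefixlen 0 covers both 0.0.0.0/0 and ::/0
                if net.prefixlen == 0 and any(lo <= p <= hi for p in ports):
                    findings.append(f"{addr}: ingress[{i}] opens {lo}-{hi} to {net}")
    return findings


if __name__ == "__main__":
    for finding in world_open_ingress(SAMPLE_PLAN):
        print(finding)
```

In a pipeline a non-empty result would fail the build before `terraform apply` runs.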
These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.
Terrafirma requires tfjson. Terraform does not support JSON output (see PR:3170).
```sh
go get github.com/philips/tfjson
```
If you encounter errors with newer versions of go, try the following:
```sh
# Gopkg.lock and vendor/ live inside the tfjson checkout, and dep ensure
# must be run from that directory
rm -rf "${GOPATH}/src/github.com/philips/tfjson/vendor"
rm -rf "${GOPATH}/src/github.com/philips/tfjson/Gopkg.lock"
cd "${GOPATH}/src/github.com/philips/tfjson"
dep ensure
go install ./...
```
The package ships with half-populated vendored dependencies, which dep does not like, and a hardcoded Gopkg.lock.
Build and install terrafirma as well as its requirements. One way is to use wheels and virtualenv:
```sh
virtualenv -p python3 virtualenv
source virtualenv/bin/activate
pip install -r requirements.txt
python setup.py build bdist_wheel
pip install terrafirma --find-links=dist
```
You can determine if it was installed correctly by running the checks in the next section.
To check that terrafirma is installed and functioning correctly, you can execute the included tests:
```sh
python setup.py test
```
- See Basic Usage for examples of how to use Terrafirma.
- See Writing Checks for help understanding the check types and implementing new checks.
- See Tests for running the terrafirma unit tests to ensure it is functioning correctly.