TerraGuard is a Python-based security validation tool that helps developers identify potential security issues in their Terraform configurations before deployment. Think of it as a friendly security guard that reads through your Terraform files and points out potential security problems before they become real issues.
TerraGuard analyzes your Terraform configurations for common security issues including:
- S3 bucket misconfigurations (public access, missing encryption)
- Network security risks (open security groups, exposed ports)
- IAM security concerns (overly permissive policies, hardcoded credentials)
- Database vulnerabilities (public access, missing encryption)
- API Gateway security issues
- Container and Kubernetes security risks
- Cloud service configuration problems
The tool provides both console output with color-coded findings and detailed HTML reports with remediation suggestions.
- Clone the repository:
git clone https://github.com/yourusername/terraguard.git
cd terraguard
- Create a virtual environment (recommended):
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
- Install dependencies:
pip install -r requirements.txt
To scan a single Terraform file:
python src/main.py path/to/your/terraform/file.tf
The tool will generate:
- Console output with color-coded findings
- An HTML report in the `reports/` directory
Console output includes:
- Total number of findings
- Findings by severity (CRITICAL, HIGH, MEDIUM, LOW)
- Detailed description of each issue
- Suggested fixes
HTML reports provide:
- Comprehensive security analysis
- Statistics and metrics
- Detailed findings with code snippets
- Remediation recommendations
TerraGuard implements security rules in the following categories:
- S3 security: encryption validation, public access checks, logging configuration verification
- Network security: security group analysis, VPC configuration validation, port exposure detection
- IAM security: policy permission analysis, role configuration validation, credential exposure checks, password policy verification
- Database security: access control validation, encryption verification, backup configuration checks
- Container and cloud services: ECS task definition validation, EKS cluster security checks, DynamoDB configuration analysis
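To make the rule categories above concrete, here is an added example of how checks of this kind work. It is not TerraGuard's own code (the project's parser and rule format are not shown on this page): a small line-based parser for a flat subset of HCL plus four rules mirroring the S3, security group, IAM and database checks listed. The sample Terraform is constructed for the example; the resource types are real AWS provider names, but the check for an inline `server_side_encryption_configuration` block assumes the pre-v4 provider schema, and the hardcoded-credential check treats any quoted `password` literal as hardcoded.

```python
import json
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity resource message fix")

# Constructed sample (not from the project's examples/): four misconfigured
# resources; the second ingress rule is benign and must produce no finding.
SAMPLE_TF = r'''
resource "aws_s3_bucket" "logs" {
  acl = "public-read"
}
resource "aws_security_group" "web" {
  ingress {
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    cidr_blocks = ["10.0.0.0/8"]
  }
}
resource "aws_iam_policy" "admin" {
  policy = "{\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"*\",\"Resource\":\"*\"}]}"
}
resource "aws_db_instance" "app" {
  password            = "SuperSecret123!"
  publicly_accessible = true
}
'''
RESOURCE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{\s*$')
BLOCK = re.compile(r'^\s*([A-Za-z_]\w*)\s*\{\s*$')
ATTR = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')

def _value(raw):
    """Decode a flat HCL literal: bool, int, quoted string or list of those."""
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith("[") and raw.endswith("]"):
        return [_value(v.strip()) for v in raw[1:-1].split(",") if v.strip()]
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"')
    return int(raw) if raw.lstrip("-").isdigit() else raw  # bare reference such as var.x

def parse(text):
    """Map (type, name) -> attributes; nested blocks become lists of dicts."""
    resources, stack = {}, []
    for line in text.splitlines():
        if m := RESOURCE.match(line):
            stack.append(resources.setdefault((m.group(1), m.group(2)), {}))
        elif (m := BLOCK.match(line)) and stack:
            stack[-1].setdefault(m.group(1), []).append(body := {})
            stack.append(body)
        elif line.strip() == "}":
            stack.pop()
        elif (m := ATTR.match(line)) and stack:
            stack[-1][m.group(1)] = _value(m.group(2))
    return resources

def check_s3(rtype, name, body):
    if rtype == "aws_s3_bucket":
        if body.get("acl") in ("public-read", "public-read-write"):
            yield Finding("CRITICAL", f"{rtype}.{name}", "bucket ACL grants public access", 'set acl = "private"')
        if "server_side_encryption_configuration" not in body:  # inline (pre-v4 provider) form
            yield Finding("HIGH", f"{rtype}.{name}", "no server-side encryption", "add an aws:kms SSE block")

def check_security_group(rtype, name, body):
    for rule in body.get("ingress", []) if rtype == "aws_security_group" else []:
        if {"0.0.0.0/0", "::/0"} & set(rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])):
            lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
            admin = rule.get("protocol") == "-1" or any(lo <= p <= hi for p in (22, 3389))
            yield Finding("CRITICAL" if admin else "HIGH", f"{rtype}.{name}",
                          f"ingress {lo}-{hi} open to the world", "restrict cidr_blocks to trusted ranges")

def check_iam(rtype, name, body):
    if rtype == "aws_iam_policy" and "policy" in body:
        for st in json.loads(body["policy"]).get("Statement", []):  # assumes Statement is a list
            actions = st.get("Action")
            wildcard = actions == "*" or (isinstance(actions, list) and "*" in actions)
            if st.get("Effect") == "Allow" and wildcard and st.get("Resource") == "*":
                yield Finding("CRITICAL", f"{rtype}.{name}", 'Allow Action "*" on Resource "*"', "scope both down")

def check_database(rtype, name, body):
    if rtype == "aws_db_instance":
        if body.get("publicly_accessible") is True:
            yield Finding("HIGH", f"{rtype}.{name}", "database is publicly accessible", "set publicly_accessible = false")
        pw = body.get("password")
        if isinstance(pw, str) and not pw.startswith(("var.", "local.", "data.", "${")):
            yield Finding("CRITICAL", f"{rtype}.{name}", "hardcoded database password", "read it from a variable or secret store")

RULES = (check_s3, check_security_group, check_iam, check_database)

def scan(text):
    return [f for (t, n), body in parse(text).items() for rule in RULES for f in rule(t, n, body)]

def summarize(findings):
    counts = dict.fromkeys(("CRITICAL", "HIGH", "MEDIUM", "LOW"), 0)
    for f in findings:
        counts[f.severity] += 1
    return counts
```

`scan(SAMPLE_TF)` returns six findings: four CRITICAL (public bucket ACL, SSH open to the world, wildcard IAM policy, hardcoded database password) and two HIGH (unencrypted bucket, publicly accessible database), and `summarize` produces the per-severity counts a console summary would print. The rules are written as generators so a resource that passes every check contributes nothing, which is how the benign `10.0.0.0/8` ingress rule stays silent.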
Run the test suite:
python -m unittest discover tests
terraguard/
├── src/
│ ├── parser/ # Terraform file parsing
│ ├── rules/ # Security rule definitions
│ └── report/ # Report generation
├── tests/ # Test suite
├── examples/ # Example Terraform files
└── reports/ # Generated security reports
The `examples/` directory contains sample Terraform configurations demonstrating both secure and insecure practices:
- `api_gateway_example.tf`: API Gateway configurations
- `cloud_services_example.tf`: Various cloud service setups
- `container_db_example.tf`: Container and database configurations
- `database_example.tf`: Database configurations
- `iam_example.tf`: IAM policies and roles
- `network_example.tf`: Network security configurations
- `secure_example.tf`: Secure configuration examples
- `insecure_example.tf`: Examples of security issues
Contributions are welcome! Here's how you can help:
- Fork the repository
- Create a feature branch
- Commit your changes
- Push to the branch
- Create a Pull Request
Please ensure your code includes appropriate tests and documentation.
This project is licensed under the MIT License - see the LICENSE file for details.
Special thanks to the security community and Terraform developers who have documented common security issues and best practices that this tool helps identify.
While the current version is fully functional, future enhancements could include:
- Custom rule creation support
- Configuration file for rule customization
- CI/CD pipeline integration
- Real-time scanning capabilities
- Enhanced performance metrics
- Additional cloud provider support
For bugs, feature requests, or questions, please open an issue in the GitHub repository.