microsoft / security-devops-action

Microsoft Security DevOps for GitHub Actions.
MIT License

Terrascan: How to config IacType and IacVersion in terrascan gdnconfig #67

Closed ktran1005 closed 10 months ago

ktran1005 commented 10 months ago

Hi everyone, I am trying to use the MicrosoftDevOps task in Azure DevOps with Terrascan and only want to scan k8s, helm and dockerfile. I have tried the following ways with env variables, but all gave me errors. Does anyone know a way we can specify certain IAC types in terrascan?


    # First attempt: comma-separated IAC types with a parallel comma-separated list of versions
    - task: MicrosoftSecurityDevOps@1
      displayName: 'Microsoft Security DevOps'
      inputs:
        tools: 'BinSkim, terrascan'
        break: true
      env:
        GDN_BINSKIM_TARGET: '$(Build.ArtifactStagingDirectory)/binskim/**/${{ parameters.binskimPath }}'
        GDN_BINSKIM_RECURSE: 'true'
        GDN_BINSKIM_VERBOSE: 'true'
        GDN_TERRASCAN_IACTYPE: 'k8s, helm, docker'
        GDN_TERRASCAN_IACVERSION: 'v1, v3, v1'
        GDN_TERRASCAN_LOGLEVEL: 'error'
        GDN_TERRASCAN_POLICYTYPE: 'azure'
        GDN_TERRASCAN_VERBOSE: 'true'
        GDN_TERRASCAN_SHOWPASSED: 'true'
        GDN_TERRASCAN_OUTPUTTYPE: 'human'
    # Second attempt: "type: version" pairs in the version variable
    - task: MicrosoftSecurityDevOps@1
      displayName: 'Microsoft Security DevOps'
      inputs:
        tools: 'BinSkim, terrascan'
        break: true
      env:
        GDN_BINSKIM_TARGET: '$(Build.ArtifactStagingDirectory)/binskim/**/${{ parameters.binskimPath }}'
        GDN_BINSKIM_RECURSE: 'true'
        GDN_BINSKIM_VERBOSE: 'true'
        GDN_TERRASCAN_IACTYPE: 'k8s, helm, docker'
        GDN_TERRASCAN_IACVERSION: 'k8s: v1, helm: v3, docker: v1'
        GDN_TERRASCAN_LOGLEVEL: 'error'
        GDN_TERRASCAN_POLICYTYPE: 'azure'
        GDN_TERRASCAN_VERBOSE: 'true'
        GDN_TERRASCAN_SHOWPASSED: 'true'
        GDN_TERRASCAN_OUTPUTTYPE: 'human'

It works fine when I choose only one IAC_TYPE and pass in the corresponding version. However, when I try with more than one IAC type and IAC version, it gives me an error like this:

(error screenshot not reproduced in this extract)

JiandongJiang commented 10 months ago

According to the Terrascan CLI Options documentation at https://runterrascan.io/docs/usage/command_line_mode/#terrascan-commands, the scan command/functionality supports flags to configure the following:

The MicrosoftSecurityDevOps@1 task runs the Terrascan tool CLI for the scan command. As Terrascan does not support scanning multiple IAC types in a single run, you can use the MicrosoftSecurityDevOps@1 task to run Terrascan multiple times with each time just for one IAC type (and the corresponding version).
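Applying that suggestion, as an added example that is not part of the issue or the project's own documentation: one MicrosoftSecurityDevOps@1 task per IAC type, reusing the env variable names and the k8s/helm/docker versions from the question (the BinSkim task is left out here and would run separately). The `condition: succeededOrFailed()` lines are an assumption about the desired behaviour: because `break: true` fails a task on findings, Azure Pipelines would otherwise skip the remaining scans after the first failure.

```yaml
# Added example, not from the issue or the project: one Terrascan run per IAC type,
# since a single Terrascan scan handles only one IAC type and version.
- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps: Terrascan (k8s)'
  inputs:
    tools: 'terrascan'
    break: true
  env:
    GDN_TERRASCAN_IACTYPE: 'k8s'
    GDN_TERRASCAN_IACVERSION: 'v1'
    GDN_TERRASCAN_LOGLEVEL: 'error'
    GDN_TERRASCAN_OUTPUTTYPE: 'human'

- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps: Terrascan (helm)'
  # Assumption: keep scanning even if the previous task failed on findings,
  # so the job reports results for every IAC type rather than stopping early.
  condition: succeededOrFailed()
  inputs:
    tools: 'terrascan'
    break: true
  env:
    GDN_TERRASCAN_IACTYPE: 'helm'
    GDN_TERRASCAN_IACVERSION: 'v3'
    GDN_TERRASCAN_LOGLEVEL: 'error'
    GDN_TERRASCAN_OUTPUTTYPE: 'human'

- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps: Terrascan (docker)'
  condition: succeededOrFailed()
  inputs:
    tools: 'terrascan'
    break: true
  env:
    GDN_TERRASCAN_IACTYPE: 'docker'
    GDN_TERRASCAN_IACVERSION: 'v1'
    GDN_TERRASCAN_LOGLEVEL: 'error'
    GDN_TERRASCAN_OUTPUTTYPE: 'human'
```

With `break: true` on each task, the job still ends as failed if any of the three scans reports findings, which preserves the original gating intent while surfacing all results.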