tenable / terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
https://runterrascan.io
Apache License 2.0
4.75k stars 499 forks

[Question/Suggestion] Are simultaneous multiple output types supported? if not could they be please? #1300

Open RolfMoleman opened 2 years ago

RolfMoleman commented 2 years ago

environment1

environment 2

Description

I am trying to get Terrascan to output in multiple file formats at the same time without having to run multiple scans. This lets users choose which file format they wish to look at and best caters for accessibility needs.

What I Did

I have an Azure DevOps repo with the following folder structure:

      +---.build
      ¦   +---arm-templates
      ¦   ¦   +---dev_parameters
      ¦   ¦   +---prod_parameters
      ¦   ¦   +---uat_parameters
      ¦   +---pipelines
      ¦   ¦   +---code_quality_templates
      ¦   ¦   +---iac_templates
      ¦   +---terraform
      ¦       +---.terraform
      ¦           +---providers
      ¦               +---registry.terraform.io
      ¦                   +---hashicorp
      ¦                       +---azuread
      ¦                       ¦   +---2.22.0
      ¦                       ¦       +---windows_amd64
      ¦                       +---azurerm
      ¦                       ¦   +---3.8.0
      ¦                       ¦   ¦   +---windows_amd64
      ¦                       ¦   +---3.9.0
      ¦                       ¦       +---windows_amd64
      ¦                       +---time
      ¦                           +---0.7.2
      ¦                               +---windows_amd64
      +---assets
      +---docs
      ¦   +---code_quality
      +---images

I run Terrascan locally, locally via Docker, or via Docker in Azure DevOps, and none of them appears to support the option to specify multiple output types.

      mkdir TerraScanReports
      docker pull tenable/terrascan:latest
      # $(System.DefaultWorkingDirectory) is expanded by Azure Pipelines before the
      # script runs; substitute an absolute path when running this by hand.
      docker run \
        --volume "$(pwd)/.build:/repo/build" \
        --volume "$(System.DefaultWorkingDirectory)/TerraScanReports:/reports" \
        --name terrascan \
        --workdir /repo tenable/terrascan:latest \
        scan \
        --verbose \
        --show-passed \
        --log-output-dir /reports \
        --output human \
        --output junit-xml \
        --output sarif

The command above only produces a scan-result.sarif and a terrascan.log, so it only processes the last --output, in effect running:

      mkdir TerraScanReports
      docker pull tenable/terrascan:latest
      # the same run with a single --output
      docker run \
        --volume "$(pwd)/.build:/repo/build" \
        --volume "$(System.DefaultWorkingDirectory)/TerraScanReports:/reports" \
        --name terrascan \
        --workdir /repo tenable/terrascan:latest \
        scan \
        --verbose \
        --show-passed \
        --log-output-dir /reports \
        --output sarif

I would expect this to behave similarly to either Checkov, Checkmarx KICS or TFSec, where I could either specify the output flag multiple times or specify a list/array of output types. It would also be nice to be able to specify a partial filename.
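Until the scanner itself can emit several formats in one run, a single scan can still feed several reports: ask terrascan for JSON once and derive the other formats from that file in a post-processing step. The script below is an added example, not code from the terrascan project or from the issue author. It assumes the JSON layout terrascan documents for `-o json` (`results.violations[]`, `results.passed_rules[]` when `--show-passed` is given, and `results.scan_summary{}`), which should be checked against the version in use; the embedded input is a constructed sample with made-up rule ids, and the script name `split_reports.py` in the usage comment is hypothetical.

```python
"""Derive several terrascan report formats from one JSON scan result.
Assumed input layout (terrascan's documented `-o json` output; verify against the
installed version): results.violations[], results.passed_rules[], results.scan_summary{}.
"""
import json
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample shaped like terrascan's JSON output; rule ids are made up.
SAMPLE = {"results": {
    "violations": [
        {"rule_name": "s3EnforceUserACL", "rule_id": "EX_S3_0001", "severity": "HIGH",
         "category": "S3", "description": "S3 bucket ACL grants access to all account users.",
         "resource_name": "bucket", "resource_type": "aws_s3_bucket",
         "file": "modules/m1/main.tf", "line": 20},
        {"rule_name": "noOwnerTag", "rule_id": "EX_TAG_0002", "severity": "MEDIUM",
         "category": "Compliance", "description": "Resource has no 'owner' tag.",
         "resource_name": "bucket", "resource_type": "aws_s3_bucket",
         "file": "modules/m1/main.tf", "line": 12}],
    "passed_rules": [
        {"rule_name": "s3Versioning", "rule_id": "EX_S3_0003", "severity": "MEDIUM",
         "category": "S3", "description": "S3 bucket versioning is enabled."}],
    "scan_summary": {"file/folder": "/repo/build/terraform", "iac_type": "terraform",
                     "scanned_at": "2022-06-01 10:00:00.000000 +0000 UTC",
                     "policies_validated": 3, "violated_policies": 2,
                     "low": 0, "medium": 1, "high": 1}}}
SAMPLE_JSON = json.dumps(SAMPLE)


def load_results(text: str) -> dict:
    """Parse terrascan JSON and normalise the lists (a nil Go slice marshals to null)."""
    results = json.loads(text)["results"]
    results["violations"] = results.get("violations") or []
    results["passed_rules"] = results.get("passed_rules") or []
    results.setdefault("scan_summary", {})
    return results


def to_junit(results: dict) -> str:
    """JUnit XML: one failing testcase per violation, one passing testcase per passed rule."""
    violations, passed = results["violations"], results["passed_rules"]
    suite = ET.Element("testsuite", name="terrascan", tests=str(len(violations) + len(passed)),
                       failures=str(len(violations)), errors="0")
    for v in violations:
        case = ET.SubElement(suite, "testcase", name=f"{v['rule_id']}: {v['rule_name']}",
                             classname=f"{v['resource_type']}.{v['resource_name']}",
                             file=str(v.get("file", "")), line=str(v.get("line", "")))
        failure = ET.SubElement(case, "failure", message=v["description"], type=v["severity"])
        failure.text = (f"{v['severity']} {v['category']}: {v['description']}\n"
                        f"{v.get('file', '')}:{v.get('line', '')}")
    for p in passed:
        ET.SubElement(suite, "testcase", name=f"{p['rule_id']}: {p['rule_name']}", classname="passed")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(suite, encoding="unicode")


def to_human(results: dict) -> str:
    """Plain-text report in the spirit of terrascan's `human` output."""
    lines = ["Violation Details -", ""]
    for v in results["violations"]:
        for label, key in (("Description", "description"), ("File", "file"), ("Line", "line"),
                           ("Severity", "severity"), ("Rule Name", "rule_name"),
                           ("Rule ID", "rule_id"), ("Resource Type", "resource_type")):
            lines.append(f"\t{label:<19}:\t{v.get(key, '')}")
        lines.append("")
    lines += ["Scan Summary -", ""]
    for label, key in (("File/Folder", "file/folder"), ("IaC Type", "iac_type"),
                       ("Policies Validated", "policies_validated"),
                       ("Violated Policies", "violated_policies"),
                       ("Low", "low"), ("Medium", "medium"), ("High", "high")):
        lines.append(f"\t{label:<19}:\t{results['scan_summary'].get(key, '')}")
    return "\n".join(lines) + "\n"


# output type -> (file extension, renderer); add further converters here as needed
RENDERERS = {"junit-xml": ("xml", to_junit), "human": ("txt", to_human)}


def render_reports(results: dict, formats, prefix: str = "scan-result") -> dict:
    """Map filename -> content for every requested format (the prefix is the caller's choice)."""
    reports = {}
    for fmt in formats:
        if fmt not in RENDERERS:
            raise ValueError(f"unsupported output type {fmt!r}; known: {sorted(RENDERERS)}")
        ext, render = RENDERERS[fmt]
        reports[f"{prefix}.{ext}"] = render(results)
    return reports


def write_reports(results: dict, out_dir: str, formats, prefix: str = "scan-result") -> list:
    """Write each rendered report into out_dir and return the paths written."""
    paths = []
    for name, content in render_reports(results, formats, prefix).items():
        path = Path(out_dir) / name
        path.write_text(content, encoding="utf-8")
        paths.append(str(path))
    return paths


if __name__ == "__main__":
    # usage: split_reports.py <scan-result.json> <out_dir> <type>...; no args renders the sample
    if len(sys.argv) >= 4:
        src, out_dir, *formats = sys.argv[1:]
        print("\n".join(write_reports(load_results(Path(src).read_text("utf-8")), out_dir, formats)))
    else:
        print(to_human(load_results(SAMPLE_JSON)))
```

In the pipeline above this means keeping a single `--output json` (with `--show-passed` if passed rules should appear as passing test cases) and then running the script against the JSON file terrascan leaves in the report directory (named scan-result.json by analogy with the scan-result.sarif seen above, which is an assumption to check). The `prefix` argument of `render_reports` is where a partial filename of the kind asked for in the issue would plug in. SARIF is not derived here; if SARIF is also required, it is the format best requested from terrascan itself.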

RolfMoleman commented 2 years ago

Any updates on this at all please?