In this section of the IaC Scanning Tools Guide, we compare Checkov, tfsec, and Terrascan on their key features and examine the results of our vulnerabilities test. You can explore the other parts of this guide below.

Comparing Checkov vs. tfsec vs. Terrascan

General Comparison

Below you’ll find a matrix to compare these three tools.

| Tool Comparison | Checkov | tfsec | Terrascan |
| --- | --- | --- | --- |
| Language | Python | Go | Go |
| GitHub Stars | 5.5k | 5.8k | 4k |
| Backed by | Bridgecrew | Aqua Security | Tenable |
| Latest Version | v2.3.176 | v1.28.1 | v1.18.1 |
| IaC Frameworks Supported | Terraform, CloudFormation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep, OpenAPI or ARM Templates | Terraform | Terraform, CloudFormation, ARM Templates, Kubernetes, Helm v3, Kustomize, Dockerfiles |
| Scan Type | HCL or PLAN | HCL | HCL |
| Custom Checks Language | Python | YAML | Rego |
| Output Readability | CLI, JSON, Junit, XML, GitHub Markdown, text | JSON, CSV, Checkstyle, Sarif, Junit, text | YAML, JSON, XML, JUNIT-XML, SARIF, text |
| Direct CI/CD Integrations | GitHub, GitLab, Bitbucket | GitHub | GitHub, GitLab |
| VS Code Extension | Yes | Yes | Yes |
| Can Ignore Checks | Yes | Yes | Yes |

Our Test Results

Check the results of our tests with the number of violations detected by each tool below.

| Vulnerabilities for our Terraform Files | tfsec | Checkov | Terrascan |
| --- | --- | --- | --- |
| Critical Vulnerabilities | 5 | 1 | 0 |
| High Vulnerabilities | 18 | 3 | 7 |
| Medium Vulnerabilities | 4 | 9 | 1 |
| Low Vulnerabilities | 6 | 14 | 0 |
| Total Vulnerabilities | 33 | 27 | 8 |

Conclusion

In this blog post, we examined three of the most popular tools to scan your infrastructure: Checkov, tfsec, and Terrascan. We saw the benefits and key features of each tool, looked at how to get started with each along with some use cases for scanning Terraform and Kubernetes files, and examined how to create custom policies for each of them.

We’ve seen how to use these tools in isolation using the CLI. If you’re interested in using one of these tools or a combination within your CI/CD pipelines, then take a look at env0 for seamless integration.

Finally, the choice of which tool to use depends on your use case. If you are looking for a tool that covers more than just Terraform, then you would narrow your search to Checkov and Terrascan. If you prefer using Rego to build custom policies, then Terrascan or tfsec would be your options. If you're looking for a simple and fast solution to scan your Terraform code, then tfsec would be a good choice for you. You can also opt to use more than one tool together.
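As an added illustration of using more than one tool together (this is not code from the original post or from any of the three projects), the sketch below merges SARIF reports from two scanners and separates locations flagged by both from locations only one tool caught. It assumes each scanner was run with SARIF output, as the comparison table lists for tfsec and Terrascan; the sample reports and rule IDs are constructed placeholders.

```python
import json
import posixpath
from collections import defaultdict

def load_findings(sarif_text):
    """Flatten a SARIF 2.1.0 report into (tool, rule, level, file, line) tuples."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = phys.get("artifactLocation", {}).get("uri")
            path = posixpath.normpath(uri) if uri else None  # "./s3.tf" -> "s3.tf"
            line = phys.get("region", {}).get("startLine")
            # SARIF treats a result without an explicit level as "warning".
            findings.append((tool, res.get("ruleId"), res.get("level", "warning"), path, line))
    return findings

def merge(reports):
    """Group findings by (file, line) -> {tool: [rule ids]}. Matching on file and
    line is a heuristic: tools may anchor the same issue on different lines."""
    merged = defaultdict(lambda: defaultdict(list))
    for text in reports:
        for tool, rule, _level, path, line in load_findings(text):
            merged[(path, line)][tool].append(rule)
    return {loc: dict(tools) for loc, tools in merged.items()}

def split_by_agreement(merged):
    """Return (locations flagged by 2+ tools, locations flagged by one tool)."""
    shared = sorted((loc for loc, t in merged.items() if len(t) > 1), key=str)
    single = sorted((loc for loc, t in merged.items() if len(t) == 1), key=str)
    return shared, single

def _sarif(tool, results):
    """Build a constructed report from (ruleId, level, uri, line) tuples."""
    out = []
    for rule, level, uri, line in results:
        r = {"ruleId": rule, "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}
        if level:
            r["level"] = level
        out.append(r)
    return json.dumps({"runs": [{"tool": {"driver": {"name": tool}}, "results": out}]})

# Constructed sample data, not real scanner output; rule IDs are placeholders.
TFSEC = _sarif("tfsec", [("EXAMPLE-TF-001", "error", "main.tf", 12),
                         ("EXAMPLE-TF-002", "warning", "./s3.tf", 3)])
TERRASCAN = _sarif("terrascan", [("EXAMPLE-TS-001", "error", "main.tf", 12),
                                 ("EXAMPLE-TS-002", None, "network.tf", 40)])
print(split_by_agreement(merge([TFSEC, TERRASCAN])))
```

Locations in the single-tool list are the ones a one-scanner pipeline would have missed, which is the practical argument for combining tools when their violation counts differ as widely as in the test results above.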
