Infrastructure as Code Security Scanning: Checkov, tfsec, Snyk, and KICS Compared

If you are writing Terraform, CloudFormation, Kubernetes manifests, or Helm charts and not scanning them before they reach production, you are shipping misconfigurations. That is not an exaggeration: most cloud breaches trace back not to zero-days but to overly permissive IAM policies, public S3 buckets, unencrypted databases, and missing network controls that could have been caught with a 10-second CLI scan.

Infrastructure as Code security scanners perform static analysis on your IaC files before deployment. They parse the resource graph, evaluate each resource against a policy library, and flag anything that deviates from secure baselines: CIS benchmarks, NIST controls, PCI-DSS requirements, and common sense rules like “do not expose port 22 to 0.0.0.0/0.” The output is actionable: a list of findings with severity, file path, line number, and a description of the remediation.

This guide is aimed at platform engineers, DevOps teams, and security engineers who need to choose a scanner (or a combination of scanners) and integrate it into their pipelines. We cover the four tools that see the most real-world use, plus Trivy as an increasingly important fifth option, and give you honest trade-offs for each.

The Tools at a Glance

Checkov

Checkov is the most widely deployed open-source IaC scanner. It is maintained by Palo Alto Networks and has accumulated over 80 million downloads. The current major version, Checkov 3.x, ships with more than 2,500 built-in policies and supports Python 3.9 through 3.13.

What Checkov Scans

Checkov covers more IaC formats than any other standalone open-source tool: Terraform, Terraform plan JSON, CloudFormation, AWS SAM, Kubernetes manifests, Helm charts, Kustomize overlays, Dockerfiles, Serverless Framework, Bicep, OpenAPI specs, ARM templates, and OpenTofu.

The Graph-Based Difference

Most IaC scanners evaluate resources in isolation: “does this S3 bucket have encryption enabled?” Checkov also builds a graph of resource relationships and evaluates cross-resource policies. A practical example: it can verify that an S3 bucket referenced by a CloudFront distribution has the correct Origin Access Control configured, not just that each resource individually passes its own checks. This eliminates an entire class of false negatives that single-resource scanners miss.

Custom Policies

Checkov supports custom policies written in Python (for complex logic) or YAML (for simpler rule patterns). YAML-based custom checks are approachable for security engineers who are not Python developers:

metadata:
  name: "Ensure S3 bucket has versioning enabled"
  id: "CKV2_AWS_CUSTOM_1"
  category: "GENERAL_SECURITY"
definition:
  cond_type: "attribute"
  resource_types:
    - "aws_s3_bucket_versioning"
  attribute: "versioning_configuration.0.status"
  operator: "equals"
  value: "Enabled"

Running Checkov

# Install
pip install checkov

# Scan a Terraform directory
checkov -d ./terraform --framework terraform

# Output as SARIF for GitHub Code Scanning
checkov -d ./terraform --output sarif --output-file-path results.sarif

# Scan a Kubernetes manifest
checkov -f deployment.yaml --framework kubernetes

# Scan with a specific check
checkov -d . --check CKV_AWS_18,CKV_AWS_20

Checkov Gotchas

Variable references are a common source of false positives. If you pass sensitive values via var.encryption_key and Checkov cannot resolve the variable at scan time, it may flag the check as failing. Use a checkov.yaml config file to suppress known false positives with justification:

soft-fail-on:
  - CKV_AWS_135
skip-check:
  - CKV2_AWS_6

Also be aware that Checkov’s SCA scanning (open-source package CVEs) requires a Prisma Cloud API key for full results; the standalone IaC scanning is fully free.

KICS (Keeping Infrastructure as Code Secure)

KICS is Checkmarx’s open-source IaC scanner, licensed under Apache 2.0. As of January 2026, the latest release is v2.1.19. The project has over 9,700 commits and 141 contributors.

Format Coverage

KICS supports 22 platforms including everything Checkov covers plus Ansible, Docker Compose, gRPC, Azure Blueprints, Google Deployment Manager, AWS CDK, Pulumi, Crossplane, Knative, GitHub Actions workflows, and Databricks. If you are running a polyglot infrastructure that spans Pulumi code, Ansible playbooks, and Kubernetes manifests, KICS is the only open-source tool with a single query engine that covers all three.

Rego Queries

KICS uses 2,400+ Rego-based security queries. If your organization already uses OPA (Open Policy Agent) for admission control, this is a meaningful consistency win: the same policy language across static analysis and runtime enforcement.

Output Format Richness

KICS produces output in JSON, SARIF, JUnit XML, HTML, PDF, CSV, CycloneDX, GitLab SAST, SonarQube, Code Climate, and AWS Security Hub ASFF. If you are feeding results into a SIEM, a vulnerability management platform, or a compliance dashboard, KICS likely has a native output format for it.

Running KICS

# Run via Docker (no install required)
docker run -v $(pwd):/path checkmarx/kics:latest scan \
  -p /path/terraform \
  -o /path/results \
  --report-formats json,sarif

# Run the binary directly
kics scan -p ./terraform --report-formats html -o ./kics-results

# Scan only for specific categories
kics scan -p . --type "Terraform" \
  --categories "Encryption,Networking,IAM"

KICS Gotchas

Query maintenance can lag behind new provider releases. A freshly released AWS resource type may take several weeks before KICS ships queries for it. Checkov tends to have faster policy coverage for new Terraform provider releases. KICS also has a steeper learning curve for writing custom queries (Rego vs. Checkov’s YAML approach).

tfsec (and Its Successor, Trivy)

tfsec was the first widely adopted dedicated Terraform security scanner. Aqua Security has since migrated its rule library and engineering attention into Trivy; tfsec itself is in maintenance mode at v1.28.13 with no new features planned. Existing tfsec users should migrate to Trivy: the rules are identical, the output format is compatible, and inline suppressions using #tfsec:ignore comments are honored.

This does not mean tfsec is broken or dangerous to use today. It runs, it catches things, and for small teams with a working tfsec setup, there is no urgency to migrate immediately. But do not build new pipelines on tfsec.

Trivy

Trivy (Aqua Security) is an all-in-one open-source security scanner. The latest release as of February 2026 is v0.69.1. It has over 31,000 GitHub stars and 513 contributors, making it the most-starred open-source security scanner on GitHub.

Trivy scans container images, file systems, Git repositories, Kubernetes clusters, cloud configurations, and IaC files in a single tool. After absorbing tfsec’s rules, its misconfiguration scanner covers Terraform, CloudFormation, Kubernetes manifests, Helm charts, Dockerfiles, ARM templates, and Ansible.

Running Trivy for IaC

# Scan a directory of IaC files (auto-detects format)
trivy config ./terraform

# Scan with severity filter
trivy config --severity HIGH,CRITICAL ./terraform

# Output as SARIF
trivy config --format sarif --output results.sarif ./

# Kubernetes manifest scan
trivy config ./k8s-manifests/

Trivy’s key practical advantage is pipeline consolidation: you can run one tool that checks your container image for CVEs, your Terraform for misconfigurations, your repo for secrets, and your packages for license issues. If your team already uses Trivy for container scanning, extending it to IaC adds zero new dependencies.

The trade-off is that Trivy has fewer IaC-specific policies than Checkov and lacks Checkov’s graph-based cross-resource checks. For teams where the container supply chain is as important as infrastructure configuration, Trivy wins on operational simplicity. For teams that primarily care about IaC depth, Checkov wins on policy coverage.

Snyk IaC

Snyk IaC is the commercial option in this comparison, though it offers a meaningful free tier. It supports Terraform, CloudFormation, Kubernetes manifests, Helm charts, and ARM templates.

What Differentiates Snyk

The differentiator is the developer experience. Snyk’s IDE plugins (VS Code, JetBrains, Eclipse) surface misconfigurations inline while writing IaC, with specific remediation suggestions. In a CI/CD pipeline, Snyk can comment directly on pull requests with findings scoped to the diff, rather than flooding the PR with pre-existing issues. This “shift left” approach reduces friction significantly for teams where developers, not security engineers, own IaC files.

Pricing

• Free: $0/developer, limited to public repos (private repos have a monthly test limit)
• Team: $25/developer/month, minimum 5 developers
• Enterprise: Custom pricing

IDE plugin scans do not count against test limits on any plan. For small teams scanning private repos frequently, test limits on the free tier become a practical constraint to evaluate.

Snyk IaC Gotchas

Snyk IaC does not have the raw policy count of Checkov or KICS. It prioritizes coverage of common, high-impact misconfigurations over exhaustive rule sets. For compliance-heavy environments requiring CIS Level 2 benchmark coverage, you may find gaps. Snyk is also a SaaS product: results are transmitted to Snyk’s infrastructure unless you are on an Enterprise plan with a self-hosted option. This matters for teams in regulated industries.

CI/CD Integration Patterns

All of these tools produce SARIF output, which integrates natively with GitHub Code Scanning (Advanced Security). A minimal GitHub Actions workflow:

name: IaC Security Scan
on: [pull_request]

jobs:
  checkov:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: terraform/
          output_format: sarif
          output_file_path: results.sarif
          soft_fail: true
      - name: Upload to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

For GitLab CI, use the SAST report artifact type; most tools produce a compatible format with a single flag.

A practical pipeline strategy: run a fast scanner (Trivy or tfsec) on every commit for immediate feedback, and run Checkov or KICS on pull requests for deeper analysis with compliance reporting. This avoids adding 60+ seconds to every push while still catching the things that matter before merge.

Recommendations by Use Case

Solo developer or small startup (under 10 engineers): Start with Checkov. It is free, has the best coverage for Terraform and CloudFormation, and the GitHub Action is a three-line addition to any existing workflow. Add Trivy if you are also building container images.

Mid-size team that uses Kubernetes heavily: Trivy gives you a single tool across containers, manifests, and IaC. Its Kubernetes cluster scanning mode (not just manifest files) is a capability that none of the other tools in this comparison match.

Organization with Ansible, Pulumi, or Databricks infrastructure: KICS is the only open-source tool with first-class support for this breadth of IaC formats. Its Rego query language also integrates well with existing OPA investments.

Teams with developer-owned IaC who need buy-in: Snyk IaC’s IDE integration and PR commenting experience reduce the friction of making developers responsible for fixing their own misconfigurations. The free tier is viable for teams up to about 5 developers with moderate scan volumes.

Enterprise with compliance requirements (PCI-DSS, HIPAA, SOC 2): Run Checkov for depth on AWS/Azure/GCP Terraform, and supplement with KICS for its richer compliance reporting output formats. Both tools include compliance framework mappings out of the box.

Teams migrating off tfsec: Move to Trivy. The migration is a one-line change to most pipeline configurations, the rules are identical, and you gain IaC coverage for non-Terraform formats in the same step.

🔍 Free scanner: Terraform Security Scanner — paste your .tf config and get 9 security checks (hardcoded secrets, open security groups, encryption, IAM) with an A–F grade instantly.