SalilLambe/iacscan-tool-compare

What tools are there?

| | Checkov | Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| Vendor | Bridgecrew | Indeni | Checkmarx | Snyk | Accurics | Aqua Security |
| License | OSS | Freemium | OSS | Freemium | OSS | OSS |
| Written in | Python | Python | Rego | Unknown | Rego | Go |
| Custom Rule Support | Yes | Yes | Yes | No | Yes | Yes |
| CI/CD-specific Integrations | CircleCI, GitLab, GitHub | CircleCI, GitLab, GitHub | GitHub | None | CircleCI, GitHub | CircleCI, GitHub |
| Output Formats (for generic CI/CD support) | Text, JSON, JUnit, SARIF | Text, JSON, JUnit, SARIF, GitLab-SAST | Text, JSON, SARIF, HTML | Text, JSON, SARIF, HTML | Text, JSON, JUnit | Text, JSON, JUnit, SARIF |
| Coverage for live environment | Not in OSS, use paid product | Yes, integrated into scans | No | No | Not in OSS, use paid product | Yes, via different product |

Summary

Last update: 2022-03-14

| | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| Tested Version | 2.0.941 | 1.3.836 | 1.5.3 | 1.864.0 | 1.13.2 | 1.8.0 |
| Terraform - AWS | 69% | 93% | 94% | 62% | 73% | 61% |
| Terraform - Advanced Language Expressions | 20% | 100% | 20% | 0% | 0% | 0% |
| Total Catch Rate | 67% | 93% | 90% | 59% | 70% | 58% |

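test-cases/terraform/aws/best-practices

| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| alb_drop_http_headers | | | | | | |
| cloudfront_not_using_waf | | | | | | |
| cloudtrail_enabled_on_multi_region | | | | | | |
| config_aggregator_all_regions | | | | | | |
| deploy_ec2_to_default_vpc | | | | | | |
| deploy_redshift_in_ec2_classic_mode | | | | | | |
| dynamodb_without_recovery_enabled | | | | | | |
| ec2_ebs_not_optimized | | | | | | |
| ecr_make_tags_immutable | | | | | | |
| ecr_use_image_scanning | | | | | | |
| ecs_cluster_container_insights | | | | | | |
| elasticache_automatic_backup | | | | | | |
| kms_uses_rotation | | | | | | |
| rds_retention_period_set | | | | | | |
| security_group_no_description_for_rules | | | | | | |
| security_group_no_description_for_securi.. | | | | | | |
| security_group_no_unused | | | | | | |
| tag_all_items | | | | | | |
| using_public_amis | | | | | | |
| Sub-category Catch Rate | 84% | 84% | 89% | 63% | 63% | 79% |
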
test-cases/terraform/aws/encryption/at-rest

| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| athena_not_encrypted | | | | | | |
| cloudtrail_not_encrypted | | | | | | |
| cloudwatch_groups_not_encrypted | | | | | | |
| codbuild_using_aws_key | | | | | | |
| dax_cluster_not_encrypted | | | | | | |
| docdb_cluster_encrypted_at_rest_using_cm.. | | | | | | |
| docdb_cluster_encrypted_without_kms_key | | | | | | |
| docdb_clusters_non_encrypted | | | | | | |
| dynamodb_not_encrypted | | | | | | |
| ecr_repo_not_encrypted | | | | | | |
| elasticache_replication_group_not_encryp.. | | | | | | |
| elasticsearch_not_encrypted | | | | | | |
| kinesis_stream_not_encrypted | | | | | | |
| neptune_cluster_no_encryption | | | | | | |
| rds_cluster_encrypt_at_rest_disabled | | | | | | |
| redshift_not_encrypted | | | | | | |
| rest_api_cache_non_encrypted | | | | | | |
| s3_bucket_non_encrypted | | | | | | |
| s3_bucket_object_non_encrypted | | | | | | |
| sagemaker_not_encrypted | | | | | | |
| secretsmanager_secrets_encrypted_at_rest.. | | | | | | |
| secretsmanager_secrets_encrypted_at_rest.. | | | | | | |
| sns_topic_encrypted_at_rest_with_aws_man.. | | | | | | |
| sqs_queue_not_encrypted | | | | | | |
| workgroups_non_encrypted | | | | | | |
| workspace_root_volume_not_encrypted_at_r.. | | | | | | |
| workspace_user_volume_not_encrypted_at_r.. | | | | | | |
| Sub-category Catch Rate | 74% | 100% | 100% | 81% | 78% | 89% |

test-cases/terraform/aws/encryption/in-transit

| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| alb_use_http | | | | | | |
| cloudfront_distribution_not_encrypted | | | | | | |
| cloudfront_protocol_version_is_low | | | | | | |
| ecs_task_definition_not_encrypted_in_tra.. | | | | | | |
| elasticache_replication_group_not_encryp.. | | | | | | |
| elasticsearch_encrypt_node_to_node_disab.. | | | | | | |
| load_balancer_listener_http | | | | | | |
| vpc_has_only_dynamodb_vpce_gw_connection | | | | | | |
| Sub-category Catch Rate | 75% | 100% | 88% | 75% | 88% | 88% |

test-cases/terraform/aws/iam/iam-entities

| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| human_users_defined | | | | | | |
| iam_user_inline_policy_attach | | | | | | |
| iam_user_managed_policy_direct_attachmen.. | | | | | | |
| passrole_and_lambda_permissions_cause_pr.. | | | | | | |
| policy-too-broad | | | | | | |
| policy_missing_principal | | | | | | |
| public_and_private_ec2_same_role | | | | | | |
| role_assume_policy_principal_all | | | | | | |
| Sub-category Catch Rate | 50% | 100% | 88% | 38% | 50% | 0% |

test-cases/terraform/aws/iam/resource-authentication

| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| rds_without_authentication | | | | | | |
| rest_api_without_authorization | | | | | | |
| Sub-category Catch Rate | 100% | 50% | 100% | 100% | 50% | 0% |

test-cases/terraform/aws/iam/resource-policies

| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| cloudwatch_log_destination_insecure_poli.. | | | | | | |
| ecr_not_secure_policy | | | | | | |
| efs_not_secure_policy | | | | | | |
| elasticsearch_domain_not_secure_policy | | | | | | |
| glacier_vault_not_secure_policy | | | | | | |
| glue_data_catalog_not_secure_policy | | | | | | |
| kms_key_not_secure_policy | | | | | | |
| lambda_not_secure_policy | | | | | | |
| rest_api_not_secure_policy | | | | | | |
| s3_bucket_acl_public_all_authenticated_u.. | | | | | | |
| s3_bucket_acl_public_all_users_canned | | | | | | |
| s3_bucket_acl_public_all_users_canned_wi.. | | | | | | |
| s3_bucket_policy_public_to_all_authentic.. | | | | | | |
| secrets_manager_not_secure_policy | | | | | | |
| Sub-category Catch Rate | 21% | 100% | 93% | 21% | 71% | 21% |

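test-cases/terraform/aws/logging

| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| api_gateway_no_xray | | | | | | |
| cloudfront_distribution_without_logging | | | | | | |
| cloudtrail_file_log_validation_disabled | | | | | | |
| cloudwatch_log_groups_no_retention | | | | | | |
| docdb_audit_logs_missing | | | | | | |
| ec2_without_monitoring | | | | | | |
| eks_logging_disabled | | | | | | |
| elasticsearch_domain_logging_disabled | | | | | | |
| elb_without_access_logs | | | | | | |
| globalaccelerator_accelerator_no_flow_lo.. | | | | | | |
| lambda_without_explicit_log_group | | | | | | |
| lambda_without_xray | | | | | | |
| neptune_cluster_no_logging | | | | | | |
| rds_without_logging | | | | | | |
| redshift_without_logging | | | | | | |
| rest_api_no_access_logging | | | | | | |
| s3_access_logging_disabled | | | | | | |
| Sub-category Catch Rate | 94% | 82% | 94% | 71% | 94% | 59% |
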
test-cases/terraform/aws/networking/vpc-endpoints

| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| dynamodb-vpce-exist-without-routeassocia.. | | | | | | |
| sqs-vpc-endpoint-without-dns-resolution | | | | | | |
| Sub-category Catch Rate | 0% | 100% | 100% | 0% | 0% | 0% |

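test-cases/terraform/hcl_language_complexity

| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| using_count_and_ternary_expr | | | | | | |
| using_for_each | | | | | | |
| using_locals | | | | | | |
| using_module_multi | | | | | | |
| using_module_simple | | | | | | |
| Sub-category Catch Rate | 20% | 100% | 20% | 0% | 0% | 0% |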
