 | Checkov | Cloudrail | Kics | Snyk | Terrascan | Tfsec |
---|---|---|---|---|---|---|
Vendor | Bridgecrew | Indeni | Checkmarx | Snyk | Accurics | Aqua Security |
License | OSS | Freemium | OSS | Freemium | OSS | OSS |
Written in | Python | Python | Rego | Unknown | Rego | Go |
Custom Rule Support | Yes | Yes | Yes | No | Yes | Yes |
CI/CD-specific Integrations | CircleCI, GitLab, GitHub | CircleCI, GitLab, GitHub | GitHub | None | CircleCI, GitHub | CircleCI, GitHub |
Output Formats (for generic CI/CD support) | Text, JSON, JUnit, SARIF | Text, JSON, JUnit, SARIF, GitLab-SAST | Text, JSON, SARIF, HTML | Text, JSON, SARIF, HTML | Text, JSON, JUnit | Text, JSON, JUnit, SARIF |
Coverage of live (deployed) environment | Not in OSS, use paid product | Yes, integrated into scans | No | No | Not in OSS, use paid product | Yes, via a different product |
Last update: 2022-03-14
 | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
---|---|---|---|---|---|---|
Tested Version | 2.0.941 | 1.3.836 | 1.5.3 | 1.864.0 | 1.13.2 | 1.8.0 |
Terraform - AWS | 69% | 93% | 94% | 62% | 73% | 61% |
Terraform - Advanced Language Expressions | 20% | 100% | 20% | 0% | 0% | 0% |
Total Catch Rate | 67% | 93% | 90% | 59% | 70% | 58% |
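The per-test-case tables below are derived from scanner output. The following Python is an added example, not code from the benchmark repository, showing one way to turn SARIF reports (the output format five of the six tools list above) into catch marks and a sub-category catch rate in the same layout as this page. It assumes, since the page does not document it, that each test case lives in a directory named after it under the sub-category path and that a scanner catches a case when at least one of its results points at a file inside that directory. The tool names `tool-a` and `tool-b`, the file paths and the SARIF documents are constructed sample data.

```python
"""Score IaC scanner SARIF output against benchmark test-case directories.

Added example, not the benchmark's own code. Scoring rule (an assumption):
a scanner catches a test case when at least one SARIF result points at a
file inside that test case's directory. SARIF 2.1.0 field names are standard.
"""
from pathlib import PurePosixPath

# Test-case ids taken from the iam/iam-entities table; the directory layout
# (ROOT/<test case>/main.tf) is assumed, not confirmed by the page.
ROOT = "test-cases/terraform/aws/iam/iam-entities"
TEST_CASES = [
    "human_users_defined",
    "iam_user_inline_policy_attach",
    "policy-too-broad",
    "role_assume_policy_principal_all",
]


def result_uris(sarif):
    """Yield every artifact URI reported by any result in a SARIF document."""
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                uri = (loc.get("physicalLocation", {})
                          .get("artifactLocation", {})
                          .get("uri"))
                if uri:
                    yield uri


def case_for_uri(uri, root, cases):
    """Map a reported path (relative, absolute or file://) to its test case, or None."""
    path = uri[len("file://"):] if uri.startswith("file://") else uri
    parts = PurePosixPath(path).parts
    root_parts = PurePosixPath(root).parts
    n = len(root_parts)
    # Scanners may prefix the checkout directory, so look for ROOT anywhere in the path.
    for i in range(len(parts) - n):
        if parts[i:i + n] == root_parts:
            candidate = parts[i + n]
            return candidate if candidate in cases else None
    return None


def score(sarif_by_tool, root, cases):
    """Return ({tool: {case: caught?}}, {tool: catch rate in whole percent})."""
    table = {}
    rates = {}
    for tool, sarif in sarif_by_tool.items():
        # A set, so several findings in one test case still count as a single catch.
        hits = {case_for_uri(u, root, cases) for u in result_uris(sarif)} - {None}
        table[tool] = {c: c in hits for c in cases}
        rates[tool] = round(100 * len(hits) / len(cases))
    return table, rates


def render_table(table, rates, cases):
    """Render results in the same pipe-table layout used on this page."""
    tools = list(table)
    lines = ["Test Case | " + " | ".join(tools) + " |", "---|" + "---|" * len(tools)]
    for c in cases:
        lines.append(f"{c} | " + " | ".join("✅" if table[t][c] else "❌" for t in tools) + " |")
    lines.append("Sub-category Catch Rate | " + " | ".join(f"{rates[t]}%" for t in tools) + " |")
    return "\n".join(lines)


def make_sarif(tool, uris):
    """Build a minimal SARIF 2.1.0 document (constructed sample output)."""
    return {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool}},
            "results": [
                {"ruleId": f"{tool}-{i}", "message": {"text": "constructed finding"},
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": u}}}]}
                for i, u in enumerate(uris)
            ],
        }],
    }


# Constructed output for two hypothetical scanners.
SAMPLE_OUTPUT = {
    "tool-a": make_sarif("tool-a", [
        f"{ROOT}/human_users_defined/main.tf",
        f"{ROOT}/iam_user_inline_policy_attach/main.tf",
        f"{ROOT}/iam_user_inline_policy_attach/main.tf",  # two findings, one catch
        f"{ROOT}/role_assume_policy_principal_all/main.tf",
    ]),
    "tool-b": make_sarif("tool-b", [
        f"file:///home/ci/repo/{ROOT}/policy-too-broad/main.tf",  # absolute file:// form
        "test-cases/terraform/aws/logging/s3_access_logging_disabled/main.tf",  # other suite
    ]),
}

if __name__ == "__main__":
    results, catch_rates = score(SAMPLE_OUTPUT, ROOT, TEST_CASES)
    print(render_table(results, catch_rates, TEST_CASES))
```

Findings outside the sub-category root are ignored rather than counted, so a tool that is noisy elsewhere gains nothing; a finding is also not checked against the rule it was meant to trigger, which a stricter scorer would do by matching `ruleId` against an expected-rule list per test case.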
test-cases/terraform/aws/best-practices
Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
---|---|---|---|---|---|---|
alb_drop_http_headers | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ |
cloudfront_not_using_waf | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
cloudtrail_enabled_on_multi_region | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
config_aggregator_all_regions | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
deploy_ec2_to_default_vpc | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
deploy_redshift_in_ec2_classic_mode | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ |
dynamodb_without_recovery_enabled | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
ec2_ebs_not_optimized | ✅ | ❌ | ✅ | ❌ | ✅ | ❌ |
ecr_make_tags_immutable | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
ecr_use_image_scanning | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
ecs_cluster_container_insights | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ |
elasticache_automatic_backup | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ |
kms_uses_rotation | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
rds_retention_period_set | ✅ | ❌ | ✅ | ❌ | ✅ | ✅ |
security_group_no_description_for_rules | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
security_group_no_description_for_securi.. | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
security_group_no_unused | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
tag_all_items | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
using_public_amis | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
Sub-category Catch Rate | 84% | 84% | 89% | 63% | 63% | 79% |
test-cases/terraform/aws/encryption/at-rest
test-cases/terraform/aws/encryption/in-transit
Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
---|---|---|---|---|---|---|
alb_use_http | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
cloudfront_distribution_not_encrypted | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
cloudfront_protocol_version_is_low | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
ecs_task_definition_not_encrypted_in_tra.. | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
elasticache_replication_group_not_encryp.. | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
elasticsearch_encrypt_node_to_node_disab.. | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
load_balancer_listener_http | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
vpc_has_only_dynamodb_vpce_gw_connection | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
Sub-category Catch Rate | 75% | 100% | 88% | 75% | 88% | 88% |
test-cases/terraform/aws/iam/iam-entities
Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
---|---|---|---|---|---|---|
human_users_defined | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
iam_user_inline_policy_attach | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
iam_user_managed_policy_direct_attachmen.. | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
passrole_and_lambda_permissions_cause_pr.. | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ |
policy-too-broad | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
policy_missing_principal | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ |
public_and_private_ec2_same_role | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
role_assume_policy_principal_all | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
Sub-category Catch Rate | 50% | 100% | 88% | 38% | 50% | 0% |
test-cases/terraform/aws/iam/resource-authentication
Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
---|---|---|---|---|---|---|
rds_without_authentication | ✅ | ❌ | ✅ | ✅ | ✅ | ❌ |
rest_api_without_authorization | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
Sub-category Catch Rate | 100% | 50% | 100% | 100% | 50% | 0% |
test-cases/terraform/aws/iam/resource-policies
Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
---|---|---|---|---|---|---|
cloudwatch_log_destination_insecure_poli.. | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
ecr_not_secure_policy | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ |
efs_not_secure_policy | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ |
elasticsearch_domain_not_secure_policy | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ |
glacier_vault_not_secure_policy | ✅ | ✅ | ❌ | ✅ | ❌ | ✅ |
glue_data_catalog_not_secure_policy | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
kms_key_not_secure_policy | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ |
lambda_not_secure_policy | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
rest_api_not_secure_policy | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ |
s3_bucket_acl_public_all_authenticated_u.. | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
s3_bucket_acl_public_all_users_canned | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
s3_bucket_acl_public_all_users_canned_wi.. | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ |
s3_bucket_policy_public_to_all_authentic.. | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ |
secrets_manager_not_secure_policy | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ |
Sub-category Catch Rate | 21% | 100% | 93% | 21% | 71% | 21% |
test-cases/terraform/aws/logging
Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
---|---|---|---|---|---|---|
api_gateway_no_xray | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
cloudfront_distribution_without_logging | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
cloudtrail_file_log_validation_disabled | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
cloudwatch_log_groups_no_retention | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
docdb_audit_logs_missing | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
ec2_without_monitoring | ✅ | ❌ | ✅ | ❌ | ✅ | ❌ |
eks_logging_disabled | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
elasticsearch_domain_logging_disabled | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
elb_without_access_logs | ✅ | ❌ | ✅ | ❌ | ✅ | ❌ |
globalaccelerator_accelerator_no_flow_lo.. | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
lambda_without_explicit_log_group | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
lambda_without_xray | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
neptune_cluster_no_logging | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
rds_without_logging | ✅ | ❌ | ✅ | ❌ | ✅ | ❌ |
redshift_without_logging | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
rest_api_no_access_logging | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
s3_access_logging_disabled | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Sub-category Catch Rate | 94% | 82% | 94% | 71% | 94% | 59% |
test-cases/terraform/aws/networking/vpc-endpoints
Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
---|---|---|---|---|---|---|
dynamodb-vpce-exist-without-routeassocia.. | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
sqs-vpc-endpoint-without-dns-resolution | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
Sub-category Catch Rate | 0% | 100% | 100% | 0% | 0% | 0% |
test-cases/terraform/hcl_language_complexity
Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
---|---|---|---|---|---|---|
using_count_and_ternary_expr | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
using_for_each | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
using_locals | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
using_module_multi | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
using_module_simple | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
Sub-category Catch Rate | 20% | 100% | 20% | 0% | 0% | 0% |