A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons

This page summarizes the projects mentioned and recommended in the original post on dev.to
infrastructure-as-code Security Devsecops HacktoberFest Terraform

WorkOS
Our great sponsors
  • WorkOS - The modern identity platform for B2B SaaS
  • InfluxDB - Power Real-Time Data Analytics at Scale
  • SaaSHub - Software Alternatives and Reviews
Our great sponsors

  • kics

    Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.

    • KICS (stands for "Keeping Infrastructure as Code Secure"): Owner/Maintainer: Checkmarx Age: First released on GitHub on November 30th, 2020 License: Apache License 2.0

  • tfsec

    Security scanner for your Terraform code

    • tfsec Owner/Maintainer: Aqua Security (acquired in 2021) Age: First released on GitHub on March 5th, 2019 License: MIT License tfsec project is no longer actively maintained in favor of the Trivy tool. But because many people still use it and it's quite famous, I added tfsec to this comparison. However, I recommend against using it for new projects.

  • WorkOS

    The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

    WorkOS logo

  • trivy

    Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

    • Trivy Owner/Maintainer: Aqua Security Age: First released on GitHub on May 7th, 2019 License: Apache License 2.0 backward-compatible with tfsec

  • terrascan

    Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

    • Terrascan Owner/Maintainer: Tenable (acquired in 2022) Age: First release on GitHub on November 28th, 2017 License: Apache License 2.0

  • checkov

    Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

    • Checkov Owner/Maintainer: Prisma Cloud by Palo Alto Networks (acquired in 2021) Age: First released on GitHub on March 31st, 2021 License: Apache License 2.0

  • semgrep

    Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

    • Semgrep OSS Owner/Maintainer: Semgrep Age: First release on GitHub on February 6th, 2020 License: GNU Lesser General Public License v2.1

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts