
10 Infrastructure as Code (IaC) Scanning Tools Compared

Infrastructure as Code (IaC) is the process of configuring infrastructure using versioned code files. Your IaC tool then automatically updates your infrastructure so it matches the state defined in your files. This improves provisioning speed and repeatability while making it easier to detect configuration drift.

IaC config files can contain misconfigurations and vulnerabilities. These can range from minor issues, like a missing required tag, to more serious ones, like making an S3 bucket publicly accessible or opening a security group to 0.0.0.0/0. Most don’t come from a malicious commit. They come from a developer in a hurry, a copy-paste from Stack Overflow, or a Terraform module someone wrote two years ago that nobody has reviewed since.

IaC scanning tools check your files for these problems. They let you find and fix misconfigurations before you apply changes to your infrastructure, which is the difference between fixing a typo in a PR and rolling back a security incident.

In this article, we explore 10 of the best IaC scanners across what they scan, how they fit into a CI/CD pipeline, and which open-source projects are still actively maintained.

What is an IaC scanning tool?

An Infrastructure as Code (IaC) scanning tool is a type of software designed to analyze IaC templates and configs to flag misconfigurations, security vulnerabilities, compliance violations, and policy drift before infrastructure gets deployed.

Scanners fall into four overlapping categories:

  • Linters catch syntax errors, formatting issues, and obvious bugs. Fast feedback, low coverage.
  • Static Code Analysis (SCA) reads the code without running it to find deeper misconfigurations.
  • Vulnerability scanners look up known CVEs in the dependencies your IaC pulls in.
  • Static Application Security Testing (SAST) combines SCA and vulnerability scanning into one assessment.

Most teams end up running two tools, not one: a fast linter for developer feedback and a broader scanner in CI. Below, we mark which category each tool fits so you can pick a stack rather than a single product.

Read more: Infrastructure as Code (IaC) Security Best Practices

How we review software at Spacelift

We aim to make our recommendations practical and vendor-neutral. For each tool we include, we evaluate category fit, core capabilities, integrations, documentation quality, security/governance features (when relevant), and pricing transparency. We also reference public review signals to validate common strengths and limitations.

Top 10 IaC scanning tools

IaC scanning tools analyze your infrastructure code and config files to detect potential issues. Here’s our guide to the leading IaC scanners. 

The best IaC scanning tools list includes:

  1. Checkov
  2. KICS
  3. Terrascan
  4. TFLint
  5. tfsec
  6. Trivy
  7. GitLab IaC Scanning
  8. Kubescape
  9. KubeLinter
  10. Spectral

This isn’t an exhaustive index, but we hope it’s a useful starting point for SCA and vulnerability scanning with the most popular IaC tools.

What does each scanner actually scan?

Most teams pick a scanner based on what their pipeline already uses, not on feature lists. Here’s the coverage matrix at a glance. Use it to narrow the list before reading the entries below.

Scanner Terraform CloudFormation Kubernetes Helm Ansible Pulumi Dockerfiles Secrets Live cluster scan
Checkov
KICS
Terrascan ⚠️ (limited)
TFLint
tfsec
Trivy
GitLab IaC ⚠️ (separate scanner)
Kubescape
KubeLinter
Spectral

✅ = supported, ⚠️ = partial or gated behind a paid tier, ❌ = not supported

1. Checkov

Checkov is an open-source IaC static analysis tool from Bridgecrew, which Palo Alto Networks acquired in 2021. Bridgecrew now sits inside Prisma Cloud as the commercial layer, while Checkov itself has stayed free, open source, and the most widely deployed scanner in this list.

Checkov reads Terraform, OpenTofu, Terraform plan output, CloudFormation, AWS SAM, Kubernetes manifests, Helm charts, Kustomize, Dockerfiles, ARM templates, Bicep, Serverless framework files, and OpenAPI specs.

Rules ship in two formats: Python for complex logic that needs the AST, or declarative YAML for simpler checks like tag enforcement, CIDR ranges, or missing arguments. That dual format is the main reason it spreads inside organizations. A security engineer writes the Python rule once, and a platform team can fork and tune the YAML version without touching Python.

Runtime is reasonable on small repos (seconds) and tolerable on large ones (a few minutes for thousands of resources). The GitHub Action, GitLab template, and pre-commit hook are all first-party, so wiring it into CI takes minutes, not hours.

What it catches:

  • Cloud provider misconfigurations across AWS, Azure, GCP, and OCI: open security groups, unencrypted storage, public buckets, missing flow logs, weak TLS settings
  • IAM and access control issues, including wildcard policy actions, missing MFA enforcement, and overly permissive trust relationships
  • Kubernetes manifest issues: privileged containers, missing resource limits, host network or PID use, missing pod security contexts
  • Hardcoded secrets and credentials accidentally committed inside IaC files
  • Custom organizational policies, defined in YAML for tag and naming enforcement, or in Python for anything that needs to walk the resource graph
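As an added illustration of the kind of rule Checkov runs over `terraform show -json` plan output (example code written for this article, not Checkov's own rule code), the script below walks the planned resources, recursing into child modules, and flags two of the misconfigurations named above: a security group that opens an admin port to the world, and a public S3 bucket ACL. The plan JSON is a constructed sample and the two rules are hypothetical, stdlib-only stand-ins for the real checks.

```python
"""Scan `terraform show -json` plan output for two classic misconfigurations."""
import ipaddress
import json
from typing import Iterator

# Constructed sample with the shape of `terraform show -json tfplan`, trimmed to
# the fields a scanner needs: a root module plus one child module.
SAMPLE_PLAN = json.loads(r'''
{
  "format_version": "1.2",
  "planned_values": {"root_module": {
    "resources": [
      {"address": "aws_security_group.web", "type": "aws_security_group",
       "values": {"ingress": [
         {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
         {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}},
      {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
       "values": {"bucket": "logs", "acl": "public-read"}}
    ],
    "child_modules": [{"address": "module.bastion", "resources": [
      {"address": "module.bastion.aws_security_group.ssh", "type": "aws_security_group",
       "values": {"ingress": [
         {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}]}]
  }}
}
''')

ADMIN_PORTS = {22, 3389}                       # SSH and RDP
PUBLIC_ACLS = {"public-read", "public-read-write"}

def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every planned resource, recursing into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def open_to_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0; an unparseable CIDR is treated as open (fail closed)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return True

def rule_ports(rule: dict) -> range:
    """Port range a rule covers; protocol -1 (or ports 0-0) means every port."""
    lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
    if str(rule.get("protocol")) == "-1" or (lo == 0 and hi == 0):
        return range(0, 65536)
    return range(lo, hi + 1)

def check_security_group(res: dict) -> list[str]:
    """Hypothetical rule: no admin port reachable from an unrestricted CIDR."""
    findings = []
    for rule in res["values"].get("ingress") or []:
        ports = rule_ports(rule)
        cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
        for cidr in cidrs:
            hit = [p for p in ADMIN_PORTS if p in ports]
            if hit and open_to_world(cidr):
                findings.append(f"{res['address']}: port(s) {sorted(hit)} open to {cidr}")
    return findings

def check_bucket_acl(res: dict) -> list[str]:
    """Hypothetical rule: no public canned ACL on a bucket."""
    acl = res["values"].get("acl")
    return [f"{res['address']}: public ACL {acl!r}"] if acl in PUBLIC_ACLS else []

CHECKS = {"aws_security_group": check_security_group,
          "aws_s3_bucket_acl": check_bucket_acl}

def scan_plan(plan: dict) -> list[str]:
    """One finding string per violated rule, in plan order (root module first)."""
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        check = CHECKS.get(res["type"])
        if check:
            findings.extend(check(res))
    return findings

if __name__ == "__main__":
    for finding in scan_plan(SAMPLE_PLAN):
        print("FAIL", finding)
```

Note that port 443 open to 0.0.0.0/0 on the web group is not reported, while the same CIDR on port 22 inside `module.bastion` is; a real rule set would also carry a severity and a fix hint per finding.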

Price/license: Free (Open-source). Prisma Cloud sells a paid layer with central dashboards, drift detection, and runtime context.

Website: https://www.checkov.io/ 

Use case example: Checkov Features, Use Cases & Examples

2. KICS

KICS (Keeping Infrastructure as Code Secure) is an open-source scanner from Checkmarx. Where Checkov leans on Python and YAML, KICS leans on a query library. It ships with over 2,400 built-in queries across Terraform, CloudFormation, Pulumi, Ansible, Kubernetes, Helm, Knative, Docker Compose, OpenAPI, and Google Deployment Manager.

The query-as-rule model has trade-offs. Adding a new check means writing a Rego or query file, testing it against KICS’ own test framework, and ideally contributing it back.

That’s slower than Checkov’s YAML format for simple checks but more expressive for chained conditions. Teams that already write OPA policies tend to find KICS’ rule authoring familiar.

The official Docker image is the fastest way to try it. One command scans a directory and produces a JSON, SARIF, or HTML report. Output formats matter here because KICS is often used as the scanner behind a CI dashboard rather than as the dashboard itself. GitLab IaC Scanning, for instance, uses KICS under the hood for several of its supported formats.

What it catches:

  • Misconfigurations across Terraform, CloudFormation, Pulumi, Ansible, Kubernetes, Helm, Docker Compose, and Google Deployment Manager
  • Insecure cloud defaults: S3 ACL exposure, RDS without encryption, public Lambda functions, and missing CloudTrail logging
  • Hardcoded passwords, API keys, and tokens embedded in IaC files
  • CIS Benchmark violations for the major cloud providers
  • Custom queries written in Rego or KICS’ own query format

Price/license: Free (Open source)

Website: https://kics.io/index.html 

3. Terrascan

Terrascan was built by Accurics and then acquired by Tenable in 2021. It scans Terraform, CloudFormation, Kubernetes, Helm, Kustomize, Dockerfiles, and several other formats, with 500+ built-in policies covering CIS Benchmarks, NIST, HIPAA, PCI-DSS, and SOC2.

Project status (2026): Tenable archived the `tenable/terrascan` repository on November 20, 2025. The README now states the project is no longer maintained, will accept no further updates, issues, or pull requests, and invites forks for anyone who wants to continue development. 

Tenable’s commercial focus has moved to Tenable Cloud Security (the broader CNAPP). The final release was v1.19.9. If you’re starting fresh, pick Checkov or Trivy. If Terrascan is already in a pipeline, the binary still runs, but the rule set is frozen and CVE backports have stopped.

What still makes Terrascan interesting is the OPA/Rego rule engine. Custom policies are Rego files that drop into a folder, which is the same model Kubescape and Conftest use. 

If you’ve already written OPA policies for admission control or CI gates, Terrascan reuses them with minor adjustments. The drift detection feature, which compares deployed cloud state against IaC source, was ahead of its time when it shipped, though most teams now get drift checks from their IaC platform rather than from the scanner.

What it catches:

  • Cloud misconfigurations across AWS, Azure, and GCP, for Terraform and CloudFormation
  • Compliance violations mapped to CIS, NIST, HIPAA, PCI-DSS, and SOC2
  • Kubernetes manifest issues such as privileged pods, missing security contexts, and over-permissive RBAC
  • Custom rules written as Rego policies that drop into a folder, reusing whatever OPA library you already have
  • Drift between deployed cloud state and IaC source files, when the optional cloud scanning mode is enabled

Price/license: Free (Open source)

Website: https://www.tenable.com/cloud-security/solutions/iac

Use case example: Terrascan Features, Use Cases & Custom Policies

4. TFLint

TFLint is a Terraform-only linter. It’s the one tool in this list that doesn’t pretend to be a security scanner, and that’s its point. It catches the boring class of bugs that terraform validate misses: deprecated instance types, invalid IAM action strings, unused variables, missing required attributes, and provider-specific gotchas that only surface at apply time.

The provider plugins do the heavy lifting. The AWS plugin alone covers hundreds of provider-specific checks, like flagging an EC2 instance type that was deprecated in a recent AWS region update, or catching an IAM policy with an invalid action name. 

The Azure and GCP plugins do the same for their respective providers. Without the plugins, TFLint is a thin shell. With them, it catches a class of error that no security scanner will tell you about.

Runtime is sub-second on most modules, which is what makes it useful as a pre-commit hook or IDE check. The security scanner runs once in CI, but TFLint runs every time the developer saves the file.

What it catches:

  • Provider-specific errors that terraform validate misses: deprecated instance types, invalid IAM action strings, invalid policy ARNs, missing required attributes
  • Code style issues and unused variables, which keeps PR review focused on logic rather than housekeeping
  • Module structure problems: missing version constraints, unpinned providers, naming convention violations
  • Custom rules written as Go plugins (high effort) or through the OPA integration

Price/license: Free (Open source)

Website: https://github.com/terraform-linters/tflint 

Adoption signals:

  • ~5.7k GitHub stars
  • ~10 releases in the last 12 months

Use case example: How to Lint Your Terraform Code

5. tfsec

Note: Aqua Security has consolidated tfsec into Trivy. Trivy now ships the tfsec HCL scanner as one of its modules, and Aqua has redirected new feature work there. tfsec itself still installs, still runs, and still catches the issues it always caught, but no new rules or fixes are landing. 

If you’re picking a Terraform scanner now, skip directly to Trivy or Checkov.

tfsec was, for a long stretch, the best HCL parser in the open-source IaC scanning space. It walked module references, evaluated expressions, and handled remote modules in a way that early Checkov and Terrascan did not. 

The IDE plugin for VS Code gave Terraform developers inline findings, which was the first time most teams saw security feedback at editor speed rather than CI speed.

That parser is now Trivy’s parser. From a capability standpoint, you’re not losing anything by migrating. You’re trading a feature-frozen CLI for an actively maintained one with broader scope.

What it caught (and still does, with the rules that shipped before the freeze):

  • Terraform misconfigurations for AWS, Azure, GCP, and Kubernetes provider resources
  • Encryption-at-rest gaps for S3, RDS, EBS, and similar services
  • IAM policy issues, including wildcard actions and overly broad trust relationships
  • Public exposure of resources that should stay private: security groups open to 0.0.0.0/0, public storage buckets, publicly accessible databases
  • Inter-resource issues that required walking module references and evaluating HCL expressions, which was tfsec’s original strength

Price/license: Free (open source, feature-frozen)

Website: https://github.com/aquasecurity/tfsec 

Use case example: What is tfsec? How to Install, Config, Ignore Checks

6. Trivy

Trivy is Aqua Security’s flagship scanner and the most actively developed open-source scanner in this list. It started as a container vulnerability scanner and grew into a general-purpose security tool that covers container images, filesystems, Git repositories, Kubernetes clusters, SBOMs, and (since absorbing tfsec) IaC.

For IaC specifically, Trivy scans Terraform, CloudFormation, Kubernetes manifests, Helm charts, Azure ARM templates, Dockerfiles, and Docker Compose files. The Terraform support is the inherited tfsec engine, which means coverage of HCL parsing, module references, and inter-resource expressions is the same as tfsec at its peak.

What makes Trivy interesting beyond IaC is consolidation. One binary covers four scan categories. A single CI step can scan your Terraform, scan the container image your Terraform deploys, scan the Helm chart that schedules it, and emit an SBOM for the dependencies.

Teams that consolidate around Trivy can drop two or three other tools, which matters more for operational simplicity than any individual feature.

What it catches (IaC scope):

  • Terraform, CloudFormation, Kubernetes manifest, Helm chart, Azure ARM, and Dockerfile misconfigurations
  • The same Terraform issues tfsec caught, since Trivy now ships that engine
  • Hardcoded secrets and credentials inside IaC files
  • Misconfigurations evaluated against built-in compliance bundles (CIS Benchmarks, NSA, and similar)
  • Container base image CVEs referenced by your Dockerfile in the same scan run

Price/license: Free (Open source). Aqua sells a paid platform (Aqua Enterprise) on top.

Website: https://trivy.dev/

7. GitLab IaC Scanning

GitLab Infrastructure as Code Scanning is built into GitLab CI/CD. There’s no separate binary to install, no separate dashboard to maintain, and the results appear inline in Merge Requests next to the changes that triggered them. For teams already on GitLab, that integration is the entire selling point.

Under the hood, GitLab IaC Scanning runs KICS for every supported format: Terraform, CloudFormation, Kubernetes, Ansible, Azure ARM (JSON only), Dockerfile, Google Deployment Manager, and OpenAPI. The rule set is KICS’ rule set, which means coverage and update cadence are tied to that project.

The pricing is where it gets specific. Basic IaC scanning is available on GitLab’s Free and Premium tiers, but the features most security teams actually want, like custom rule sets, vulnerability management dashboards, security policies that block MR merges, and compliance frameworks, are gated behind the Ultimate tier. 

The decision isn’t “do I want IaC scanning?” but “is the Ultimate uplift worth it over running KICS directly?”

What it catches:

  • Whatever KICS catches: Terraform, CloudFormation, Kubernetes, Ansible, Azure ARM, Dockerfile, Google Deployment Manager, and OpenAPI misconfigurations
  • Findings rendered inline on the Merge Request, with severity, file and line, and a remediation note
  • High and critical findings that block the MR merge (Ultimate tier, via a security policy)
  • Findings that flow into the cross-project Security Dashboard with trending over time (Ultimate tier)

Price/license: Available across different GitLab pricing tiers, each offering varying features and capabilities

Website: https://docs.gitlab.com/ee/user/application_security/iac_scanning

8. Kubescape

Kubescape is a CNCF incubating project, originally built by ARMO. It scans Kubernetes YAML manifests, Helm charts, and live clusters against named security frameworks: NSA-CISA hardening guide, MITRE ATT&CK for Kubernetes, CIS Kubernetes Benchmark, and SOC2.

The framework-first approach is what sets it apart. Where Checkov and Trivy give you findings keyed to internal rule IDs, Kubescape gives you a compliance score against a named standard. 

For teams that need to show an auditor “we meet the NSA-CISA hardening guide,” that mapping saves real work. The output includes the framework, the control ID, the failing resource, and a remediation snippet.

Live cluster scanning is the second differentiator. Kubescape can run as a CronJob inside the cluster and continuously evaluate workloads as they change. Runtime threat detection went GA in Kubescape 4.0, released at KubeCon Europe 2026, and uses eBPF-based monitoring inside the cluster. That puts Kubescape in the same category as Falco for runtime monitoring, alongside its original shift-left role.

What it catches:

  • Kubernetes manifest and Helm chart misconfigurations evaluated against named frameworks: NSA-CISA, MITRE ATT&CK for Kubernetes, CIS Kubernetes Benchmark, SOC2
  • Pod security issues: privileged containers, host path mounts, dangerous capabilities, missing security contexts
  • RBAC issues such as over-broad ClusterRoleBindings, service accounts with cluster-admin, and unscoped permissions
  • Network policy gaps and Services exposed beyond their intended scope
  • (Live cluster mode) Runtime threats via the eBPF module, including unexpected process execution and file access

Price/license: Free tier (CLI and in-cluster), plus a paid platform from ARMO with hosted dashboards and longer retention.

Website: https://kubescape.io 

9. KubeLinter

KubeLinter is a Kubernetes manifest and Helm chart linter, originally built by StackRox and now maintained by Red Hat. It’s smaller in scope than Kubescape and deliberately so: it doesn’t scan live clusters, it doesn’t ship compliance frameworks, and it doesn’t do runtime monitoring. It lints YAML.

The defaults are the value. KubeLinter ships with a set of opinionated checks that map to known Kubernetes production failures: missing liveness or readiness probes, containers running as root, deployments with a single replica, hostPath volumes, privileged security contexts, and missing resource limits. 

Most are catchable on day one with a kube-linter lint command and zero configuration, which is rare in this space.

Custom checks use a template system. You pick a template (for example, “container property must match value”), set its parameters, and it becomes a rule. That is a lower ceiling than full OPA, but a lower floor too: most teams can write a working custom rule in five minutes.

What it catches:

  • Pods running as root or with privilege escalation enabled
  • Deployments with fewer than the recommended replica count for high availability
  • Missing liveness probes, readiness probes, or resource limits
  • Use of latest image tags and other unpinned versions
  • HostPath volumes and privileged security contexts
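To make the checks in that list concrete, here is an added example (written for this article, not KubeLinter's code, and with hypothetical check names rather than KubeLinter's own IDs) that lints a Deployment the way a manifest linter does: it locates the pod spec, merges pod-level and container-level securityContext, and reports each violated check per container. The Deployment is a constructed sample, represented as the dict a YAML loader would produce.

```python
"""Minimal manifest linter: KubeLinter-style hardening checks over a Deployment."""

# Constructed sample Deployment, deliberately missing most hardening settings.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {
        "replicas": 1,
        "template": {"spec": {
            "volumes": [{"name": "host", "hostPath": {"path": "/var/run/docker.sock"}}],
            "containers": [
                {"name": "app", "image": "example/app:latest",
                 "securityContext": {"privileged": True},
                 "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
                {"name": "sidecar", "image": "example/sidecar@sha256:0123abcd",
                 "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
                 "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
                 "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}}},
            ],
        }},
    },
}

def pod_spec(obj: dict) -> dict:
    """Pod spec for a bare Pod or for any workload that carries a pod template."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})

def is_unpinned(image: str) -> bool:
    """True when the image has no tag or uses :latest; a digest counts as pinned."""
    if "@sha256:" in image:
        return False
    name = image.rsplit("/", 1)[-1]      # drop registry/path, which may contain ':port'
    return ":" not in name or name.endswith(":latest")

def container_findings(c: dict, pod_sc: dict) -> list[str]:
    """Hypothetical check names for one container; container settings override pod ones."""
    sc = {**pod_sc, **c.get("securityContext", {})}
    out = []
    if is_unpinned(c.get("image", "")):
        out.append("latest-tag")
    if sc.get("privileged"):
        out.append("privileged-container")
    if sc.get("allowPrivilegeEscalation") is not False:   # default is allowed
        out.append("privilege-escalation")
    if sc.get("runAsNonRoot") is not True:
        out.append("run-as-non-root")
    if "livenessProbe" not in c:
        out.append("no-liveness-probe")
    if "readinessProbe" not in c:
        out.append("no-readiness-probe")
    limits = c.get("resources", {}).get("limits", {})
    if not {"cpu", "memory"} <= set(limits):
        out.append("unset-resource-limits")
    return out

def lint(obj: dict) -> list[tuple[str, str]]:
    """Return (check, subject) pairs for every violated check in the object."""
    name = obj.get("metadata", {}).get("name", "<unnamed>")
    spec = pod_spec(obj)
    findings = []
    if obj.get("kind") in {"Deployment", "StatefulSet"} and obj["spec"].get("replicas", 1) < 2:
        findings.append(("minimum-replicas", name))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(("host-path", f"{name}/volume:{vol.get('name')}"))
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for check in container_findings(c, pod_sc):
            findings.append((check, f"{name}/{c['name']}"))
    return findings

if __name__ == "__main__":
    for check, subject in lint(SAMPLE_DEPLOYMENT):
        print(f"{check:24} {subject}")
```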

Price/license: Free (Open source)

Website: https://docs.kubelinter.io 

10. Spectral

Spectral is a commercial code security platform from Check Point, which acquired it in February 2022. It’s the only fully paid tool on this list (GitLab Ultimate aside), and it’s pitched at a different buyer: a security organization that wants source code, IaC, container images, and secrets covered in one product, with central reporting and SSO.

For IaC specifically, Spectral scans Terraform, CloudFormation, Kubernetes, Helm, and Ansible files, with rule packs for the major cloud providers and the usual compliance frameworks. The technical coverage overlaps heavily with Checkov and Trivy. 

The difference is what surrounds it: a hosted dashboard, role-based access, integrations with Jira and ServiceNow for ticket routing, and customer support with an SLA.

Pricing is by quote rather than by tier, which is the usual signal for enterprise sales motion. Expect a per-developer or per-repo model and a procurement cycle measured in weeks, not minutes.

What it catches:

  • IaC misconfigurations across Terraform, CloudFormation, Kubernetes, Helm, and Ansible (technical coverage similar to Checkov and Trivy)
  • Hardcoded secrets and credentials in source code, IaC files, and configuration files
  • Exposed secrets in log files and chat tools like Slack and Teams, which is genuinely less common in OSS scanners
  • License and compliance issues in project dependencies
  • Custom rules defined per team or per repo, with findings routed to the appropriate owner

Price/license: Pricing details available upon request

Website: https://spectralops.io 

Where IaC scanning belongs in your pipeline

Run scans in two places: locally for fast feedback, and in CI as the gate before apply. A typical setup for a Terraform stack looks like this:

# GitHub Actions example
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: TFLint (style + deprecated APIs)
        uses: terraform-linters/setup-tflint@v4
      - run: tflint --recursive
      - name: Checkov (security + compliance)
        uses: bridgecrewio/checkov-action@master
        with:
          directory: .
          framework: terraform
          soft_fail: false

The linter runs first because it’s faster and catches the boring stuff. Checkov runs second and fails the build on any high or critical finding. terraform apply only runs if both pass.

Two principles to enforce:

  1. Developers don’t apply locally. All apply runs through CI, behind the scan gate. Local apply skips every check you just paid to install.
  2. Local scans are encouraged. Devs should be able to run checkov -d . or tflint before they push. Catching a violation in the editor is cheaper than catching it in a failed PR.

How to integrate scanning tools with Spacelift?

A platform like Spacelift can help you and your organization fully manage cloud resources within minutes. Spacelift is the infrastructure orchestration platform for the AI-accelerated software era, supporting tools like OpenTofu, Terraform, Ansible, Pulumi, CloudFormation, Kubernetes, and more.

You can use Spacelift and its Custom Inputs feature to integrate tfsec, Checkov, Terrascan, KICS, and others into your workflows.

Security is one of Spacelift’s biggest priorities, so there are also robust security capabilities embedded in the product, like policy as code, encryption, single sign-on (SSO), MFA, and private workers.

Would you like to see this in action? Check out the video below:

Using TFsec and Spacelift to Secure Terraform Code - YouTube

Spacelift includes drift detection capabilities that periodically check your infrastructure for discrepancies compared to your repository’s state. It can then launch reconciliation jobs to restore the correct state, ensuring your infrastructure operates predictably and reliably.

With Spacelift, you get:

  • Policies to control what kind of resources engineers can create, what parameters they can have, how many approvals you need for a run, what kind of task you execute, what happens when a pull request is open, and where to send your notifications
  • Stack dependencies to build multi-infrastructure automation workflows with dependencies, having the ability to build a workflow that, for example, generates your EC2 instances using Terraform and combines it with Ansible to configure them
  • Self-service infrastructure via Blueprints and Templates enabling your developers to do what matters – developing application code while not sacrificing control
  • Creature comforts such as contexts (reusable containers for your environment variables, files, and hooks), and the ability to run arbitrary code
  • Drift detection and optional remediation
  • Spacelift Intelligence for natural language provisioning, diagnostics, and operational insight across both traditional and AI-driven workflows

Read more about integrating security tools with Spacelift. And if you want to learn more about Spacelift, create a free account or book a demo with one of our engineers.

Key points

IaC scanning tools find misconfigurations, vulnerabilities, and compliance issues in your IaC config files. They let you fix possible problems before they reach your live infrastructure resources.

We’ve looked at 10 of the top IaC scanners for protecting your infrastructure deployments. There’s no universal solution because the best option depends on which IaC tools you’re using.

Options such as Checkov and Trivy are good starting points for broad coverage, while more specialist scanners like TFLint and Kubescape provide tailored features for specific IaC platforms.

Frequently asked questions

  • What are some best practices for creating custom policies for IaC scanning tools?

    To create effective custom IaC scanning policies, focus on precision, clarity, and alignment with internal requirements.

    Best practices:

    • Align with standards like CIS or NIST to meet compliance needs
    • Use clear, consistent names to simplify reporting and management
    • Target specific misconfigs with precise conditions to reduce false positives
    • Add fix guidance so developers can quickly resolve issues
    • Version and test policies in source control with real-world IaC samples
  • What is IaC scanning?

    IaC scanning is the automated analysis of infrastructure-as-code files to detect security misconfigurations, compliance violations, and policy risks before deployment.
