Top 7 Terraform Scanning Tools You Should Know in 2026

Securing infrastructure starts long before deployment. Terraform scanning tools help detect misconfigurations, security risks, and policy violations before infrastructure is deployed.

In this article, we explore the top Terraform security scanners and how they help teams automate checks and prevent drift in every pipeline.

IaC scanning refers to the automated analysis of Terraform code to detect security, compliance, and configuration issues before deployment. It helps identify misconfigurations, hardcoded secrets, or policy violations in Infrastructure as Code files.

IaC scanning tools analyze .tf files to ensure that resources like IAM roles, security groups, or S3 buckets follow security and compliance best practices.

IaC scanning is typically integrated into CI/CD pipelines or Git workflows to prevent risky infrastructure from being deployed. It supports shift-left security by catching issues early in the development lifecycle.

The most popular Terraform scanning tools include:

1. Terrascan
2. Checkov
3. Tfsec
4. KICS
5. TFLint
6. Trivy
7. Open Policy Agent (OPA)

All of these can be integrated into your Spacelift workflow. We’ll cover that later in the article.

Terrascan is an open-source IaC security scanner maintained by Tenable that analyzes Terraform code pre-deploy to catch misconfigurations against policy-as-code rules, supports multi-cloud targets, and integrates with developer workflows and CI/CD via machine-readable outputs and remote repo scanning.

It uses OPA/Rego policies (built-in and customizable), supports skipping/targeting rules, and can optionally surface container image vulnerabilities referenced in your IaC.

# Scan Terraform in the current directory (default IaC provider) and target AWS policies
terrascan scan -t aws -d .

# CI-friendly example: Terraform scan with SARIF output
terrascan scan -i terraform -o sarif -d .

Key features

• Policy-as-code with OPA/Rego: Write or extend rules in Rego, manage metadata via rule JSON, update local/bundled policies with terrascan init, and selectively skip rules when needed.
• Broad Terraform & multi-cloud coverage: Scans Terraform (HCL2) with provider-specific policies (e.g., -t aws) and supports other IaC types when you need them.
• Built for pipelines and developers: Integrates with GitHub/GitLab and pre-commit, outputs JSON/YAML/JUnit-XML/SARIF for automated gates, and can fetch vulnerability results from major container registries.

Official documentation: https://runterrascan.io/docs/

Read more: What is Terrascan? Features, Use Cases & Custom Policies

Maintenance status: Archived. Tenable stopped maintaining Terrascan and made the GitHub repository read-only on November 20, 2025. Its scanning capabilities now live on inside Tenable Cloud Security.

Terrascan shipped around 500 Rego policies at the time it was archived. The CLI still runs against existing code, but it will not pick up new CVEs, provider changes, or policy updates, so treat it as a reference implementation rather than a tool to adopt in 2026.

Checkov is an open-source static-analysis tool for Infrastructure as Code (IaC) that inspects templates (Terraform, CloudFormation, Kubernetes, Helm, ARM, Serverless, etc.) early in the delivery pipeline to detect misconfigurations, policy violations, and security gaps before deployment.

# Run Checkov against a Terraform directory
checkov -d ./infrastructure/terraform

# Example: scan a Terraform plan (JSON) with SARIF output
terraform plan -out tfplan
terraform show -json tfplan > tfplan.json
checkov -f tfplan.json --output sarif

Key features

• Vast built-in policy library: Supports 1,000+ pre-defined checks across major clouds and templates, including CIS, PCI-DSS and other compliance frameworks
• Graph-based resource relationship analysis: Beyond simple attribute checks, Checkov builds a graph of IaC resources and analyzes dependencies and connections to catch deeper configuration issues
• Flexible CI/CD & workflow integration: Easily plugs into GitHub, GitLab, pre-commit hooks, IDEs, and supports output formats like JSON, JUnit-XML, SARIF to fit DevOps pipelines

Maturity: Maintained by Prisma Cloud (Palo Alto Networks) under the Apache 2.0 license, with one of the largest built-in policy libraries of any open-source IaC scanner. Checkov 3.0 added graph-based policies that evaluate relationships between resources, not just single attributes.

The standalone CLI is free with no scan limits. The paid value sits in Prisma Cloud, which wraps Checkov with centralized policy management and pull-request annotations, not in the binary itself.

Official documentation: https://www.checkov.io 

Read more: What is Checkov? Features, Use Cases & Examples

tfsec is an open-source Terraform security scanner (from Aqua Security) that performs static analysis on HCL to flag risky or non-compliant configurations before apply. It remains available as a standalone CLI, but its scanning engine has been folded into Aqua’s Trivy, so most new development happens there.

# Scan the current Terraform project and emit SARIF for CI code scanning
tfsec . --format sarif

Key features

• Terraform-first analysis: Uses the official HCL parser, runs fast and locally without cloud creds or state, and targets misconfigurations across major providers.
• Flexible outputs & CI hooks: Exports results as JSON, CSV, Checkstyle, JUnit, and SARIF, and ships a ready-to-use GitHub Action for pipeline gating.
• Custom rules via simple JSON/YAML: Add org-specific policies with *_tfchecks.json|yaml in .tfsec/, or load rules via --custom-check-dir / --custom-check-url.

Official documentation: https://github.com/aquasecurity/tfsec

Read more: What is tfsec? How to Install, Config, Ignore Checks

Status: Aqua Security redirected active tfsec development into Trivy starting in 2023. The tfsec CLI still runs, but engineering attention and all new rules now go to Trivy.

tfsec earns a place on this list mainly because many teams already have it wired into older pipelines. If you are starting fresh, go straight to Trivy.

KICS is a free, open-source static-analysis engine designed for Infrastructure as Code (IaC) that inspects your configuration files (Terraform, Kubernetes manifests, CloudFormation, Ansible, Pulumi, Helm charts and more) before deployment to detect misconfigurations, compliance issues and security risks across diverse platforms.

# Scan a directory of Terraform / IaC files with KICS
docker run -v "$(pwd)":/path checkmarx/kics:v2.1.20 scan -p /path -o /path/results

# CLI-only example
kics scan -p ./infrastructure/terraform -o ./scan-output.json --report-formats json

Key features

• Wide platform support & broad rule library: Works with Terraform, CloudFormation, Kubernetes, Pulumi, Dockerfile, Ansible and more, and ships with 2,400+ built-in queries for misconfiguration and compliance detection.
• Extensible query-engine: Every check is defined as a query you can edit, add or disable – enabling customised policies, specialised compliance frameworks and fine-tuned filtering.
• CI/CD / developer-friendly integrations: Easy to embed into pipelines (Docker, CLI, GitHub Actions/VSCode), produce JSON/SARIF/HTML outputs, and shift left IaC security into dev and PR workflows.
  

Official documentation: https://docs.kics.io/latest/getting-started/

Maturity: Maintained by Checkmarx, ~2.6k GitHub stars, 2,400+ built-in queries spanning Terraform, Kubernetes, CloudFormation, Ansible, Pulumi, Helm, and more.

In practice: KICS is the strongest fit when one engine has to cover many IaC formats in the same pipeline. One 2026 caution — the KICS GitHub Action and Docker Hub images were hit by the TeamPCP supply chain attacks in March and April 2026, so pin to verified digests rather than floating tags like @latest.

TFLint is a pluggable linter for Terraform that statically analyzes HCL to catch provider-specific mistakes (e.g., invalid instance types), deprecated syntax, unused declarations, and best-practice drifts.

It works via rule plugins for major clouds (AWS, Azure, GCP) and lets you enable/disable rules or tune behavior in a .tflint.hcl config, with machine-readable outputs like JSON, JUnit, Checkstyle, and SARIF for CI. 

# 1) Configure plugins in .tflint.hcl, then install them
tflint --init

# 2) Lint a Terraform project and emit SARIF for code scanning
tflint . --format sarif

Key features

• Pluggable, cloud-aware rules: Add AWS/Azure/GCP rulesets to validate resource types, parameters, and provider quirks before terraform apply.
• Configurable policy control: Manage which rules run (or are skipped) in .tflint.hcl, with CLI flags like --only, --enable-rule, and --disable-rule to tailor signal to your repo.
• CI-ready outputs: Choose formats including json, checkstyle, junit, compact, and sarif to integrate with code scanning and quality gates.
  

Official documentation: https://github.com/terraform-linters/tflint

Scope: TFLint is a linter, not a security scanner. It catches provider-specific mistakes, deprecated syntax, and unused declarations before terraform apply, but it does not flag security misconfigurations the way Checkov or Trivy do. Most teams run TFLint alongside a security scanner, not instead of one.

Read more: What is TFLint and How to Lint Your Terraform Code

Trivy is a unified open-source security scanner that goes beyond containers. It inspects code repositories, file systems, VM images, Kubernetes clusters, and Infrastructure as Code (IaC) files (Terraform, CloudFormation, ARM, Helm) to spot vulnerabilities and misconfigurations in one workflow. It’s the successor to tfsec for IaC checks.

# Scan a Terraform / IaC directory for misconfigurations and violations
trivy config ./infrastructure/terraform

# Scan with specific checks (vuln + misconfig) and JSON output for CI
trivy fs --scanners vuln,misconfig --format json ./infrastructure

Key features

• All-in-one scanning coverage: Trivy supports IaC misconfigurations, container image vulnerabilities, secrets detection, and software licenses, so you don’t need multiple tools for DevOps security.
• Wide format & platform support: It detects Terraform (“.tf”/”.tfvars”), CloudFormation, Kubernetes YAML/JSON, Helm charts and more; it auto-detects file types and applies the right policies. 
• CI/CD and workflow integration: Lightweight binary, no heavy dependencies, outputs like JSON/SARIF, easily integrates into GitHub Actions, pipelines and IDEs — supports ‘shift left’ security. 

Maturity:  ~31.7k GitHub stars, actively maintained by Aqua Security. Trivy is the successor to tfsec for IaC checks and now covers misconfigurations, container image vulnerabilities, dependencies, secrets, and Kubernetes from one binary.

Migrating from tfsec: trivy config . on a Terraform directory gives you the coverage tfsec provided, and tfsec inline suppressions carry over. As with KICS, the Trivy GitHub Action was compromised in the March 2026 TeamPCP supply chain incident (CVE-2026-33634), so pin to a known-good commit SHA rather than a mutable tag.

Official documentation: https://trivy.dev/latest/ 

Open Policy Agent (OPA) is an open-source, general-purpose policy engine that lets you write policy-as-code using a high-level declarative language called Rego and evaluate those policies across your infrastructure, applications, CI/CD pipelines, and cloud environment. 

It decouples the “what-can-happen” questions from the business logic of services, enabling teams to manage and update policies in one place, push changes instantly, and ensure consistent enforcement across multiple systems.

OPA itself is not a Terraform “scanner”, as it evaluates policies. Enforcement is typically wired in via tools like Conftest, CI steps, or platform integrations (e.g., HCP Terraform or Spacelift).

package terraform.safe_resources

import rego.v1

deny contains msg if {
  some change in input.resource_changes
  change.type == "aws_instance"
  not change.change.after.tags["Owner"]
  msg := sprintf("Resource %v missing Owner tag", [change.address])
}

Using the above example, OPA evaluates a Terraform plan (in JSON form) and returns the deny messages if any AWS instances don’t include an Owner tag.

Key features

• Unified policy language across systems: Write Rego once and apply it to Kubernetes, APIs, infrastructure, microservices, and pipelines, avoiding fragmented rule sets.
• Separation of policy decision-making and enforcement: OPA handles the logic, while your services focus on execution, so policy updates don’t require redeploying application code.
• Enterprise-ready auditing and governance: OPA gives you decision logs, reusable policy bundles, and the ability to test policies in isolation, offering transparency and traceability for compliance.

Official documentation: https://www.openpolicyagent.org/docs/

When to reach for it: Use OPA when off-the-shelf rule packs like Checkov or Trivy cannot express the policy you need, for example tag governance, cost guardrails, or approval logic tied to your own data. The tradeoff is that you write and maintain the Rego yourself, so most teams pair OPA with a scanner rather than replacing one.

Read more: How to Use Open Policy Agent (OPA) with Terraform

Security is a core part of the product, so Spacelift embeds security features like policy as code, encryption, single sign-on (SSO), multi-factor authentication (MFA), and private worker pools alongside the scanner integrations above.

A platform like Spacelift can help you and your organization fully manage cloud resources within minutes. Spacelift is an infrastructure management platform that supports tools like OpenTofu, Terraform, Terragrunt, Pulumi, CloudFormation, Ansible, Kubernetes, and more.

You can run scanners in Spacelift via run hooks (before/after init/plan), reusable Contexts (to provide binaries/config), custom runner images, and Rego policies for gating.

Would you like to see this in action? Check out the video below: 

Spacelift includes drift detection capabilities that periodically check your infrastructure for discrepancies compared to your repository’s state. It can then launch reconciliation jobs to restore the correct state, ensuring your infrastructure operates predictably and reliably.

With Spacelift, you get:

• Policies to control what kind of resources engineers can create, what parameters they can have, how many approvals you need for a run, what kind of task you execute, what happens when a pull request is open, and where to send your notifications
• Stack dependencies to build multi-infrastructure automation workflows with dependencies, having the ability to build a workflow that, for example, generates your EC2 instances using Terraform and combines it with Ansible to configure them
• Self-service infrastructure via Blueprints and Templates, enabling your developers to do what matters – developing application code without sacrificing control
• Reusable configuration via Contexts (containers for your environment variables, files, and hooks), and the ability to run arbitrary code
• Drift detection and optional remediation

Read more about integrating security tools with Spacelift. And if you want to learn more about Spacelift, create a free account or book a demo with one of our engineers.

Terraform scanning is about proactive security and reliability, not just about syntax. 

The tools we’ve reviewed in the article automate policy enforcement, catch errors before deployment, and integrate directly into developer workflows. By shifting checks left, they turn security into part of daily coding, helping teams deliver infrastructure faster and safer without manual reviews or last-minute surprises.