3 open source tools compared. Sorted by stars. Scroll down for our analysis.
| Tool | Stars | Velocity | Score |
|---|---|---|---|
| checkov: Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew. | 8.8k | - | 67 |
| tflint: A Pluggable Terraform Linter | 5.8k | - | 64 |
| kics: Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx. | 2.7k | - | 61 |
Checkov scans your infrastructure-as-code for security and compliance problems before you deploy it. Terraform, CloudFormation, Kubernetes manifests, Helm, ARM, and more get checked against thousands of built-in policies: open ports, missing encryption, over-broad IAM. It's open source and free, and it runs in seconds. It's a Python tool you run locally or in CI, and it fails the build when a check trips. The policy library is huge out of the box, and you can write custom policies in Python or YAML. Because it catches misconfigurations at the code stage, you fix them in a pull request instead of discovering them live in production.

Checkov is free. Bridgecrew, now part of Palo Alto's Prisma Cloud, is the commercial platform built around it, adding a dashboard, drift detection, and org-wide policy management. For solo and small teams, the CLI in CI is the whole value. Larger orgs already on Prisma Cloud get Checkov folded into the paid platform.

The catch: thousands of policies means a real signal-to-noise problem on day one. A mature Terraform repo can light up with hundreds of findings, many of them things you've consciously accepted. Budget time to tune the ruleset and suppress what doesn't apply, or your team learns to ignore the whole thing.
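To make the "custom policies in YAML" and "suppress what doesn't apply" points concrete, here is an added example of a custom Checkov policy in Checkov's YAML attribute-check format. It is not code from the page or from the Checkov project; the policy id, name, file path and the "customer-managed key" requirement are assumptions chosen for illustration. It fails any `aws_ebs_volume` that is either unencrypted or encrypted without an explicit KMS key.

```yaml
# Added example, not part of the original page or the Checkov project.
# Assumed file location: policies/ebs_cmk_encryption.yaml
# Assumed id/name: chosen for this illustration, not a built-in Checkov check.
metadata:
  id: "CKV2_CUSTOM_1"                       # custom ids live outside the built-in CKV_* range
  name: "EBS volumes must be encrypted with a customer-managed KMS key"
  category: "ENCRYPTION"                    # one of Checkov's check categories

definition:
  # "and" requires every child condition to hold for the resource to PASS;
  # a volume that breaks either one is reported as FAILED under CKV2_CUSTOM_1.
  and:
    - cond_type: "attribute"
      resource_types:
        - "aws_ebs_volume"
      attribute: "encrypted"
      operator: "equals"
      value: "true"
    - cond_type: "attribute"
      resource_types:
        - "aws_ebs_volume"
      attribute: "kms_key_id"
      operator: "exists"                    # default AWS-managed key is not enough here
```

Load it alongside the built-in library with `checkov -d . --external-checks-dir ./policies`; the build fails on the first FAILED result, which is what gates the pull request. For the tuning work the paragraph describes, Checkov reads an inline comment placed inside a resource block, `#checkov:skip=CKV2_CUSTOM_1:reason text`, so an accepted exception is recorded next to the resource it applies to instead of in a separate ignore list, and `--skip-check` on the command line turns off a check repo-wide when it genuinely does not apply to your environment.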
TFLint catches Terraform mistakes that `terraform validate` misses: invalid instance types, deprecated syntax, unused declarations, and provider-specific errors that would otherwise blow up at apply time. It's a linter built specifically for Terraform, open source and free. It runs as a single binary, locally or in CI, and it's extensible through plugins, one per cloud provider, that add rules specific to AWS, Azure, or GCP resources. Setup is the binary plus the provider plugin you need. It's fast and focused on correctness and best practices rather than security posture.

Fully free, no paid tier. It's not a security scanner, so it complements rather than replaces Checkov or KICS. Run TFLint to catch Terraform errors and style issues, and run a security scanner alongside it for misconfigurations. Together they cover different halves of the problem.

The catch: it only knows Terraform. It won't touch your CloudFormation, Kubernetes, or other IaC, and it's not looking for security issues. Scope it correctly: it makes your Terraform cleaner and catches provider errors early, but it's one tool in a larger IaC quality stack.
KICS finds security vulnerabilities and misconfigurations in infrastructure-as-code, in the same family as Checkov. The name stands for Keeping Infrastructure as Code Secure, and it covers Terraform, Kubernetes, Docker, CloudFormation, Ansible, and more against a large library of queries. Open source, maintained by Checkmarx, free. You run it as a binary or container in CI, and it flags issues with a severity and a description of the fix. Queries are written in a Rego-like format, so you can extend the ruleset for your own standards. It's stateless and fast, built to gate pull requests.

KICS is free and open source. Checkmarx sells a broader commercial application security platform, but KICS stands on its own. In practice the choice is usually Checkov versus KICS: both are strong, Checkov has the larger community and policy library, and KICS covers a slightly different set of platforms. Try both against your repos and keep whichever flags more of what you care about.

The catch: the same noise problem as any IaC scanner. The default ruleset is broad, and an existing codebase will surface plenty of findings you'll want to triage or suppress. The tool is easy; tuning it to your risk tolerance is the actual work.