
Best Terraform Security Scanners 2026: A Practitioner's Comparison

Checkov, Trivy, Snyk IaC, AWS Trusted Advisor, and ArchGuard compared side-by-side: how each works, what it actually catches, where it stops, and which tool belongs in which part of your security stack.

May 27, 2026 · 16 min read · #terraform #security #checkov #trivy #snyk #iac

The Terraform security tooling landscape in 2026 has more options than ever — and more confusion about what each tool actually does. Checkov, Trivy, Snyk IaC, AWS Trusted Advisor: these are all described as “Terraform security scanners,” but they answer fundamentally different questions, operate at different layers, and fail in different ways.

One tool asking “is this S3 bucket encrypted?” is not the same as a tool asking “is this architecture appropriately secured for a HIPAA-scoped workload?” Both questions matter. Neither tool alone answers both. Understanding where each tool operates — and where it stops — is the prerequisite to building a security stack that actually covers your risk surface.

There are also tools you should migrate away from. Terrascan was archived in November 2025. tfsec has been deprecated and absorbed into Trivy since 2023. If your CI pipeline still references either of these, this post covers the migration paths.

This comparison covers six tools: Checkov, Trivy (including the tfsec migration), Snyk IaC, Terrascan, AWS Trusted Advisor, and ArchGuard. For each, we cover how it works technically, what category of findings it produces, its limitations, and who it is built for. The comparison table gives you the quick view; the individual sections give you the depth.

Linters catch the WHAT.
Architecture reviews catch the WHY.

The most effective Terraform security stack combines both — each answering a question the other cannot.

How we evaluated these tools

Each tool was evaluated across six dimensions that matter most to practitioners building a Terraform security workflow:

1. Type — what category of analysis the tool performs: static config linting, runtime advisory, or architectural review.
2. WAF coverage — whether findings are mapped to the AWS Well-Architected Framework pillars, not just to CVE or rule IDs.
3. Terraform native — whether the tool reads Terraform HCL source directly (static analysis) or only evaluates deployed AWS state.
4. CI integration — whether the tool can block pull requests in GitHub Actions, GitLab CI, or similar pipelines.
5. Output — what the tool produces: a CLI exit code, a JSON report, a dashboard, or a structured PDF.
6. Maintenance status — whether the tool is actively maintained and receiving new rules as of 2026.

The comparison at a glance

The table covers the five currently active tools. Terrascan is excluded because it was archived in November 2025 and should not be in any new Terraform security stack. tfsec is not a separate row — it is now Trivy; the migration path is covered in the Trivy section.

| Tool | Type | WAF coverage | TF native | Output | Price |
|---|---|---|---|---|---|
| Checkov | Config linter | No | Yes | CLI / JSON / JUnit XML | Free (OSS) |
| Trivy | Multi-scanner | No | Yes | CLI / JSON / SARIF | Free (OSS) |
| Snyk IaC | Config linter | No | Yes | Dashboard / HTML | $25+ / dev / mo |
| AWS Trusted Advisor | Runtime advisor | Partial — Security + Cost only | No | AWS Console | $100+ / mo (Business Support) |
| ArchGuard | Architecture review | Yes — all 4 active pillars | Yes | PDF report | $49 – $399 / mo |

CI integration: Checkov, Trivy, and Snyk IaC all support blocking PR pipelines. ArchGuard integrates into CI for report generation but is not designed as a PR gate. AWS Trusted Advisor has no CI integration — it reads live account state only.

1. Checkov (Prisma Cloud / Bridgecrew)

Config linter · Open source · Free

Checkov is the most widely adopted static analysis tool for Terraform. It was developed by Bridgecrew and is now maintained under the Prisma Cloud umbrella, though the core tool remains open source under the Apache 2.0 license. As of 2026 it has over 1,000 Terraform-specific rules covering IAM, networking, encryption, logging, and more — the broadest rule library of any Terraform-native scanner.

How it works: Checkov parses your Terraform HCL and evaluates each resource configuration against a library of deterministic rules. Each rule checks a specific attribute or combination of attributes — for example, whether http_tokens = "required" is set in an EC2 instance’s metadata_options block (CKV_AWS_79) or whether a Security Group has ingress rules opening port 22 to 0.0.0.0/0 (CKV_AWS_25). Rules are evaluated per resource in isolation — there is no cross-resource or workload-context analysis.

What it catches well: Individual resource misconfigurations that have a clear right/wrong answer regardless of workload context. S3 buckets without encryption, RDS instances without deletion protection, IAM roles with wildcard actions, Security Groups with overly broad ingress rules — all of these produce consistent Checkov findings across any Terraform codebase.

Where it stops: Checkov evaluates resources individually. It cannot evaluate whether the combination of an EC2 instance, its IAM role, and the S3 buckets that role can access creates an unacceptable blast radius. It does not know whether a resource is in production or development. It does not map findings to AWS Well-Architected Framework pillars or provide remediation context specific to your workload. For these reasons, a clean Checkov run does not mean your architecture would pass a WAF review — it means your individual resources are configured according to the rule library.

CI integration: Checkov has first-class GitHub Actions support via the bridgecrewio/checkov-action and a pre-built GitLab CI template. It can block pull requests on any severity threshold, output to JUnit XML for pipeline reporting, and write SARIF files for GitHub Advanced Security.

Best for: Every Terraform repository. Checkov is a foundational layer of any Terraform security stack — fast enough to run on every pull request, broad enough to catch the most common misconfigurations, and free. The question is not whether to use Checkov but what to use alongside it.

checkov.sh

```bash
# Install Checkov
pip install checkov

# Scan a Terraform directory
checkov -d ./infra

# Keep only HIGH and CRITICAL findings and write JUnit XML for CI.
# Severity names (LOW/MEDIUM/HIGH/CRITICAL) resolve only when Checkov can reach
# the Prisma Cloud / Bridgecrew API (--bc-api-key); without an API key, select
# checks by ID as in the next command.
checkov -d ./infra \
  --framework terraform \
  --check HIGH \
  --output junitxml \
  --output-file-path results   # a directory; Checkov writes results_junitxml.xml into it

# Run specific checks only (e.g. IAM, S3, EC2 rules)
checkov -d ./infra \
  --check CKV_AWS_8,CKV_AWS_19,CKV_AWS_57,CKV_AWS_79
```

Checkov runs in seconds on a typical Terraform repo. The JUnit XML output integrates with most CI dashboard tools.

2. Trivy (and the tfsec migration)

Multi-scanner · Open source · Free

Trivy is an open-source security scanner maintained by Aqua Security. In its IaC mode (trivy config), it evaluates Terraform, CloudFormation, Kubernetes manifests, Dockerfile, and Helm charts. For teams that scan containers and OS packages as well as IaC, Trivy is a practical consolidation: one tool, one output format, one CI step.

If you are still using tfsec: tfsec has been deprecated since 2023 and is now in maintenance mode. Its rules and functionality are part of Trivy. The migration is a single command change: tfsec ./infra becomes trivy config ./infra. Severity flags, output formats, and ignore annotations transfer directly. New security rules are only being added to Trivy — not to the tfsec repository.

How it works: Like Checkov, Trivy in config mode performs static analysis against rule definitions. The rules are written in Rego (OPA policy language) for custom policies, and the built-in library covers the major cloud providers, Kubernetes, and Dockerfile. For Terraform specifically, Trivy’s rule coverage is comparable to tfsec’s original library.

Where Trivy adds value over Checkov: If your deployment pipeline builds container images alongside your Terraform, Trivy can scan both in the same workflow. It detects secrets embedded in IaC files, evaluates container image vulnerabilities, and produces a unified SBOM. For teams where IaC and container security are handled by the same person or team, this consolidation has real operational value.

Where it stops: The same boundary applies as Checkov: individual resource configuration, no WAF pillar mapping, no workload context, no blast radius analysis. Trivy does not evaluate architectural patterns — it evaluates individual resource attributes.

Best for: Teams already using Trivy for container scanning who want a single tool across their full stack. Teams migrating from tfsec. Teams that want SARIF output for GitHub Advanced Security code scanning integration.

trivy.sh

```bash
# Install Trivy (macOS)
brew install aquasecurity/trivy/trivy

# Scan Terraform IaC — replaces tfsec as of Trivy v0.44+
trivy config ./infra/

# Filter to CRITICAL and HIGH only
trivy config --severity CRITICAL,HIGH ./infra/

# SARIF output for GitHub Advanced Security code scanning
trivy config \
  --format sarif \
  --output trivy-results.sarif \
  ./infra/

# Migration note: tfsec commands map directly
# tfsec ./infra                  →  trivy config ./infra
# tfsec --severity HIGH ./infra  →  trivy config --severity HIGH ./infra
```

Trivy's IaC scanning is a drop-in replacement for tfsec. The migration is a single command change.

3. Snyk IaC

Config linter · Commercial · $25+ / dev / mo

Snyk IaC is the infrastructure-as-code component of Snyk’s broader developer security platform. It supports Terraform, CloudFormation, Kubernetes, ARM templates, and Helm. For organisations already using Snyk for open-source vulnerability scanning or container security, adding IaC scanning consolidates findings into a single dashboard — which is its main practical advantage over the free alternatives.

How it works: Snyk IaC performs static analysis against a library of security rules, similar to Checkov and Trivy. It integrates with source control (GitHub, GitLab, Bitbucket) to show findings inline in pull requests and maintains a persistent dashboard of open issues across all repositories. At the organisation level, security engineers can define custom policies and severity overrides that apply across all projects.

Where it adds value: For engineering organisations with multiple teams and repositories, Snyk IaC’s dashboarding and policy management provide visibility that a per-repo CLI tool cannot. Security leads can track which repositories have open HIGH findings, enforce custom severity thresholds across the org, and see trends over time. The report generation is also stronger than Checkov or Trivy for non-technical stakeholders — the HTML reports are readable by engineering managers who are not comfortable reading JUnit XML.

The cost consideration: Snyk IaC is priced per developer, not per scan or repository. At $25+ per developer per month, a 20-person engineering team is looking at $500+/month for IaC scanning alone. For the same functionality at the individual resource level, Checkov and Trivy are free. The Snyk premium is for the dashboard, the policy management, and the unified platform — not for more comprehensive analysis.

Where it stops: Same boundary as Checkov and Trivy: individual resource configuration. Snyk IaC does not evaluate WAF pillars, cross-resource patterns, blast radius, or architectural soundness. Its findings are the same category as Checkov findings — more polished reporting, same analytical depth.

Best for: Engineering organisations already on the Snyk platform for code and container security, where consolidating IaC findings into the same dashboard has real operational value. Not a strong choice for individual teams or startups where Checkov or Trivy cover the same analytical ground for free.

snyk-iac.sh

```bash
# Authenticate (one-time)
snyk auth

# Scan IaC — Terraform, CloudFormation, Kubernetes
snyk iac test ./infra/

# Filter by severity threshold
snyk iac test ./infra/ --severity-threshold=high

# Upload the results to the Snyk platform as a shareable report (requires a Snyk account)
snyk iac test ./infra/ --report
```

Snyk IaC requires authentication against a Snyk account. The free tier has limited project scans per month.

4. Terrascan — Archived November 2025

Archived · Migrate to Checkov or Trivy

Terrascan was an open-source IaC security scanner developed by Accurics, later acquired by Tenable. It supported Terraform, CloudFormation, Kubernetes, and Helm, and used OPA-based policy definitions. In November 2025, Tenable archived the Terrascan repository — no new rules, no bug fixes, no maintenance.

The migration is not complex. Terrascan’s command-line interface is similar to both Checkov and Trivy — the main effort is replacing the CI step definition and validating that the new scanner catches the same finding categories in your specific Terraform. A parallel run during the migration period (old scanner and new scanner on the same branch) is the safest approach.
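A parallel run is only useful if the two outputs are compared systematically rather than eyeballed. The Python script below is an added example, not code from Terrascan, tfsec, Checkov or Trivy: it normalises each scanner's JSON report into the set of resource addresses it flagged and lists what the retired scanner flagged that the replacement does not flag at all. The Checkov (`-o json`) and Trivy (`--format json`) field names are the ones those tools emit; the Terrascan report shape, every rule ID, and all three sample reports are constructed for the example. The same comparison serves the tfsec-to-Trivy migration described in the Trivy section.

```python
import json

# Constructed sample reports. Checkov `-o json` and Trivy `--format json`
# shapes as those tools emit them; the Terrascan shape is an assumption.
# Rule IDs are sample values, not a claim about which rule fires on what.
CHECKOV_JSON = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {"check_id": "CKV_AWS_79", "resource": "aws_instance.api", "file_path": "/main.tf"},
            {"check_id": "CKV_AWS_25", "resource": "aws_security_group.api", "file_path": "/main.tf"},
        ],
    },
})

TRIVY_JSON = json.dumps({
    "SchemaVersion": 2,
    "Results": [{
        "Target": "main.tf", "Class": "config", "Type": "terraform",
        "Misconfigurations": [
            {"ID": "AVD-AWS-0028", "Severity": "HIGH", "Status": "FAIL",
             "CauseMetadata": {"Resource": "aws_instance.api"}},
            {"ID": "AVD-AWS-0000", "Severity": "HIGH", "Status": "FAIL",  # placeholder ID
             "CauseMetadata": {"Resource": "aws_s3_bucket.logs"}},
        ],
    }],
})

TERRASCAN_JSON = json.dumps({  # assumed shape: results.violations[]
    "results": {"violations": [
        {"rule_id": "AC_AWS_0001", "severity": "HIGH", "resource_type": "aws_instance", "resource_name": "api"},
        {"rule_id": "AC_AWS_0002", "severity": "MEDIUM", "resource_type": "aws_security_group", "resource_name": "api"},
        {"rule_id": "AC_AWS_0003", "severity": "HIGH", "resource_type": "aws_s3_bucket", "resource_name": "logs"},
    ]},
})


def checkov_flagged(report_text):
    """Resource addresses with at least one failed check. Checkov emits a list of
    per-framework reports when more than one framework produced results."""
    report = json.loads(report_text)
    reports = report if isinstance(report, list) else [report]
    return {c["resource"] for r in reports for c in r["results"]["failed_checks"]}


def trivy_flagged(report_text):
    """Resource addresses from Trivy config-scan misconfigurations with Status FAIL."""
    report = json.loads(report_text)
    return {m["CauseMetadata"]["Resource"]
            for result in report.get("Results", [])
            for m in result.get("Misconfigurations", [])
            if m.get("Status", "FAIL") == "FAIL"}


def terrascan_flagged(report_text):
    """Resource addresses from Terrascan violations (assumed field names)."""
    report = json.loads(report_text)
    return {f'{v["resource_type"]}.{v["resource_name"]}' for v in report["results"]["violations"]}


def coverage_gap(old_flagged, new_flagged):
    """Resources the retired scanner flagged that the replacement does not flag
    at all. Non-empty means: review the rule mapping before removing the old step."""
    return sorted(old_flagged - new_flagged)


def migration_report(old_flagged, candidates):
    """Gap per candidate replacement, plus the gap if all candidates run together."""
    report = {name: coverage_gap(old_flagged, flagged) for name, flagged in candidates.items()}
    report["+".join(candidates)] = coverage_gap(old_flagged, set().union(*candidates.values()))
    return report


if __name__ == "__main__":
    old = terrascan_flagged(TERRASCAN_JSON)
    print(migration_report(old, {"checkov": checkov_flagged(CHECKOV_JSON),
                                 "trivy": trivy_flagged(TRIVY_JSON)}))
```

On the sample, each replacement on its own leaves one resource unflagged and the two together leave none, which is the pattern to expect when two rule libraries are not one-to-one. A non-empty gap on real reports does not mean the new scanner is wrong; it means a rule mapping, or a deliberate drop, needs a recorded decision before the old CI step is deleted.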

5. AWS Trusted Advisor

Runtime advisor · AWS Support required · $100+ / mo

AWS Trusted Advisor is a runtime advisory service built into the AWS console. It evaluates your deployed AWS account against a set of best-practice checks across Security, Reliability, Cost Optimization, Performance, and Service Limits. Full access to all checks requires an AWS Support plan at the Business or Enterprise tier — the Free tier provides access to roughly seven checks.

Why it is not a Terraform scanner: Trusted Advisor does not read Terraform source files. It reads the live deployed state of your AWS account — what is actually running, not what is defined in HCL. This means it cannot be integrated into a CI/CD pipeline to evaluate changes before they deploy. It finds configuration issues that are already in production. By the time Trusted Advisor flags an issue, it has already been deployed and potentially been running for days or weeks.

What it covers: Trusted Advisor provides partial Well-Architected coverage, primarily across the Security and Cost Optimization pillars. It will flag S3 buckets with public access enabled, IAM users without MFA, EC2 instances that appear underutilised from a cost perspective, and Security Group rules that open ports broadly. It does not provide the architectural context of a WAF review — findings are per-check, not organised by pillar or blast radius.

The access requirement: For most AWS accounts, the relevant Trusted Advisor security and fault tolerance checks require AWS Business Support at $100+/month (or 10% of monthly AWS spend, whichever is higher). For a startup with a $500/month AWS bill, that is a 20% uplift for advisory checks that Checkov and Trivy provide for free against Terraform source.

Best for: Ongoing runtime monitoring as a complement to static analysis — not as a replacement. Teams on Business or Enterprise support who want continuous automated checks against their live account alongside their CI-based static analysis. Not a substitute for pre-deployment IaC scanning.

6. ArchGuard

Architecture review · WAF-aligned · $49–$399 / mo

ArchGuard operates at a different layer from the config linters above. Where Checkov, Trivy, and Snyk IaC ask “is this resource configured correctly?”, ArchGuard asks “is this architecture sound for this workload?” — against the AWS Well-Architected Framework across Security, Reliability, Cost Optimization, and Operational Excellence.

How it works: You upload your Terraform to ArchGuard (or connect it via CI), optionally describe your workload context (production, staging, data sensitivity), and receive a structured PDF report with findings mapped to WAF pillars. Each finding includes the affected resource, severity, blast-radius context, and an HCL remediation example. Unlike config linters, ArchGuard evaluates cross-resource patterns — an EC2 instance, the IAM role it uses, and the S3 resources that role can reach are evaluated as a combined pattern, not as isolated resources.

What it catches that linters miss: The findings that fall into the gap between individual resource compliance and architectural soundness. An EC2 instance with IMDSv2 enforced passes every Checkov check for that resource — but if its IAM role grants unrestricted access to all S3 buckets in the account, the architectural risk is significant regardless of the metadata protection. ArchGuard evaluates the combination. See the code example below.

Output format: ArchGuard produces a PDF report — not a CLI exit code or a JSON file. This is intentional. The output is designed to be readable by CTOs, engineering managers, and compliance reviewers, not just the engineer who ran the scan. The WAF pillar structure maps directly to the format the AWS Well-Architected Tool produces, which matters for DD preparation and compliance documentation.

Best for: Production architecture reviews, pre-DD infrastructure preparation, compliance documentation for SOC 2 or ISO 27001, and any context where a CTO or auditor needs a stakeholder-readable report rather than a raw findings list. ArchGuard complements Checkov and Trivy — it is not a replacement for CI-based config linting.

Example: both resources pass all Checkov rules. The architectural review flags the combination.

api-infra.tf

```hcl
# Each resource below is individually valid and passes Checkov's per-resource
# checks. An architecture review catches the combination: an EC2 instance with
# IMDSv2 enforced but a role that grants full S3 read/write to every bucket in
# the account. SSRF protection is irrelevant when the role already has maximum
# blast radius.

# The role and instance profile that link the instance to the policy below.
resource "aws_iam_role" "api" {
  name = "api-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_instance_profile" "api" {
  name = "api-profile"
  role = aws_iam_role.api.name
}

# ✓ Checkov CKV_AWS_79 passes — IMDSv2 enforced
resource "aws_instance" "api" {
  ami           = "ami-0abcdef1234567890"
  instance_type = "t3.large"

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  iam_instance_profile = aws_iam_instance_profile.api.name
}

# ✓ Checkov passes — actions are not wildcards
# Architecture review flags: Resource = "*" gives this role access to
# every S3 bucket in the account, not just the application bucket.
resource "aws_iam_role_policy" "api_s3" {
  name = "api-s3"
  role = aws_iam_role.api.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"]
      Resource = "*"
    }]
  })
}
```

Checkov CKV_AWS_79 passes (IMDSv2 enforced). Checkov also passes the IAM policy — the actions are not wildcards. But Resource: "*" grants this role access to every S3 bucket in the account. An architecture review evaluates the combination.
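The difference between the two kinds of check is easiest to see in code. The Python script below is an added example, not part of the original post and not Checkov's or ArchGuard's code: it runs three linter-style checks that look at one resource at a time (the IMDSv2, wildcard-action and open-port-22 ideas from the Checkov section), then one cross-resource check that follows an instance to its instance profile, role and inline policies. The input is a constructed dict in a simplified plan-like shape; the addresses, names and policy body are made up. On this input the per-resource pass finds only the security group, and only the cross-resource pass flags the Resource "*" S3 grant reachable from the instance.

```python
import json

# Constructed sample in a simplified plan-like shape: address -> {"type", "values"}.
# Attribute names follow the AWS provider; addresses, names and the policy body
# are made up for this example and do not come from a real account.
INFRA = {
    "aws_instance.api": {"type": "aws_instance", "values": {
        "iam_instance_profile": "api-profile",
        "metadata_options": [{"http_endpoint": "enabled", "http_tokens": "required"}]}},
    "aws_iam_instance_profile.api": {"type": "aws_iam_instance_profile", "values": {
        "name": "api-profile", "role": "api-role"}},
    "aws_iam_role.api": {"type": "aws_iam_role", "values": {"name": "api-role"}},
    "aws_iam_role_policy.api_s3": {"type": "aws_iam_role_policy", "values": {
        "role": "api-role",
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
            "Resource": "*"}]})}},
    "aws_security_group.api": {"type": "aws_security_group", "values": {
        "ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}},
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


# --- Layer 1: per-resource checks, each resource seen in isolation (linter style) ---

def check_imdsv2(addr, res):
    """Every aws_instance must set http_tokens = "required" (the CKV_AWS_79 idea)."""
    if res["type"] != "aws_instance":
        return None
    opts = res["values"].get("metadata_options") or [{}]
    return None if opts[0].get("http_tokens") == "required" else f"{addr}: IMDSv2 not enforced"


def check_wildcard_actions(addr, res):
    """No "*" or "service:*" action in an inline role policy."""
    if res["type"] != "aws_iam_role_policy":
        return None
    for stmt in json.loads(res["values"]["policy"])["Statement"]:
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"])):
            return f"{addr}: wildcard action in policy"
    return None


def check_ssh_open(addr, res):
    """No ingress rule covering port 22 from 0.0.0.0/0 (the CKV_AWS_25 idea)."""
    if res["type"] != "aws_security_group":
        return None
    for rule in res["values"].get("ingress", []):
        if rule["from_port"] <= 22 <= rule["to_port"] and "0.0.0.0/0" in rule["cidr_blocks"]:
            return f"{addr}: port 22 open to 0.0.0.0/0"
    return None


def run_linter(infra):
    """Evaluate each resource on its own; no check ever sees a second resource."""
    findings = []
    for addr, res in infra.items():
        for check in (check_imdsv2, check_wildcard_actions, check_ssh_open):
            finding = check(addr, res)
            if finding:
                findings.append(finding)
    return findings


# --- Layer 2: cross-resource check (architecture-review style) ---

def instance_policies(infra, instance_addr):
    """Follow instance -> instance profile -> role -> inline role policies."""
    profile = infra[instance_addr]["values"].get("iam_instance_profile")
    roles = {r["values"]["role"] for r in infra.values()
             if r["type"] == "aws_iam_instance_profile" and r["values"].get("name") == profile}
    return [json.loads(r["values"]["policy"]) for r in infra.values()
            if r["type"] == "aws_iam_role_policy" and r["values"].get("role") in roles]


def check_s3_blast_radius(infra):
    """Flag an instance whose role is allowed S3 actions on Resource "*": account-wide
    reach from that host, whatever its own metadata settings say."""
    findings = []
    for addr, res in infra.items():
        if res["type"] != "aws_instance":
            continue
        for doc in instance_policies(infra, addr):
            for stmt in doc["Statement"]:
                actions = _as_list(stmt.get("Action", []))
                if (stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", []))
                        and any(a.startswith("s3:") for a in actions)):
                    findings.append(f"{addr}: role allows {', '.join(actions)} on every S3 bucket")
    return findings


if __name__ == "__main__":
    print("linter:      ", run_linter(INFRA))
    print("architecture:", check_s3_blast_radius(INFRA))
```

Run as-is, the linter pass reports the security group and nothing else; the instance and the policy both pass their individual checks. The blast-radius pass is the one that reports the instance, and it can only do so because it resolves the profile-to-role-to-policy chain, which is exactly the context a per-resource rule never has.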

How to use these tools together

These tools are not mutually exclusive — they are complementary layers. The effective Terraform security stack has two layers with different run frequencies and different purposes:

Layer 1 — CI gate (every pull request)

Checkov or Trivy

Catch individual resource misconfigurations before they reach main. Fast (seconds), deterministic, blocks PRs on HIGH findings. Teams already on Snyk for other scanning can use Snyk IaC here instead.

Frequency: Every PR targeting infrastructure paths

Layer 2 — Architectural review (scheduled or per-milestone)

ArchGuard

Evaluate the full architecture against WAF pillars: cross-resource patterns, blast radius, reliability across AZs, cost structure, operational readiness. Produces a PDF report for stakeholder review.

Frequency: Pre-launch, pre-DD, quarterly, or on major architectural changes

Layer 3 — Runtime monitoring (continuous)

AWS Trusted Advisor (if on Business/Enterprise support)

Continuous checks against the live deployed account. Catches drift between Terraform-defined state and actual running configuration. Not a substitute for layers 1 or 2.

Frequency: Automated, continuous — review findings weekly

The CI integration below shows layers 1 and 2 in a GitHub Actions workflow. Checkov runs first as a gate — any HIGH or CRITICAL finding fails the PR. ArchGuard runs after the gate passes, generating a WAF-aligned review for the engineering lead’s review process rather than blocking deployment.

.github/workflows/terraform-security.yml

```yaml
# .github/workflows/terraform-security.yml
name: Terraform Security

on:
  pull_request:
    paths: ['infra/**']

jobs:
  # Step 1 — config-level linting (fast, deterministic, blocks PRs)
  checkov:
    name: Checkov IaC Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: infra/
          framework: terraform
          soft_fail: false      # any failed check fails the job, which blocks the PR
          output_format: cli

  # Step 2 — Trivy config scan (add image and OS scanning here if you also build Docker images)
  trivy:
    name: Trivy Full-Stack Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy on IaC
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: config
          scan-ref: ./infra
          severity: CRITICAL,HIGH
          exit-code: 1
```

Checkov gates the PR. ArchGuard produces the architectural review. Both run in CI, but on different trigger conditions and with different output expectations.

Which tool should you use?

The right answer depends on what question you are trying to answer:

• If you want to block Terraform PRs with security misconfigurations: Checkov — broadest rule library, best CI integration, free.
• If you already use Trivy for container scanning: Trivy config mode — consolidates IaC and container scanning into one tool.
• If you are still running tfsec: migrate to Trivy — tfsec is deprecated, no new rules.
• If you are still running Terrascan: migrate to Checkov or Trivy — Terrascan was archived November 2025.
• If your team is already on Snyk for open source and containers: Snyk IaC — unified dashboard and policy management across your existing Snyk platform.
• If you need WAF-aligned findings for a compliance report, pre-DD data room, or architectural sign-off: ArchGuard — designed for this use case. Produces a stakeholder-readable PDF mapped to WAF pillars.
• If you want both config-level CI blocking and architectural review: Checkov (or Trivy) for CI gates + ArchGuard for architecture reviews — complementary layers, not competing tools.

One question that none of the config linters answer — and that architectural review tools are designed to address: which findings matter most for this specific workload? A Checkov scan produces an undifferentiated list of hundreds of findings across all severities. An architect reviewing the same Terraform against the Well-Architected Framework asks: given this workload type, what are the five findings most likely to produce an incident?

That prioritisation — based on workload context, blast radius, and the specific WAF pillar most at risk — is what separates a compliance pass from a meaningful security posture improvement. The Terraform architecture review guide covers the full six-step process for conducting that analysis, including how to prioritise findings across WAF pillars.

Frequently asked questions

What is the best Terraform security scanner in 2026?

The right tool depends on what question you are trying to answer. For fast CI-blocking of resource-level misconfigurations, Checkov is the most widely adopted option — open source, 1,000+ Terraform rules, integrates in minutes. For teams that also scan containers and OS packages, Trivy covers all of those from a single tool. Snyk IaC adds commercial dashboard and policy management for larger engineering organisations. None of these three tools evaluates architectural patterns against the AWS Well-Architected Framework. The most robust setup combines a config linter (Checkov or Trivy) in CI for every pull request plus an architectural review for production deployments and compliance documentation.

Is tfsec still maintained in 2026?

No. tfsec was deprecated by Aqua Security starting in 2023 and its functionality was absorbed into Trivy. As of 2024, the tfsec repository is in maintenance mode — no new rules or features. The migration path is straightforward: `tfsec ./infra` becomes `trivy config ./infra`. Nearly all tfsec rules are now part of Trivy's Terraform checks. Teams still running tfsec should migrate to Trivy to continue receiving updated rules.

What happened to Terrascan?

Terrascan was archived in November 2025 by its maintainer, Tenable (formerly Accurics). The repository is no longer receiving updates. Teams using Terrascan should migrate to either Checkov or Trivy, both of which have comparable or broader Terraform rule coverage and are actively maintained. Checkov has the largest Terraform-specific rule library; Trivy is the better choice for teams that also scan containers and OS packages.

Does Checkov cover the AWS Well-Architected Framework?

Not directly. Checkov evaluates whether individual Terraform resource configurations match deterministic security rules — for example, whether an S3 bucket has server-side encryption enabled (CKV_AWS_19) or whether an EC2 instance enforces IMDSv2 (CKV_AWS_79). The AWS Well-Architected Framework operates at a higher level: it evaluates whether an architecture is sound for its workload, considering blast radius, cross-service dependencies, reliability across availability zones, and cost structure. These are architectural judgements that require workload context that Checkov does not have. A clean Checkov scan means your individual resources are configured correctly — not that your architecture would pass a WAF review.

Can I use Checkov and ArchGuard together?

Yes — and that is the recommended setup. Checkov runs in CI on every pull request to catch resource-level misconfigurations fast and block them before they merge. ArchGuard runs as a structured architectural review against the Well-Architected Framework, on the full production Terraform, producing a WAF-aligned PDF report with findings across Security, Reliability, Cost Optimization, and Operational Excellence. The two tools answer different questions and cover different failure modes. Checkov catches the WHAT — a misconfigured resource. ArchGuard catches the WHY — a pattern that creates architectural risk for the specific workload, regardless of whether every individual resource passes its config checks.

Does AWS Trusted Advisor scan Terraform?

No. AWS Trusted Advisor reads the live deployed state of your AWS account — it does not read Terraform source files or perform static analysis. It requires an AWS Support plan at the Business tier ($100+/month) or higher for most security and fault tolerance checks. It is a useful runtime advisor for ongoing monitoring but it cannot evaluate IaC before deployment, does not integrate into CI/CD pipelines, and does not produce remediatable Terraform output. It is a complement to static IaC scanners, not a replacement.

What does Trivy add over Checkov for Terraform?

For Terraform-only teams, the difference is small — both are capable config linters with similar rule coverage for AWS resources. Trivy's main advantage is breadth: if your workflow also builds container images or packages OS software, Trivy scans all of those from a single tool. Trivy also outputs SARIF natively, which integrates with GitHub Advanced Security's code scanning dashboard. For a team focused exclusively on Terraform, Checkov's Terraform-specific rule library is marginally broader. For a team that also manages Dockerfiles and Kubernetes manifests, Trivy's consolidation has real operational value.

Related reading: What Checkov Catches — and What It Misses covers three Terraform patterns that pass all linter checks but carry architectural risk. The Five Terraform Misconfigurations post covers the most common WAF Security pillar failures with HCL before/after examples.

WAF-Aligned Architecture Review

Go Beyond the Linter — Get a Full Architecture Review

Upload your Terraform and get a structured PDF report with findings across all four Well-Architected pillars: Security, Reliability, Cost Optimization, and Operational Excellence. The analysis that sits above what Checkov and Trivy can see.

Complements Checkov, Trivy, and Snyk IaC — not a replacement for CI-based config linting.