Checkov + ArchGuard: rules in CI, validation before the audit

Checkov is the most widely used Terraform security scanner and we recommend it. ArchGuard is not a Checkov replacement and never has been. Here is how the two tools fit together — what Checkov does that ArchGuard doesn’t, what ArchGuard adds on top, and when to reach for each.

What Checkov does well

Rule-level scanning of Terraform, CloudFormation, ARM, Kubernetes, and 10+ other formats. Open source. Free. Integrates into CI with SARIF output support for GitHub Advanced Security. Catches “this S3 bucket lacks encryption”, “this security group is open to the world”, “this IAM policy is overly permissive”. Run it on every commit. It is the right tool for that job.

What per-resource rules structurally can’t see

Rule-based scanners evaluate one resource at a time against a predefined policy. They cannot determine whether a security group finding is exploitable given the rest of the network topology. They cannot flag a single-AZ RDS instance as a reliability risk when the application tier spans two AZs — because that requires comparing two resources, not checking one attribute.

They also produce false positives: a rule that flags “no MFA on IAM user” fires identically on a service account that has no console access. Without workload context, every finding looks equally urgent. If false positives are your main pain, start here for a triage framework you can run today.

How ArchGuard validates and extends Checkov output

ArchGuard takes the same Terraform your Checkov run covers and does two things Checkov structurally cannot:

Validates findings: confirms which scanner-flagged issues are real risks in your specific architecture, with blast-radius analysis and a confidence level on every finding. A Checkov HIGH that fires on a resource isolated behind a private VPC looks different from one on a public-facing endpoint — ArchGuard tells you which is which.

Extends coverage: surfaces cross-resource gaps no rule catches — topology mismatches, absent controls, availability blind spots. These are the findings that pass Checkov cleanly but still create real risk.

Every finding is mapped to CIS AWS Foundations v3.0, NIST 800-53, SOC 2, and PCI DSS — making the output useful for audit preparation, not just internal prioritisation.

Checkov vs ArchGuard feature comparison
CheckovArchGuard
ScopeRule-level attribute checksArchitecture-level validation + extension
PricingFree, open-source$49–$399/mo + Credit Packs
FrequencyEvery commit (CI)On-demand (review event)
CoverageSecurity primarilyAll six WAFR pillars
Compliance mappingSARIF / JSON outputCIS, NIST 800-53, SOC 2, PCI DSS
OutputCLI / JSON / SARIFBranded PDF
AWS account accessNoneNone
Best forContinuous scanning in CIValidation + audit-prep deliverable

How to run them together

CI pipeline: Checkov on every PR. Blocks merges on critical findings. This runs automatically alongside — or instead of — tfsec (which is now part of Trivy).

Before an audit, launch, or engagement: ArchGuard review of the workload in scope. Validates which Checkov findings are real, surfaces what rules missed, maps everything to your compliance frameworks. Both tools run. Both add distinct value.

What if I only had budget for one?

Run Checkov. It’s free, it runs in CI, and it catches the highest-volume class of mistakes. Add ArchGuard when you have a stakeholder-ready review to deliver, a compliance conversation to support, or a validation layer you need before a launch or audit — a client engagement, an investor diligence, or a SOC 2 evidence pass.

The two tools running together catch substantially more than either tool alone — they operate at different layers of the stack.

Frequently asked questions

Does ArchGuard replace Checkov?

No. ArchGuard is not a Checkov replacement. Checkov catches rule-level misconfigurations in CI — ArchGuard validates which findings are real in your architecture and surfaces the cross-resource gaps rules can't see. The two are complementary, and we explicitly recommend running both.

Can I use ArchGuard without running Checkov first?

You can, but best practice is to run Checkov first and resolve Critical findings before an architectural review. Mixing linter violations with architectural findings in the same report makes prioritisation harder.

Is Checkov free?

Yes. Checkov is open-source and free. The commercial Bridgecrew platform adds a dashboard, policy management, and CI/CD integrations — but the core Checkov scanner is free for any use.