ArchGuard alongside Checkov: when to use which
Checkov is the most widely used Terraform security scanner and we recommend it. ArchGuard is not a Checkov replacement and never has been. Here is how the two tools fit together — and when to reach for each.
What Checkov does well
Rule-level scanning of Terraform, CloudFormation, ARM, Kubernetes, and 10+ other formats. Open source. Free. Integrates into CI with SARIF output support for GitHub Advanced Security. Catches “this S3 bucket lacks encryption”, “this security group is open to the world”, “this IAM policy is overly permissive”. Run it on every commit.
What ArchGuard does well
Architecture-level review of an entire Terraform workload. AI reasoning about why a finding matters for the specific workload context — not just whether a rule is violated. A structured PDF deliverable across four Well-Architected pillars. Run it on demand: before a launch, after an infrastructure inheritance, during a due diligence.
| | Checkov | ArchGuard |
|---|---|---|
| Scope | Rule-level attribute checks | Architecture-level workload review |
| Pricing | Free, open-source | $49–$399/mo + Credit Packs |
| Frequency | Every commit (CI) | On-demand (review event) |
| Coverage | Security primarily | Four Well-Architected (WAFR) pillars |
| Output | CLI / JSON / SARIF | Branded PDF |
| AWS account access | None | None |
| Best for | Continuous scanning in CI | Stakeholder-ready reviews |
How we’d run them together
CI pipeline: Checkov on every PR, blocking merges on critical findings. Note that open-source Checkov exits non-zero on any failed check and only attaches severities when given a Prisma Cloud API key, so decide up front which check IDs block a merge and which are advisory. This can run alongside, or instead of, tfsec (which is now maintained as part of Trivy).
Pre-launch / pre-engagement: ArchGuard review of the workload in scope, producing the stakeholder deliverable. Neither step replaces the other; both run.
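The merge gate in the CI step above, written out as an added example (not ArchGuard's or Checkov's own code). It consumes the JSON that `checkov -o json` writes and splits failed checks into a team-maintained blocking set and an advisory remainder, because the open-source scanner carries no severities without a platform key. The `BLOCKING_CHECKS` set is an assumed team policy, the resource names and file paths in the sample report are constructed, and the check IDs are from Checkov's catalogue at time of writing (confirm them against your installed version). Files Checkov could not parse are treated as blocking, since an unparsed file was never scanned.

```python
"""Merge gate over Checkov JSON output (added example, not Checkov's own code).

Open-source Checkov exits non-zero on *any* failed check and, without a Prisma
Cloud API key, emits no severities, so "block on critical" has to be expressed
as a team-maintained set of check IDs. Run Checkov with --soft-fail so the scan
step itself never fails the job, then let this gate decide (flags as documented
for current Checkov; check them against your version):

    checkov -d . --framework terraform --soft-fail -o cli -o json \
        --output-file-path console,checkov.json
    python checkov_gate.py checkov.json
"""
from __future__ import annotations

import json
import sys
from typing import Any

# Assumed team policy: check IDs that block a merge. Both are Checkov IDs for
# security groups open to the world (port 22 and port 80).
BLOCKING_CHECKS: frozenset[str] = frozenset({"CKV_AWS_24", "CKV_AWS_260"})

# Constructed sample in the shape of `checkov -o json` for a single framework.
# Resource names and paths are invented; the check IDs are real Checkov IDs.
SAMPLE_CHECKOV_JSON = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [
            {"check_id": "CKV_AWS_18",
             "check_name": "Ensure the S3 bucket has access logging enabled",
             "check_result": {"result": "PASSED"}, "file_path": "/main.tf",
             "file_line_range": [1, 9], "resource": "aws_s3_bucket.data"},
        ],
        "failed_checks": [
            {"check_id": "CKV_AWS_19",
             "check_name": "Ensure all data stored in the S3 bucket is securely encrypted at rest",
             "check_result": {"result": "FAILED"}, "file_path": "/main.tf",
             "file_line_range": [1, 9], "resource": "aws_s3_bucket.data"},
            {"check_id": "CKV_AWS_24",
             "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22",
             "check_result": {"result": "FAILED"}, "file_path": "/bastion.tf",
             "file_line_range": [4, 20], "resource": "aws_security_group.bastion"},
        ],
        "skipped_checks": [],
        "parsing_errors": [],
    },
    "summary": {"passed": 1, "failed": 2, "skipped": 0, "parsing_errors": 0, "resource_count": 2},
})


def load_reports(text: str) -> list[dict[str, Any]]:
    """Checkov emits one object for a single framework and a list when several ran."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def evaluate_gate(reports: list[dict[str, Any]], blocking_ids: frozenset[str]) -> dict[str, list]:
    """Split failed checks into blocking and advisory and surface parse errors.

    A file Checkov could not parse was never scanned, so parsing errors are a
    coverage gap and are reported alongside the blocking findings.
    """
    verdict: dict[str, list] = {"blocking": [], "advisory": [], "parsing_errors": []}
    for report in reports:
        results = report.get("results", {})
        for failed in results.get("failed_checks", []):
            bucket = "blocking" if failed.get("check_id") in blocking_ids else "advisory"
            verdict[bucket].append(failed)
        verdict["parsing_errors"].extend(results.get("parsing_errors", []))
    return verdict


def should_block(reports: list[dict[str, Any]], blocking_ids: frozenset[str]) -> bool:
    """True when any blocking check failed or any file went unscanned."""
    verdict = evaluate_gate(reports, blocking_ids)
    return bool(verdict["blocking"] or verdict["parsing_errors"])


def format_verdict(verdict: dict[str, list]) -> str:
    """One line per finding, blocking first, so the PR log reads top-down."""
    lines = []
    for finding in verdict["blocking"]:
        lines.append(f"BLOCK   {finding['check_id']} {finding.get('resource')} ({finding.get('file_path')})")
    for finding in verdict["advisory"]:
        lines.append(f"ADVISE  {finding['check_id']} {finding.get('resource')} ({finding.get('file_path')})")
    for path in verdict["parsing_errors"]:
        lines.append(f"BLOCK   parse error, file not scanned: {path}")
    return "\n".join(lines) if lines else "clean"


def main(argv: list[str]) -> int:
    # With no path argument the constructed sample is gated, for a dry run.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_CHECKOV_JSON
    reports = load_reports(text)
    verdict = evaluate_gate(reports, BLOCKING_CHECKS)
    print(format_verdict(verdict))
    return 1 if (verdict["blocking"] or verdict["parsing_errors"]) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample report the gate blocks on the open SSH security group and reports the unencrypted bucket as advisory; CI surfaces both, but only the first stops the merge. Keep the blocking set in version control next to the pipeline so a change to it is itself reviewed.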
What if I only had budget for one?
Run Checkov. It’s free, it runs in CI, and it catches the highest-volume class of mistakes. Add ArchGuard when you have a stakeholder-ready review to deliver alongside Checkov — a client engagement, an investor diligence, a launch sign-off.
The two tools running together catch substantially more than either tool alone, because they operate at different layers: Checkov on the attributes of individual resources, ArchGuard on how those resources fit together as a workload.
Frequently asked questions
Does ArchGuard replace Checkov?
No. ArchGuard is not a Checkov replacement. Checkov catches rule-level misconfigurations in CI — ArchGuard reviews the architecture above the rules. The two are complementary, and we explicitly recommend running both.
Can I use ArchGuard without running Checkov first?
You can, but best practice is to run Checkov first and resolve Critical findings before an architectural review. Mixing linter violations with architectural findings in the same report makes prioritisation harder.
Is Checkov free?
Yes. Checkov is open source under the Apache 2.0 licence. The commercial Prisma Cloud platform (formerly Bridgecrew) adds a dashboard, policy management, severity data and CI/CD integrations, but the core Checkov scanner is free for any use.