In the world of infrastructure-as-code security there are several tools for users to choose from. The goal of this repository is to help compare the different options so that users can choose the tool that best fits their own needs.
| Checkov | Cloudrail | Kics | Snyk | Terrascan | Tfsec | |
|---|---|---|---|---|---|---|
| Vendor | Bridgecrew | Indeni | Checkmarx | Snyk | Accurics | Aqua Security |
| License | OSS | Freemium | OSS | Freemium | OSS | OSS |
| Written in | Python | Python | Rego | Unknown | Rego | Go |
| Custom Rule Support | Yes | Yes | Yes | No | Yes | Yes |
| CI/CD-specific Integrations | CircleCI, GitLab, GitHub | CircleCI, GitLab, GitHub | GitHub | None | CircleCI, GitHub | CircleCI, GitHub |
| Output Formats (for generic CI/CD support) | Text, JSON, JUnit, SARIF | Text, JSON, JUnit, SARIF, GitLab-SAST | Text, JSON, SARIF, HTML | Text, JSON, SARIF, HTML | Text, JSON, JUnit | Text, JSON, JUnit, SARIF |
| Coverage for live environment | Not in OSS, use paid product | Yes, integrated into scans | No | No | Not in OSS, use paid product | Yes via differnet product |
(there are others, anyone can add to this list, sorted A-Z)
For a list of IaC languages supported and the coverage provided by each tool for different CSPs, scroll down to the test case tables.
This repository has a set of test-cases and a main script, called run_all_tools.sh which runs the above-listed tools against each of the test-cases. This allows any potential user to see what the tool can do, and how it compares, before even installing it.
The tables below list test cases included in this repository. For each case, it shows which tools are able to catch it specifically, and which don't. Most test cases originate from the cloud service provider's (CSP's) own recommendations and best practices, as well as the CIS benchmark for that specific CSP.
Last update: 2021-08-27
| Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec | |
|---|---|---|---|---|---|---|
| Tested Version | 2.0.363 | 1.3.385 | 1.4.1 | 1.683.0 | 1.9.0 | 0.58.4 |
| Terraform - AWS | 69% | 93% | 94% | 62% | 73% | 61% |
| Terraform - Azure | 47% | 35% | 23% | 30% | 8% | 18% |
| Terraform - Advanced Language Expressions | 20% | 100% | 20% | 0% | 0% | 0% |
| Total Catch Rate | 59% | 72% | 65% | 48% | 47% | 43% |
test-cases/terraform/aws/best-practices
| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| alb_drop_http_headers | β | β | β | β | β | β |
| cloudfront_not_using_waf | β | β | β | β | β | β |
| cloudtrail_enabled_on_multi_region | β | β | β | β | β | β |
| config_aggregator_all_regions | β | β | β | β | β | β |
| deploy_ec2_to_default_vpc | β | β | β | β | β | β |
| deploy_redshift_in_ec2_classic_mode | β | β | β | β | β | β |
| dynamodb_without_recovery_enabled | β | β | β | β | β | β |
| ec2_ebs_not_optimized | β | β | β | β | β | β |
| ecr_make_tags_immutable | β | β | β | β | β | β |
| ecr_use_image_scanning | β | β | β | β | β | β |
| ecs_cluster_container_insights | β | β | β | β | β | β |
| elasticache_automatic_backup | β | β | β | β | β | β |
| kms_uses_rotation | β | β | β | β | β | β |
| rds_retention_period_set | β | β | β | β | β | β |
| security_group_no_description_for_rules | β | β | β | β | β | β |
| security_group_no_description_for_securi.. | β | β | β | β | β | β |
| security_group_no_unused | β | β | β | β | β | β |
| tag_all_items | β | β | β | β | β | β |
| using_public_amis | β | β | β | β | β | β |
| Sub-category Catch Rate | 84% | 84% | 89% | 63% | 63% | 79% |
test-cases/terraform/aws/encryption/at-rest
test-cases/terraform/aws/encryption/in-transit
| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| alb_use_http | β | β | β | β | β | β |
| cloudfront_distribution_not_encrypted | β | β | β | β | β | β |
| cloudfront_protocol_version_is_low | β | β | β | β | β | β |
| ecs_task_definition_not_encrypted_in_tra.. | β | β | β | β | β | β |
| elasticache_replication_group_not_encryp.. | β | β | β | β | β | β |
| elasticsearch_encrypt_node_to_node_disab.. | β | β | β | β | β | β |
| load_balancer_listener_http | β | β | β | β | β | β |
| vpc_has_only_dynamodb_vpce_gw_connection | β | β | β | β | β | β |
| Sub-category Catch Rate | 75% | 100% | 88% | 75% | 88% | 88% |
test-cases/terraform/aws/iam/iam-entities
| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| human_users_defined | β | β | β | β | β | β |
| iam_user_inline_policy_attach | β | β | β | β | β | β |
| iam_user_managed_policy_direct_attachmen.. | β | β | β | β | β | β |
| passrole_and_lambda_permissions_cause_pr.. | β | β | β | β | β | β |
| policy-too-broad | β | β | β | β | β | β |
| policy_missing_principal | β | β | β | β | β | β |
| public_and_private_ec2_same_role | β | β | β | β | β | β |
| role_assume_policy_principal_all | β | β | β | β | β | β |
| Sub-category Catch Rate | 50% | 100% | 88% | 38% | 50% | 0% |
test-cases/terraform/aws/iam/resource-authentication
| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| rds_without_authentication | β | β | β | β | β | β |
| rest_api_without_authorization | β | β | β | β | β | β |
| Sub-category Catch Rate | 100% | 50% | 100% | 100% | 50% | 0% |
test-cases/terraform/aws/iam/resource-policies
| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| cloudwatch_log_destination_insecure_poli.. | β | β | β | β | β | β |
| ecr_not_secure_policy | β | β | β | β | β | β |
| efs_not_secure_policy | β | β | β | β | β | β |
| elasticsearch_domain_not_secure_policy | β | β | β | β | β | β |
| glacier_vault_not_secure_policy | β | β | β | β | β | β |
| glue_data_catalog_not_secure_policy | β | β | β | β | β | β |
| kms_key_not_secure_policy | β | β | β | β | β | β |
| lambda_not_secure_policy | β | β | β | β | β | β |
| rest_api_not_secure_policy | β | β | β | β | β | β |
| s3_bucket_acl_public_all_authenticated_u.. | β | β | β | β | β | β |
| s3_bucket_acl_public_all_users_canned | β | β | β | β | β | β |
| s3_bucket_acl_public_all_users_canned_wi.. | β | β | β | β | β | β |
| s3_bucket_policy_public_to_all_authentic.. | β | β | β | β | β | β |
| secrets_manager_not_secure_policy | β | β | β | β | β | β |
| Sub-category Catch Rate | 21% | 100% | 93% | 21% | 71% | 21% |
test-cases/terraform/aws/logging
| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| api_gateway_no_xray | β | β | β | β | β | β |
| cloudfront_distribution_without_logging | β | β | β | β | β | β |
| cloudtrail_file_log_validation_disabled | β | β | β | β | β | β |
| cloudwatch_log_groups_no_retention | β | β | β | β | β | β |
| docdb_audit_logs_missing | β | β | β | β | β | β |
| ec2_without_monitoring | β | β | β | β | β | β |
| eks_logging_disabled | β | β | β | β | β | β |
| elasticsearch_domain_logging_disabled | β | β | β | β | β | β |
| elb_without_access_logs | β | β | β | β | β | β |
| globalaccelerator_accelerator_no_flow_lo.. | β | β | β | β | β | β |
| lambda_without_explicit_log_group | β | β | β | β | β | β |
| lambda_without_xray | β | β | β | β | β | β |
| neptune_cluster_no_logging | β | β | β | β | β | β |
| rds_without_logging | β | β | β | β | β | β |
| redshift_without_logging | β | β | β | β | β | β |
| rest_api_no_access_logging | β | β | β | β | β | β |
| s3_access_logging_disabled | β | β | β | β | β | β |
| Sub-category Catch Rate | 94% | 82% | 94% | 71% | 94% | 59% |
test-cases/terraform/aws/networking/vpc-endpoints
| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| dynamodb-vpce-exist-without-routeassocia.. | β | β | β | β | β | β |
| sqs-vpc-endpoint-without-dns-resolution | β | β | β | β | β | β |
| Sub-category Catch Rate | 0% | 100% | 100% | 0% | 0% | 0% |
test-cases/terraform/azure/best-practices
test-cases/terraform/azure/encryption/at-rest
| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| activitylog_storage_account_encryption_n.. | β | β | β | β | β | β |
| sql_encryption_customer_key_not_set | β | β | β | β | β | β |
| storacc_encryption_not_enabled | β | β | β | β | β | β |
| Sub-category Catch Rate | 33% | 0% | 0% | 0% | 0% | 0% |
test-cases/terraform/azure/encryption/in-transit
| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| app_service_ftps_unused | β | β | β | β | β | β |
| app_service_use_most_recent_supported_tl.. | β | β | β | β | β | β |
| func_app_ftps_not_required | β | β | β | β | β | β |
| mysql_not_forcing_ssl | β | β | β | β | β | β |
| postgresql_not_forcing_ssl | β | β | β | β | β | β |
| Sub-category Catch Rate | 60% | 80% | 40% | 60% | 40% | 40% |
test-cases/terraform/azure/iam
| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| app_service_authentication_missing | β | β | β | β | β | β |
| custom-role-owner-exists | β | β | β | β | β | β |
| func_app_authentication | β | β | β | β | β | β |
| func_app_client_cert_optional | β | β | β | β | β | β |
| functionapp_not_use_managedidentity | β | β | β | β | β | β |
| sql-server-ad-admin-not-set | β | β | β | β | β | β |
| storage_account_public_access_disabled | β | β | β | β | β | β |
| webapp_client_cert_not_enabled | β | β | β | β | β | β |
| webapp_not_use_managedidentity | β | β | β | β | β | β |
| Sub-category Catch Rate | 67% | 33% | 11% | 22% | 0% | 0% |
test-cases/terraform/azure/logging
test-cases/terraform/azure/networking
| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| no_unused_nsg | β | β | β | β | β | β |
| public_access_sql_db | β | β | β | β | β | β |
| vm_public_rdp_lb_opened | β | β | β | β | β | β |
| vm_public_rdp_nat_opened | β | β | β | β | β | β |
| vmss_public_rdp_lb_opened | β | β | β | β | β | β |
| Sub-category Catch Rate | 20% | 40% | 0% | 0% | 0% | 20% |
test-cases/terraform/hcl_language_complexity
| Test Case | Checkov | Indeni Cloudrail | Kics | Snyk | Terrascan | Tfsec |
|---|---|---|---|---|---|---|
| using_count_and_ternary_expr | β | β | β | β | β | β |
| using_for_each | β | β | β | β | β | β |
| using_locals | β | β | β | β | β | β |
| using_module_multi | β | β | β | β | β | β |
| using_module_simple | β | β | β | β | β | β |
| Sub-category Catch Rate | 20% | 100% | 20% | 0% | 0% | 0% |
Anyone can contribute to this repository. The main areas of contribution are:
-
Adding an additional tool - simply add the tool to this readme and the
run_all_tools.shscript. Then, execute that script and add all of its results as part of your PR. That's it, you're good to go. -
Adding test-cases - you can add the test case in the correct spot in the tree under test-cases and run the
run_all_tools.shscript against it. Make sure to include all of the tools' results as part of your PR.
NOTE: This repository has been initiated by @yi2020, CEO & Founder of Indeni, the company behind Indeni Cloudrail. While this was initiated by an employee of a vendor in the community, the intention is for this repository to be neutral and truly serve as a non-biased comparison tool of products offered. Contributions that help users make that choice, and are unbiased in nature, are very welcome. The aspiration is that over time all vendors will become equal contributors in this repository.