Checkov
Static analysis for Terraform, CloudFormation, Kubernetes, Docker, and more—hundreds of built-in policy checks.
Why it is included
Broad IaC policy coverage, backed by Prisma Cloud commercially but with an open-core workflow.
Best for
CI pipelines blocking misconfigs before apply.
Strengths
- Multi-IaC
- Custom policies
- SARIF
Limitations
- Check depth relative to Terrascan varies by resource type
Good alternatives
Terrascan · Trivy config · OPA
Related tools
Security & Privacy
Terrascan
IaC scanner detecting security issues across Terraform, Kubernetes, Helm, Docker, and cloud APIs via OPA/Rego policies.
Security & Privacy
Trivy
All-in-one scanner for container images, IaC, Kubernetes manifests, SBOMs, and VM OS packages with CI integrations.
Security & Privacy
Open Policy Agent (OPA)
General-purpose policy engine with Rego: unify authorization and config decisions across K8s, APIs, Terraform plans, and CI.
Security & Privacy
Kyverno
Kubernetes-native policy engine using YAML (no Rego) for validate, mutate, generate, and image verification rules.
Security & Privacy
Semgrep
Static analysis engine matching AST patterns—rules for OWASP classes, secrets, and custom policies.
Security & Privacy
Grype
Vulnerability scanner for container images and filesystems using Anchore’s vulnerability DB and Syft SBOM input.
