
Checkov vs Trivy

Suphi Cankurt, AppSec Enthusiast
Updated February 9, 2026

Quick Verdict

Checkov and Trivy are both open-source, Apache 2.0 licensed, and free to use. They overlap in IaC misconfiguration scanning but serve different primary purposes.

Checkov is purpose-built for infrastructure as code security. It has the largest built-in policy library of any open-source IaC scanner at 3,000+ checks, including 800 graph-based policies that verify relationships between resources. If IaC scanning depth is your priority, Checkov is the specialist.

Trivy is a broader security scanner. It handles IaC misconfigurations, container image vulnerabilities, application dependency CVEs, secrets detection, and license compliance in one binary. Its IaC scanning absorbed tfsec and covers the most common checks, but the policy library is smaller than Checkov’s. If you want one tool for multiple security concerns, Trivy minimizes tool sprawl.

Feature Comparison

Feature                     | Checkov                                   | Trivy
----------------------------|-------------------------------------------|------------------------------------------
License                     | Apache 2.0                                | Apache 2.0
Primary focus               | IaC security                              | All-in-one security scanner
Built-in IaC policies       | 3,000+ (2,200 attribute + 800 graph)      | Inherited tfsec library
Graph-based checks          | Yes (cross-resource relationships)        | No
Terraform                   | Full support                              | Full support (absorbed tfsec)
CloudFormation              | Yes                                       | Yes
Kubernetes manifests        | Yes                                       | Yes
Helm charts                 | Yes                                       | Yes
Dockerfiles                 | Yes                                       | Yes
ARM / Bicep                 | Yes                                       | Yes (ARM)
Ansible                     | Yes                                       | Yes
Kustomize                   | Yes                                       | No
OpenTofu                    | Yes                                       | No
Serverless Framework        | Yes                                       | No
Container image scanning    | No                                        | Yes
Dependency scanning         | No                                        | Yes
Kubernetes cluster scanning | No                                        | Yes (live clusters)
SBOM generation             | No                                        | Yes (CycloneDX, SPDX)
License scanning            | No                                        | Yes
Secrets detection           | Yes (with API verification)               | Yes
Custom policy language      | Python or YAML                            | Rego (OPA)
Compliance frameworks       | CIS, SOC 2, HIPAA, PCI DSS                | CIS
Output formats              | JSON, SARIF, JUnit XML, CycloneDX, CSV    | JSON, SARIF, CycloneDX, SPDX, table
GitHub stars                | 8,500+                                    | 31,700+
Backed by                   | Palo Alto Networks (Prisma Cloud)         | Aqua Security

Checkov vs Trivy: Head-to-Head

IaC Policy Coverage

Checkov ships with over 3,000 built-in policies covering AWS, Azure, GCP, and OCI. These break down into 2,200 attribute checks (inspecting individual resource properties) and 800 graph-based checks (verifying relationships between resources).

Graph-based policies are the real differentiator. A standard attribute check verifies that an S3 bucket has encryption enabled. A graph-based check verifies that an EC2 instance connects to a network interface in a VPC-attached subnet. These cross-resource relationship checks catch misconfigurations that single-resource scanners miss entirely.

Trivy inherited tfsec’s Terraform check library and added checks for other IaC frameworks. The policy count is lower than Checkov’s, and Trivy does not support graph-based cross-resource checks. For the most common misconfigurations (unencrypted storage, open security groups, public access) Trivy catches what matters. For deeper checks that span resource relationships, Checkov provides coverage that Trivy cannot match.

IaC Framework Support

Both tools cover the core IaC frameworks: Terraform, CloudFormation, Kubernetes manifests, Helm charts, Dockerfiles, and ARM templates. Checkov extends further with support for Bicep, Kustomize, OpenTofu, Serverless Framework, and AWS CDK. Trivy covers Ansible, which Checkov also supports.

For teams using standard Terraform or CloudFormation, both tools work well. Teams using less common frameworks like OpenTofu, Kustomize, or Serverless Framework will find better support in Checkov.

Beyond IaC: Where Trivy Pulls Ahead

Trivy’s strength is breadth. Beyond IaC scanning, it provides:

  • Container image scanning: Detects vulnerabilities in OS packages and application dependencies within Docker and OCI images.
  • Filesystem and repository scanning: Checks application dependencies (package-lock.json, go.sum, requirements.txt) for known CVEs.
  • Kubernetes cluster scanning: Scans running clusters for vulnerabilities, misconfigurations, and secrets across all workloads.
  • SBOM generation: Produces CycloneDX and SPDX software bill of materials.
  • License scanning: Identifies software licenses in dependencies for compliance.

Checkov does none of these. If you need container scanning or dependency checking, Trivy handles it without adding another tool. If you only need IaC scanning, Checkov provides deeper coverage.

Secrets Detection

Both tools detect hardcoded secrets. Checkov recognizes known credential formats (AWS keys, Azure storage keys, GitHub tokens), uses entropy analysis for randomized secrets, and can verify detected keys against live APIs to reduce false positives. The live verification feature is notable because it confirms whether a found credential is actually active.

Trivy uses regex patterns to find API keys, passwords, private keys, and cloud credentials. It runs the secret scanner across all target types (images, filesystems, repos). Trivy does not verify secrets against live APIs.

Custom Policies

Checkov supports custom policies written in Python or YAML. Python policies inherit from base check classes and offer full programmatic flexibility. YAML policies use a declarative syntax with operators for attribute checks, connection checks, and filters. Version 3.0 added 36 new operators and JSON path support.

Trivy uses Rego (the Open Policy Agent language) for custom misconfiguration checks. Rego is powerful but has a steeper learning curve than Checkov’s YAML format. Teams already using OPA in their infrastructure will find Rego familiar.
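The difference between an attribute check and a graph-based (connection) check, described under IaC Policy Coverage above and exposed as the attribute and connection operators of Checkov's YAML format, is easiest to see in a small evaluator. The following is an added illustration written for this article, not code from Checkov or Trivy: the resource map, the policy dictionaries, the cond_type/operator/path keys and the CKV_TOY_* identifiers are all constructed here, and the multi-hop "path" is a generalization of a single connection check.

```python
"""Toy evaluator for the two policy kinds the article contrasts: attribute
checks (one resource's own properties) and connection checks (a path through
the resource graph). Added illustration only; not Checkov's or Trivy's code.
The resource map, the policy dicts, the cond_type/operator/path keys and the
CKV_TOY_* IDs are all constructed here."""
from __future__ import annotations
from typing import Any

# Constructed Terraform-like resource map: address -> attributes. A reference
# to another managed resource is stored as that resource's address, which is
# the edge a graph builder would draw; a literal ID such as "vpc-0abc123"
# points outside the managed graph and forms no edge.
RESOURCES: dict[str, dict[str, Any]] = {
    "aws_s3_bucket.logs": {"type": "aws_s3_bucket",
                           "server_side_encryption_configuration": {"sse_algorithm": "AES256"}},
    "aws_s3_bucket.tmp": {"type": "aws_s3_bucket"},
    "aws_vpc.main": {"type": "aws_vpc", "cidr_block": "10.0.0.0/16"},
    "aws_subnet.app": {"type": "aws_subnet", "vpc_id": "aws_vpc.main"},
    "aws_subnet.orphan": {"type": "aws_subnet", "vpc_id": "vpc-0abc123"},
    "aws_network_interface.web": {"type": "aws_network_interface", "subnet_id": "aws_subnet.app"},
    "aws_network_interface.stray": {"type": "aws_network_interface", "subnet_id": "aws_subnet.orphan"},
    "aws_instance.web": {"type": "aws_instance", "network_interface": "aws_network_interface.web"},
    "aws_instance.stray": {"type": "aws_instance", "network_interface": "aws_network_interface.stray"},
}

# Constructed policies, loosely modelled on the attribute/connection cond_types
# of Checkov's YAML format. "path" lists the resource types a connection check
# must be able to walk through, in order, starting from the checked resource.
POLICIES: list[dict[str, Any]] = [
    {"id": "CKV_TOY_1", "cond_type": "attribute", "resource_types": ["aws_s3_bucket"],
     "attribute": "server_side_encryption_configuration", "operator": "exists"},
    {"id": "CKV_TOY_2", "cond_type": "attribute", "resource_types": ["aws_instance"],
     "attribute": "network_interface", "operator": "exists"},
    {"id": "CKV2_TOY_1", "cond_type": "connection", "resource_types": ["aws_instance"],
     "path": ["aws_network_interface", "aws_subnet", "aws_vpc"]},
]


def outgoing(address: str, resources: dict[str, dict[str, Any]]) -> list[str]:
    """Addresses this resource references (its outgoing graph edges)."""
    return [v for k, v in resources[address].items()
            if k != "type" and isinstance(v, str) and v in resources]


def attribute_check(policy, address, resources) -> bool:
    """Single-resource check: looks only at the resource's own attributes."""
    value = resources[address].get(policy["attribute"])
    if policy["operator"] == "exists":
        return value is not None
    if policy["operator"] == "equals":
        return value == policy["value"]
    raise ValueError(f"unsupported operator {policy['operator']!r}")


def connection_check(policy, address, resources) -> bool:
    """Graph check: walk references hop by hop, requiring each hop to land on
    the next resource type in the policy's path."""
    frontier = {address}
    for hop_type in policy["path"]:
        frontier = {nxt for cur in frontier for nxt in outgoing(cur, resources)
                    if resources[nxt]["type"] == hop_type}
        if not frontier:
            return False  # the chain breaks before reaching the final type
    return True


def evaluate(policies, resources) -> dict[str, list[str]]:
    """Return policy id -> addresses that fail it."""
    failures: dict[str, list[str]] = {}
    for policy in policies:
        check = attribute_check if policy["cond_type"] == "attribute" else connection_check
        failures[policy["id"]] = [addr for addr, res in resources.items()
                                  if res["type"] in policy["resource_types"]
                                  and not check(policy, addr, resources)]
    return failures


if __name__ == "__main__":
    for check_id, failed in evaluate(POLICIES, RESOURCES).items():
        print(check_id, "FAILED" if failed else "PASSED", failed)
```

CKV_TOY_2, the attribute check, passes both instances because each has a network_interface set; only the connection check CKV2_TOY_1 notices that aws_instance.stray sits behind a subnet whose VPC is not in the managed graph. That gap is the point the article makes about single-resource scanners.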

Compliance Framework Mapping

Checkov maps its policies to multiple compliance frameworks: CIS Benchmarks, SOC 2, HIPAA, PCI DSS, and AWS Foundations Benchmark. Running Checkov against a compliance framework generates a report showing which checks passed and failed against that standard.

Trivy maps to CIS Benchmarks but has less extensive compliance framework coverage than Checkov. For teams that need to demonstrate compliance against specific frameworks, Checkov provides more built-in reporting.

CI/CD Integration

Both tools integrate cleanly into CI/CD. Checkov has an official GitHub Action (bridgecrewio/checkov-action), Docker images for GitLab CI and other platforms, and SARIF output for GitHub code scanning. Non-zero exit codes gate merges.

Trivy has an official GitHub Action (aquasecurity/trivy-action), Docker images, and SARIF output. It also supports severity-based gating (--exit-code 1 --severity HIGH,CRITICAL) so you can fail builds only on serious findings.

Both tools work in any CI/CD system through their CLI. The experience is comparable.
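A severity gate of the kind the section describes, applied to both tools' JSON output in one step, as an added example that is not code from either project. The two report fragments are constructed; the field names follow the tools' JSON layouts as the author understands them (Trivy: Results[].Target and Misconfigurations[].ID, Severity, CauseMetadata.Resource; Checkov: results.failed_checks[].check_id, file_path, resource, severity) and should be verified against the installed versions. The AVD-TOY-* rule IDs are placeholders.

```python
"""Severity gate across one Trivy JSON report and one Checkov JSON report,
mirroring `--exit-code 1 --severity HIGH,CRITICAL` but applied to both tools.
Added example, not either project's code. The report fragments are
constructed; field names are the author's understanding of the two JSON
layouts and should be checked against the versions actually in use."""
from __future__ import annotations
import json
from typing import Iterable, NamedTuple


class Finding(NamedTuple):
    tool: str
    rule: str
    severity: str
    file: str
    resource: str


# Constructed `trivy config --format json` style fragment; rule IDs are placeholders.
TRIVY_REPORT = json.loads("""
{"Results": [{"Target": "main.tf", "Misconfigurations": [
  {"ID": "AVD-TOY-0001", "Title": "S3 bucket not encrypted", "Severity": "HIGH",
   "CauseMetadata": {"Resource": "aws_s3_bucket.tmp"}},
  {"ID": "AVD-TOY-0002", "Title": "Bucket logging disabled", "Severity": "LOW",
   "CauseMetadata": {"Resource": "aws_s3_bucket.tmp"}}]}]}
""")

# Constructed `checkov -o json` style fragment. Open-source Checkov leaves
# "severity" null, so the gate assigns a default severity to failed checks.
CHECKOV_REPORT = json.loads("""
{"check_type": "terraform", "results": {"passed_checks": [], "failed_checks": [
  {"check_id": "CKV_TOY_1", "check_name": "Ensure S3 bucket is encrypted",
   "file_path": "/main.tf", "resource": "aws_s3_bucket.tmp", "severity": null}]},
 "summary": {"passed": 0, "failed": 1}}
""")


def trivy_findings(report: dict) -> Iterable[Finding]:
    for result in report.get("Results", []):
        target = result.get("Target", "").lstrip("/")
        for m in result.get("Misconfigurations", []):
            yield Finding("trivy", m["ID"], str(m.get("Severity", "UNKNOWN")).upper(),
                          target, m.get("CauseMetadata", {}).get("Resource", ""))


def checkov_findings(report, default_severity: str = "HIGH") -> Iterable[Finding]:
    # Checkov emits one object, or a list of them when several frameworks ran.
    for r in report if isinstance(report, list) else [report]:
        for c in r.get("results", {}).get("failed_checks", []):
            yield Finding("checkov", c["check_id"],
                          (c.get("severity") or default_severity).upper(),
                          c.get("file_path", "").lstrip("/"), c.get("resource", ""))


def blocking(findings: Iterable[Finding],
             fail_on: frozenset[str] = frozenset({"HIGH", "CRITICAL"})) -> list[Finding]:
    """Findings whose severity is in the gating set."""
    return [f for f in findings if f.severity in fail_on]


def overlapping(findings: Iterable[Finding]) -> list[tuple[str, str]]:
    """(file, resource) pairs flagged by more than one tool: the duplicate
    findings to triage when both scanners run in the same pipeline."""
    tools_by_key: dict[tuple[str, str], set[str]] = {}
    for f in findings:
        tools_by_key.setdefault((f.file, f.resource), set()).add(f.tool)
    return sorted(k for k, tools in tools_by_key.items() if len(tools) > 1)


def gate(trivy_report, checkov_report,
         fail_on: frozenset[str] = frozenset({"HIGH", "CRITICAL"})) -> int:
    """CI exit code: 1 when any finding from either tool meets fail_on, else 0."""
    findings = list(trivy_findings(trivy_report)) + list(checkov_findings(checkov_report))
    return 1 if blocking(findings, fail_on) else 0


if __name__ == "__main__":
    all_findings = list(trivy_findings(TRIVY_REPORT)) + list(checkov_findings(CHECKOV_REPORT))
    for f in blocking(all_findings):
        print(f"BLOCK {f.tool} {f.rule} {f.severity} {f.file} {f.resource}")
    print("flagged by both tools:", overlapping(all_findings))
    raise SystemExit(gate(TRIVY_REPORT, CHECKOV_REPORT))
```

The leading slash is stripped from file paths so that a Checkov path like /main.tf and a Trivy target like main.tf compare equal; without that normalization the overlap report would miss duplicates. The default severity for Checkov findings is a policy decision: treating every failed check as HIGH keeps Checkov's findings in the gate even though the open-source build assigns no severity of its own.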

When to Choose Checkov

Choose Checkov if:

  • IaC security is your primary concern and you want the deepest policy coverage
  • Graph-based cross-resource checks matter for catching complex misconfigurations
  • You need compliance reporting for SOC 2, HIPAA, PCI DSS, or CIS Benchmarks
  • Your team uses Kustomize, OpenTofu, Serverless Framework, or AWS CDK
  • You want custom policies in Python or YAML rather than Rego
  • Secrets detection with live API key verification is valuable

When to Choose Trivy

Choose Trivy if:

  • You want one tool for IaC scanning, container scanning, dependency scanning, and more
  • Container image vulnerability scanning is a requirement
  • Kubernetes cluster scanning (live workloads) is part of your security program
  • SBOM generation for supply chain compliance is needed
  • You prefer Rego (OPA) for custom policies
  • Minimizing the number of security tools in your pipeline is a priority

Many teams start with Trivy because it covers the most ground in a single binary, then add Checkov when they need deeper IaC-specific policy coverage or graph-based checks. The two tools complement each other well since Checkov goes deep on IaC while Trivy goes broad across security concerns.


Frequently Asked Questions

Which tool has more IaC checks, Checkov or Trivy?

Checkov has significantly more IaC-specific checks at 3,000+ (2,200 attribute checks plus 800 graph-based checks). Trivy inherited tfsec’s check library, which is smaller but covers the most common misconfigurations across Terraform, CloudFormation, Kubernetes, Helm, and Dockerfiles.

Can I use both Checkov and Trivy?

Yes. Some teams run Checkov for deep IaC policy coverage and Trivy for container image and dependency scanning. The tools have different strengths, and the overlap in IaC checks means you get broader coverage by running both, though you will need to manage some duplicate findings.

Are both tools free?

Yes. Checkov is Apache 2.0, maintained by Palo Alto Networks (Prisma Cloud). Trivy is Apache 2.0, maintained by Aqua Security. Both work fully without any paid subscription. Commercial platforms (Prisma Cloud, Aqua Platform) offer additional enterprise features on top.

What happened to tfsec?

tfsec was merged into Trivy. All tfsec check IDs work in Trivy’s misconfiguration scanner. The tfsec repository now directs users to Trivy. Running trivy config on Terraform files applies the same checks that tfsec used to run as a standalone tool.

Which tool is better for Kubernetes security?

Trivy has an edge for Kubernetes because it scans running clusters directly (trivy k8s) in addition to static manifest files. It also scans container images used by workloads. Checkov scans Kubernetes manifest files, Helm charts, and Kustomize configurations for misconfigurations but does not scan running clusters or container images.
Suphi Cankurt is an application security enthusiast based in Helsinki, Finland. He reviews and compares 129 AppSec tools across 10 categories on AppSec Santa.
