
tfsec vs Trivy

Written by Suphi Cankurt

Key Takeaways
  • Aqua Security announced in February 2023 that tfsec is joining the Trivy family. The tfsec repo still ships dependency bumps but no new checks; misconfiguration rule work now happens in Trivy.
  • Trivy is the active project. One scanner covers misconfiguration (formerly tfsec), vulnerability (CVE), license, secret, and SBOM scanning across containers, IaC, and source code.
  • Migrate from tfsec to Trivy with `trivy config <path>`. The same Terraform, CloudFormation, Kubernetes manifests, and Helm charts get scanned, and legacy tfsec rule IDs map to Trivy AVD rule IDs.
  • Trivy's IaC scope reaches beyond Terraform to CloudFormation, Kubernetes manifests, Helm charts, Dockerfile, and Azure ARM templates. tfsec was Terraform-only at the time of the announcement.
  • If you are still on tfsec in CI, the migration is small. Replace `tfsec .` with `trivy config .` and map any AWS001 / GCP001 / AZU001 allowlist entries to Trivy's AVD-AWS-XXXX naming.

What Happened: tfsec Joined the Trivy Family

Short answer for tfsec vs Trivy: Use Trivy. Aqua Security consolidated tfsec into the Trivy family in February 2023, and the tfsec repo gets no new misconfiguration checks.

_Figure: four-step timeline. 2019 tfsec launches; 2021 Aqua acquires tfsec; Feb 2023 tfsec joins the Trivy family; 2023+ Trivy expands scope across six IaC formats plus CVE, secret, license, and SBOM scanning, far beyond Terraform-only coverage._


Both tools are maintained by Aqua Security. By 2023, tfsec’s Terraform-focused IaC scanner and Trivy’s broader IaC + containers + source code scanner had overlapping scope.

Aqua decided to consolidate. Engineering attention moved to Trivy, and tfsec’s Terraform check depth was folded into Trivy’s misconfiguration scanner.

The practical impact: if you are searching “tfsec vs Trivy” in 2026, the comparison is a migration question, not a tool selection. Switch CI to trivy config <path> and the same Terraform rules continue to run, plus a wider set covering CloudFormation, Kubernetes, Helm, Dockerfile, and Azure ARM templates.

Key Differences

| Dimension | tfsec (deprecated focus) | Trivy (active) |
|---|---|---|
| Status | Maintenance only; joined Trivy family Feb 2023 | Active, primary Aqua OSS scanner |
| Scope | Terraform-only IaC | Misconfig (IaC), vulnerability (CVE), license, secret, SBOM |
| IaC formats | Terraform | Terraform, CloudFormation, Kubernetes, Helm, Dockerfile, Azure ARM |
| Languages / runtimes | Terraform HCL | Container images, source repos, Git history, K8s clusters |
| Rule format | Custom + Rego (OPA) | Rego (OPA), the same format tfsec used |
| Output | tfsec text + JSON + JUnit + SARIF | Trivy table, JSON, SARIF, SBOM (CycloneDX/SPDX via convert), JUnit/HTML/ASFF via templates |
| CI integration | Standalone tfsec CLI, GitHub Actions | trivy CLI, GitHub Actions, GitLab template, Jenkins, Azure DevOps |
| Best for | Legacy CI not yet migrated | All current IaC + container scanning needs |

Migration Story

Why Aqua consolidated the two

By 2023, tfsec and Trivy were both Aqua-maintained open-source scanners with overlapping IaC scope. tfsec was Terraform-only. Trivy already had a misconfiguration scanner that handled Terraform, CloudFormation, Kubernetes, and more.

Maintaining two codebases for the same checks was duplicated engineering. Aqua announced the consolidation in February 2023 in the tfsec is joining the Trivy family post. Engineering attention shifted to Trivy, and the Terraform rule depth was folded in.

For users, the result was one CLI instead of two and one set of release notes instead of two.

_Figure: the aquasecurity/tfsec commit feed since the consolidation (May and January 2025), dominated by chore(deps) dependabot bumps: golangci-lint updates, Go module updates, and CVE patches in transitive dependencies. No new misconfiguration checks land here anymore._

What changed for tfsec users

The tfsec binary still works for existing CI pipelines. The repository ships dependency-bump releases (latest v1.28.14, May 2025), but no new misconfiguration rules and no new format support.

_Figure: representative `tfsec` output flagging an S3 public-read ACL and a 0.0.0.0/0 ingress security group. Pipelines still on tfsec see the legacy `AWS001` / `AWS006` rule IDs that need mapping when you migrate to Trivy._

The tfsec rule IDs (AWS001, AWS002, GCP001, AZU001, and so on) map to Trivy’s Aqua Vulnerability Database format: AVD-AWS-XXXX, AVD-GCP-XXXX, AVD-AZURE-XXXX. The official tfsec-to-trivy-migration-guide.md in the tfsec repo documents the flag-by-flag CLI mapping.

_Figure: the avd.aquasec.com page for AVD-AWS-0086 (Block Public ACLs), showing the Trivy/CSPM source, the legacy CSPM ID, and Terraform, CloudFormation, and Management Console remediation snippets. Each Trivy finding links to a page like this; the same rule body that drove tfsec's AWS001 now lives at the new ID._

Custom rules written for tfsec (in the Rego / OPA format) port to Trivy with minimal changes. The rule format is the same.

How to migrate

The smallest change is replacing the CLI invocation:

# Before (deprecated)
tfsec .

# After (active)
trivy config .
_Figure: side-by-side comparison of `tfsec .` (Terraform-only, AWS001/GCP001 IDs, deps-only releases) and `trivy config .` (six IaC formats, AVD-AWS-XXXX IDs, active development, same Rego format). Same Rego custom rules carry over; the rule-ID prefix and the format coverage are the visible differences._

For more involved CI scripts:

  1. Replace tfsec <path> with trivy config <path>.
  2. If you parse JSON output, the structure has changed. Switch to trivy config -f json <path> and update any field accessors.
  3. If you allowlist specific rule IDs, map old AWS001 → AVD-AWS-XXXX using Trivy’s documentation.
  4. If you want CloudFormation, Kubernetes, Helm, Dockerfile, or Azure ARM scanning at the same time, drop them into the same trivy config call. No extra steps.
  5. To unify with vulnerability scanning, run trivy fs <path> for source-code SCA + secret scanning alongside.
_Figure: representative `trivy config` output on the same Terraform main.tf. The AWS001 and AWS006 findings from tfsec re-emerge as AVD-AWS-0086 and AVD-AWS-0107, each with an avd.aquasec.com reference link._
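As an added example (not code from the article, tfsec, or Trivy), here is a small CI gate for steps 2 and 3 above: it reads `trivy config -f json` output, translates a legacy tfsec allowlist into AVD IDs, and fails the build on any remaining HIGH/CRITICAL finding. The JSON field names (`Results`, `Misconfigurations`, `AVDID`, `Severity`, `Status`) and the two ID mappings are assumptions taken from the article's sample output; check both against your Trivy version and the migration guide.

```python
"""CI gate over `trivy config -f json` output with a migrated tfsec allowlist.

Constructed example. Field names follow Trivy's JSON report as assumed here;
verify against the Trivy version you run.
"""
import json

# Legacy tfsec IDs -> Trivy AVD IDs. These two pairs are the ones shown in the
# article's sample output; extend the map from the migration guide as needed.
LEGACY_TO_AVD = {
    "AWS001": "AVD-AWS-0086",
    "AWS006": "AVD-AWS-0107",
}

FAIL_SEVERITIES = {"HIGH", "CRITICAL"}


def migrate_allowlist(legacy_ids):
    """Translate a tfsec exclude list to AVD IDs; unknown IDs pass through unchanged."""
    return {LEGACY_TO_AVD.get(i, i) for i in legacy_ids}


def failing_findings(report, allowlist):
    """Return (target, rule_id, severity, title) for FAIL findings not allowlisted."""
    out = []
    for result in report.get("Results", []):
        for m in result.get("Misconfigurations", []):
            rule_id = m.get("AVDID") or m.get("ID")
            if m.get("Status") != "FAIL" or rule_id in allowlist:
                continue
            if m.get("Severity") in FAIL_SEVERITIES:
                out.append((result.get("Target"), rule_id, m["Severity"], m.get("Title")))
    return out


# Constructed report shaped like `trivy config -f json .` output (titles are illustrative).
SAMPLE_REPORT = json.loads("""
{"Results": [{"Target": "main.tf", "Class": "config", "Type": "terraform",
  "Misconfigurations": [
   {"ID": "AVD-AWS-0086", "AVDID": "AVD-AWS-0086", "Severity": "HIGH",
    "Status": "FAIL", "Title": "S3 bucket has a public-read ACL"},
   {"ID": "AVD-AWS-0107", "AVDID": "AVD-AWS-0107", "Severity": "CRITICAL",
    "Status": "FAIL", "Title": "Security group allows ingress from 0.0.0.0/0"},
   {"ID": "AVD-AWS-0088", "AVDID": "AVD-AWS-0088", "Severity": "HIGH",
    "Status": "PASS", "Title": "S3 bucket encryption enabled"}]}]}
""")

if __name__ == "__main__":
    allow = migrate_allowlist(["AWS001"])  # the old tfsec exclude entry carries over
    failures = failing_findings(SAMPLE_REPORT, allow)
    for target, rule_id, sev, title in failures:
        print(f"{sev:8} {rule_id} {target}: {title}")
    raise SystemExit(1 if failures else 0)
```

In a real pipeline, replace `SAMPLE_REPORT` with `json.load(open("trivy.json"))` after running `trivy config -f json -o trivy.json <path>`.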

Trivy’s broader scope

Beyond replacing tfsec, Trivy covers:

_Figure: six-tile diagram of Trivy scan domains (misconfiguration, vulnerability (CVE), secret scanning, license, SBOM, Kubernetes cluster). Six scan domains, one binary: misconfiguration replaces tfsec; the other five expand scope into CVE, secret, license, SBOM, and live K8s scanning._
  • Container image vulnerability scanning: trivy image <image> finds CVEs in OS packages and language libraries.
  • SBOM generation and scanning: CycloneDX and SPDX output, plus the ability to scan an existing SBOM.
  • Secret scanning: pre-commit-style detection for hardcoded credentials, with Aqua’s curated rules.
  • License scanning: surfaces OSS licenses across container images and source repos.
  • Filesystem scanning: trivy fs <path> runs the full set against any directory or repo.
  • Kubernetes cluster scanning: trivy k8s <cluster> scans live workloads.

Teams that adopted tfsec for Terraform pick up the rest of these capabilities by switching the CLI to Trivy. No license cost, no new vendor.

_Figure: `trivy fs` output table showing CVE-2023-20863, CVE-2023-20861, and CVE-2022-1471 across spring-core and snakeyaml dependencies in pom.xml. The same CLI that replaces `tfsec .` also runs `trivy fs .` for SCA, surfacing CVE-2023-20863 in spring-core and CVE-2022-1471 in snakeyaml without a second tool._

What To Do Now

If you are on tfsec in CI today

  • Plan a migration sprint. Replace tfsec invocations with trivy config.
  • Map any allowlisted rule IDs from the AWS001 / GCP001 / AZU001 naming to Trivy’s AVD-AWS-XXXX.
  • Update any JSON parsers that consume tfsec output.
  • Add trivy fs and trivy image to your pipeline if you want vulnerability and secret scanning alongside.

If you are evaluating tfsec for a new project

  • Skip tfsec. The project joined the Trivy family in 2023 and gets no new checks. Start with Trivy directly.
  • For Terraform-only projects, trivy config covers what tfsec did.
  • For broader IaC scope (CloudFormation, Kubernetes, Helm, Azure ARM), Trivy handles all of it in one CLI.

If you want alternatives to Trivy

Frequently Asked Questions

Is tfsec still maintained?
Not actively for new rules. Aqua Security announced in February 2023 that tfsec is joining the Trivy family. The tfsec repo still ships dependency-bump releases (latest v1.28.14 in May 2025), but engineering attention has shifted to Trivy and no new checks are being added to tfsec. The migration path is to switch CI to trivy config <path>.
What replaced tfsec?
Trivy’s misconfiguration scanner replaced tfsec after Aqua Security consolidated the two projects in February 2023. It includes every tfsec Terraform check plus rules for CloudFormation, Kubernetes manifests, Helm charts, Dockerfile, and Azure ARM templates. Custom checks reuse the same Rego (OPA) format tfsec supported, so existing policies port over.
How do I migrate from tfsec to Trivy?
Replace tfsec <path> with trivy config <path> in your CI scripts. The default Terraform ruleset is the same; Trivy ships with the AWS, GCP, Azure, and Kubernetes checksets that tfsec used. If you allowlist specific tfsec rule IDs (AWS001, GCP002, etc.), map them to Trivy’s AVD-AWS-XXXX naming. The official tfsec-to-trivy-migration-guide.md in the tfsec repo walks through flag-by-flag equivalents.
Why did Aqua decide to consolidate tfsec into Trivy?
tfsec and Trivy were both Aqua-maintained scanners with overlapping IaC scope by 2023. Maintaining two codebases for the same Terraform checks was duplicated engineering. Consolidating gave users one CLI covering misconfiguration, vulnerability, license, secret, and SBOM scanning, and folded tfsec’s Terraform rule depth into Trivy’s broader engine.
Should I use Trivy's IaC scanning or a different tool?
Trivy is the OSS default for IaC misconfiguration scanning after the tfsec consolidation. Checkov and KICS are the main alternatives, both with strong rule sets and active maintenance. Pick Trivy for one CLI across IaC, containers, and source code; pick Checkov for IaC-only depth; pick KICS for broader cloud coverage.
Suphi Cankurt

9+ years in application security. Reviews and compares 201 AppSec tools across 12 categories to help teams pick the right solution.