Terraform security scanners - Comparison with grades

	A	B	C	D	E	F	G	H	I	J	K	L	M
1	#	Criteria	Importance		checkov	Grade	Result	tfsec	Grade	Result	KICS	Grade	Result
2	1	is able to perform various security checks on the terraform code for the majority of important AWS services (including custom checks: encryption, IAM, public resources, etc.)	CRITICAL	1	Checkov supports many checks for many different parts of AWS infrastructure. Close second in terms of number of checks. Custom checks are supported.	1	1	tfsec supports many checks for many different parts of AWS infrastructure, but in pure numbers it offers only half as much checks than checkov and KICS. Custom checks are supported.	0.5	0.5	KICS supports many checks for many different parts of AWS infrastructure. In pure numbers it has the largest number of checks available. Custom checks are supported.	1	1
3	2	can be integrated into our development cycle for different repositories via Github Actions	CRITICAL	1	Yes	1	1	Yes	1	1	Yes	1	1
4	3	can be run on self-hosted Github runners	HIGH	0.75	Yes Easily integrates as github workflow.	1	0.75	Yes Easily integrates as github workflow.	1	0.75	Yes They don’t provide compiled executables. Need to build by themselves or use docker image	1	0.75
5	4	has capability to configure different conditions to fail or pass checks (for example severity of the finding)	MEDIUM	0.5	Not really Free version of checkov doesn’t show us the severity of individual findings and does not support ignoring checks based on the severity level. It is possible in the paid version though	0	0	Yes Can be set to ignore checks of specified severity completely	1	0.5	Yes Can be set to ignore checks of specified severity completely	1	0.5
6	5	has capability to suppress findings directly inline in code	HIGH	0.75	Yes Per line, per resource By individual check ID	1	0.75	Yes Per line, per resource By individual check ID	1	0.75	Not really Inline suppression works, but we are unable to suppress individual findings. Marked code line or whole resource will be completely excluded from further scanning. There is also no statistics on suppressed findings in the scan results.	0.5	0.375
7	6	has good readability of the scan results	MEDIUM	0.5	Partially Absence of severity of findings hurts readability For some reason output on Github is not color-coded, although locally it is Scan summary Links to documentation	0.5	0.25	Yes Color-coded output Severity of findings clearly indicated Findings sorted from higher severity to lower No aggregation of findings Scan summary Links to documentation	0.75	0.375	Yes Color-coded output Severity of findings clearly indicated Findings sorted from lower severity to higher Findings from the same security checks are aggregated Scan summary No links to documentation Also, ready-made GHA for KICS supports annotations and PR comments out of the box	1	0.5
8	7	can be integrated into AWS Security Hub or AWS Inspector (or some other centralized view for analysis, like DefectDojo)	LOW	0.25	Partially Tool doesn’t support Security Hub format, but it supports bunch of other formats	0.5	0.125	Partially Tool doesn’t support Security Hub format, but it supports bunch of other formats Also if we switch to the tool from the same vendor - trivy (which is using tfsec for terraform scanning under the hood), its reports support Security Hub format	0.75	0.1875	Yes Supports Security Hub format and bunch of other formats	1	0.25
9	8	has an open source community version	HIGH	0.75	Not really Pricing for their platform (includes not only checkov of course) Community - $0/month For up to 50 resources Standard - $99/month For 150 resources Premium - Starts at $999/month Custom resources However, free version still can do a lot of stuff	0.5	0.375	Yes	1	0.75	Yes	1	0.75
10	9	has good documentation, including mitigation recipes for found misconfigurations	LOW	0.25	Yes Solid database with explanations and suggested fixes for security checks	1	0.25	Yes Solid database with explanations and suggested fixes for security checks	1	0.25	Not really Only spreadsheet with brief descriptions of security checks	0.25	0.0625
11	10	should take as little time as possible to scan target modules	MEDIUM	0.5	Second place, but still fast. Almost no difference on small modules	1	0.5	Fastest tool in the bunch. Probably can be attributed to the smallest number of security checks	1	0.5	Each scan usually takes 30 seconds and it is almost fixed value regardless of the module size. Of course, on huge repos it'll be slower, but in general in our tests when changing multiple modules, we'll get ~30 seconds per scan. Since tool can take comma-separated list of directories/files as targets to scan, it makes it pretty fast	1	0.5
12	11	can scan external terraform modules (local or on Github)	LOW	0.25	Yes --download-external-modules option works	1	0.25	Yes by default	1	0.25	No We can point it to remote repo manually, but it doesn't do it by itself. Official container doesn't even have ssh client installed	0	0
13	12	can scan single files, not only directories	LOW	0.25	No	0	0	No	0	0	Yes That way we can optimize scan time and to make report fairer to a person who made changes (so they wouldn't have to fix whole module after changing just one file)	1	0.25
14	Final grade						5.25			5.8125			5.9375
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100