vs tfsec

tfsec uses static analysis of your Terraform templates to spot potential security issues. Trivy uses tfsec internally to scan Terraform HCL files, but Trivy doesn’t support some features provided by tfsec. This section describes the differences between Trivy and tfsec.

| Feature               | Trivy                                   | tfsec         |
| --------------------- | --------------------------------------- | ------------- |
| Built-in Policies     | [icon]                                  | [icon]        |
| Custom Policies       | Rego [1]                                | JSON and YAML |
| Policy Metadata [2]   | [icon]                                  | [icon]        |
| Show Successes        | [icon]                                  | [icon]        |
| Disable Policies      | [icon]                                  | [icon]        |
| Show Issue Lines      | [icon]                                  | [icon]        |
| Support .tfvars       | [icon]                                  | [icon]        |
| View Statistics       | [icon]                                  | [icon]        |
| Filtering by Severity | [icon]                                  | [icon]        |
| Supported Formats     | Dockerfile, JSON, YAML, Terraform, etc. | Terraform     |

(Cells marked [icon] held a supported/not-supported icon that did not survive extraction.)

tfsec is designed for Terraform. People who use only Terraform should use tfsec. People who want to scan a wide range of configuration files should use Trivy.


  1. Terraform HCL files are not supported by custom policies.

  2. Metadata enriches each result with fields such as ID, Title, Description and Severity.
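The table lists Rego as Trivy's custom policy language and footnote 2 describes the metadata that enriches results. The following is an added illustration written for this page, not code from the Trivy or tfsec projects: a custom Rego policy that denies privileged Kubernetes containers and carries the metadata fields the footnote names. The package namespace `user`, the policy ID `ID001`, the selector type `kubernetes` and the `__rego_metadata__` / `__rego_input__` conventions are assumptions about the custom-policy format Trivy used at the time of this page; check them against the custom policy documentation for your Trivy version.

```rego
# Added example (not from the Trivy docs): a custom Trivy policy in Rego.
# The package must live under the namespace passed on the command line
# (assumed here to be "user").
package user.kubernetes.ID001

# Policy metadata (assumed field names): these values enrich each finding
# with an ID, title, severity and description in Trivy's output.
__rego_metadata__ := {
    "id": "ID001",
    "title": "Privileged container",
    "severity": "HIGH",
    "type": "Kubernetes Security Check",
    "description": "Containers must not run with securityContext.privileged set to true.",
}

# Input selector (assumed): apply this policy only to Kubernetes manifests.
# Terraform HCL is not a selectable input for custom policies (footnote 1).
__rego_input__ := {
    "selector": [
        {"type": "kubernetes"},
    ],
}

# One finding per privileged container in a Pod manifest.
deny[msg] {
    input.kind == "Pod"
    container := input.spec.containers[_]
    container.securityContext.privileged == true
    msg := sprintf("container %q in Pod %q is privileged", [container.name, input.metadata.name])
}
```

A policy like this would be loaded with a command of the form `trivy config --policy ./policies --namespaces user ./manifests`; the exact flag names differ between Trivy versions, so treat them as an assumption rather than a fixed interface. Because the selector only admits Kubernetes input, a Terraform file in the scanned directory is simply not evaluated by this policy, which is the practical consequence of footnote 1.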