checkov
Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew. (by bridgecrewio)
kics
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx. (by Checkmarx)
| checkov | kics | |
|---|---|---|
| 63 | 13 | |
| 7,729 | 2,406 | |
| 2.0% | 4.2% | |
| 9.9 | 9.2 | |
| 2 days ago | 6 days ago | |
| Python | Open Policy Agent | |
| Apache License 2.0 | Apache License 2.0 |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
checkov
Posts with mentions or reviews of checkov.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2025-06-19.
-
Ditched Terraform for OpenTofu. Why Devs Everywhere Are Making the Same Move (cheatsheet included)
Checkov https://www.checkov.io A static analysis tool to scan infrastructure code for misconfigs, secrets, and best practice violations.
-
Custom Security Checks for AWS Cloud Control Provider with Checkov
PR #6647
-
DevOps in 2025: the future is automated, git-ified, and kinda scary but fun.
Checkov infrastructure-as-code misconfig detection
-
Boas Práticas de Segurança e Qualidade no Terraform.
Link do repo
-
Top Terraform/OpenTofu tools to Use in 2025
Link: https://github.com/bridgecrewio/checkov
-
Terraform Cookbook: Development Environment Recipe
Checkov: static analysis for IaC
-
Building Web Applications Using Amazon EKS : AWS Project
Prior to deploying kubernetes manifest files to EKS Cluster, supplementary steps need to be added to prevent security and misconfiguration issue by using both *Checkov *and Trivy . Also, we will use seperate ArgoCD account from admin user that we’ve used in the previous lab. This will follow ArgoCD RBAC rule to secure ArgoCD and EKS cluster ultimately.
-
Automating Snowflake Resource Deployment using Terraform and GitHub Actions
The workflow also includes a step for infrastructure code scan to scan Terraform code. This uses Checkov action against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.
-
Cloud Security and Resilience: DevSecOps Tools and Practices
1. Checkov: https://github.com/bridgecrewio/checkov Checkov is a static code analysis tool that helps developers prevent cloud misconfigurations during the development phase by scanning Terraform, CloudFormation, Kubernetes, and more.
-
A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons
Checkov Owner/Maintainer: Prisma Cloud by Palo Alto Networks (acquired in 2021) Age: First released on GitHub on March 31st, 2021 License: Apache License 2.0
kics
Posts with mentions or reviews of kics.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2024-04-16.
-
A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons
KICS (stands for "Keeping Infrastructure as Code Secure"): Owner/Maintainer: Checkmarx Age: First released on GitHub on November 30th, 2020 License: Apache License 2.0
-
What are the best static analysis security testing tools for Terraform and infrastructure as code?
The ones I remember being alright from a bunch of trials/PoC we did at my job were Snyk https://snyk.io/product/infrastructure-as-code-security/ and The one Gitlab Ultimate uses, https://github.com/Checkmarx/kics
-
Securing the software supply chain in the cloud
KICS – Scan for Infrastructure-as-Code vulnerabilities
- Looking for Tips on Open Sourcing a kubernetes security tool
-
Implement DevSecOps to Secure your CI/CD pipeline
Checkov, Terrascan, and Kics can be used to scan our Infrastructure code. It supports Terraform, Cloudformation, and Azure ARM resources.
-
List of most useful Terraform open-source tools
kics: https://github.com/Checkmarx/kics
Cost:
-
KICS (Keep Infrastructure as Code Secure) community meetings
Details about the meeting on this thread: https://github.com/Checkmarx/kics/discussions/5675
-
Terraform AWS 4.0 Provider migration
We have a request in KICS (Keep IaC secure, https://github.com/Checkmarx/kics) to support AWS 4.0 provider and I wondered how fast did people adopt it and did the required changes.
- Question for the Argo-Verse
What are some alternatives?
When comparing checkov and kics you can also consider the following projects:
trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
OPA (Open Policy Agent) - Open Policy Agent (OPA) is an open source, general-purpose policy engine.
terrascan - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
tflint - A Pluggable Terraform Linter
kube-linter - KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.