checkov VS terratest

GitHub: bridgecrewio/checkov

Policy-as-code as the spec layer. Tools like OPA (Open Policy Agent), Checkov, and HashiCorp Sentinel let you write rules that are both human-readable and machine-enforceable. A Rego policy that says deny[msg] { not input.resource.aws_s3_bucket.encryption } is simultaneously your spec and your test. That's the Specs = Tests convergence in practice. Static analysis tools like tflint and Trivy add another enforcement layer — catching misconfigurations and security issues before anything gets planned or applied.

Documentation Files Setup Guide Deployment Guide Access Guide Cost Optimization Monitoring Setup Technologies Used FastAPI Documentation Terraform AWS Provider Terraform Azure Provider Helm Documentation Kubernetes Documentation Prometheus Documentation Grafana Documentation Tools & Security Trivy Scanner Checkov IaC Scanner GitHub Actions Connect With Me I’d love to hear your feedback, questions, or suggestions!

checkov - Security and compliance scanning

Checkov - IaC Security

Checkov https://www.checkov.io A static analysis tool to scan infrastructure code for misconfigs, secrets, and best practice violations.

PR #6647

terraform validate checks syntax. terraform plan previews changes. Neither tells you whether the infrastructure you deploy actually works. Terratest fills that gap by deploying real infrastructure, running assertions against it, then destroying it — all from Go's standard testing package.

Terratest for integration and behavioral tests. When you need to verify that a deployed VNet actually has the right peering connections, or that an AKS cluster's network policy blocks cross-namespace traffic, Terratest with Go gives you the assertion power you need. Yes, it's a language switch. If your team prefers Python or BDD-style specs, terraform-compliance lets you write Gherkin-syntax tests like Then it must have encryption enabled — which is arguably the closest thing to "specs that are literally tests." Pick the tool that fits your team; the principle stays the same.

Terratest is a Go-based testing framework from Gruntwork that includes first-class Helm support. Unlike helm-unittest, Terratest deploys charts to real clusters and allows programmatic assertions in Go.

Terraform provides a built-in testing framework to validate your project. The testing framework supports both unit and integration tests. It handles unit tests by creating a deployment plan and running the tests against that plan. While Terraform's testing framework allows you to validate basic properties, you may need to write more advanced tests to verify your virtual machines are set up correctly. You can create advanced tests using open source testing tools like Terratest and Kitchen-Terraform.

Before using a module in production, make sure to test it in isolated environments. You can use tools like Terratest to write automated tests for your modules. This ensures they work as expected in different scenarios.

The Terratest Go library leverages this to define a variety of test cases used to test Docker images, cloud infrastructure defined for AWS, Azure, GCP, Kubernetes, and many more.

Terratest is a Go library that provides tools and patterns for testing infrastructure, with first-class support for Terraform, Packer, Docker, Kubernetes, and more. It's used to write automated tests for your infrastructure code.

I think I found it. This is the one right? https://github.com/gruntwork-io/terratest/

What it does in parallel is basically init/plan/show using terratest on every subdirectory on your repository tree or provided paths. The output is either a JSON summary or a custom made Junit XML test file you can ingest into your tests reader. It took it around 8 minutes to map the entirety of our bloated repository.

You could deploy to a separate account (usually dev first), you can use terratest, you could try something like LocalStack. I dare say there’s other methods.