Skip to content

Moving towards configuration scanning with Trivy

Overtime we've taken trivy to be the go-to scanning tool for a variety of things. This also includes terraform scanning.

This section describes some differences between Trivy and tfsec.

Feature Trivy tfsec
Policy Distribution Embedded and Updated via Registry Embedded
Custom Policies Rego Rego, JSON, and YAML
Supported Formats Dockerfile, JSON, YAML, Terraform, CloudFormation etc. Terraform Only

Comparison with examples

Simple scan

With Trivy

$ trivy config <dir>

With tfsec

$ tfsec <dir>

Passing tfvars

With Trivy

$ trivy --tf-vars <vars.tf> <dir>

With tfsec

$ tfsec <dir> --tf-vars-file <vars.tf>

Report formats

With Trivy

$ trivy config --format <format-type> <dir>

With tfsec

$ tfsec <dir> --format <format-type>

We welcome any feedback if you find features that today are not available with Trivy misconfigration scanning that are available in tfsec.