Skip to content

vs cfsec

cfsec uses static analysis of your CloudFormation templates to spot potential security issues. Trivy uses cfsec internally to scan both JSON and YAML configuration files, but Trivy doesn't support some features provided by cfsec. This section describes the differences between Trivy and cfsec.

Feature Trivy cfsec
Built-in Policies
Custom Policies Rego1
Policy Metadata2
Show Successes
Disable Policies
Show Issue Lines
View Statistics
Filtering by Severity
Supported Formats Dockerfile, JSON, YAML, Terraform, etc. CloudFormation JSON and YAML

cfsec is designed for CloudFormation. People who use only want to scan their CloudFormation templates should use cfsec. People who want to scan a wide range of configuration files should use Trivy.


  1. CloudFormation files are not supported 

  2. To enrich the results such as ID, Title, Description, Severity, etc.