vs Conftest
Conftest is a really nice tool to help you write tests against structured configuration data. Misconfiguration detection in Trivy is heavily inspired by Conftest and provides similar features Conftest has. This section describes the differences between Trivy and Conftest.
Feature | Trivy | Conftest |
---|---|---|
Support Rego Language | ||
Built-in Policies | ||
Custom Policies | ||
Custom Data | ||
Combine | ||
Combine per Policy | ||
Policy Input Selector1 | ||
Policy Metadata2 | 3 | |
Filtering by Severity | ||
Rule-based Exceptions | ||
Namespace-based Exceptions | ||
Sharing Policies | ||
Show Successes | ||
Flexible Exit Code | ||
Rego Unit Tests | 4 | |
Go Testing | ||
Verbose Trace | ||
Supported Formats | 6 formats5 | 14 formats6 |
Trivy offers built-in policies and a variety of options, while Conftest only supports custom policies. In other words, Conftest is simpler and lighter.
Conftest is a general testing tool for configuration files, and Trivy is more security-focused. People who need an out-of-the-box misconfiguration scanner should use Trivy. People who don't need built-in policies and write your policies should use Conftest.
-
Pass only the types of configuration file as input, specified in selector ↩
-
To enrich the results such as ID, Title, Description, etc. ↩
-
Conftest supports structured errors in rules, but they are free format and not natively supported by Conftest. ↩
-
Trivy is not able to run
*_test.rego
likeconftest verify
. ↩ -
Dockerfile, HCL, HCL2, JSON, TOML, and YAML ↩
-
CUE, Dockerfile, EDN, HCL, HCL2, HOCON, Ignore files, INI, JSON, Jsonnet, TOML, VCL, XML, and YAML ↩