Skip to content

vs Conftest

Conftest is a really nice tool to help you write tests against structured configuration data. Misconfiguration detection in Trivy is heavily inspired by Conftest and provides similar features Conftest has. This section describes the differences between Trivy and Conftest.

Feature Trivy Conftest
Support Rego Language
Built-in Policies
Custom Policies
Custom Data
Combine
Combine per Policy
Policy Input Selector1
Policy Metadata2 3
Filtering by Severity
Rule-based Exceptions
Namespace-based Exceptions
Sharing Policies
Show Successes
Flexible Exit Code
Rego Unit Tests 4
Go Testing
Verbose Trace
Supported Formats 6 formats5 14 formats6

Trivy offers built-in policies and a variety of options, while Conftest only supports custom policies. In other words, Conftest is simpler and lighter.

Conftest is a general testing tool for configuration files, and Trivy is more security-focused. People who need an out-of-the-box misconfiguration scanner should use Trivy. People who don't need built-in policies and write your policies should use Conftest.


  1. Pass only the types of configuration file as input, specified in selector 

  2. To enrich the results such as ID, Title, Description, etc. 

  3. Conftest supports structured errors in rules, but they are free format and not natively supported by Conftest. 

  4. Trivy is not able to run *_test.rego like conftest verify

  5. Dockerfile, HCL, HCL2, JSON, TOML, and YAML 

  6. CUE, Dockerfile, EDN, HCL, HCL2, HOCON, Ignore files, INI, JSON, Jsonnet, TOML, VCL, XML, and YAML