Conftest is a really nice tool to help you write tests against structured configuration data. Misconfiguration detection in Trivy is heavily inspired by Conftest and provides many of the same features. This section describes the differences between Trivy and Conftest.
| Feature                    |     Trivy     |   Conftest    |
|----------------------------|:-------------:|:-------------:|
| Support Rego Language      |      ✅       |      ✅       |
| Combine per Policy         |      ✅       |      ✅       |
| Policy Input Selector[^1]  |      ✅       |      ❌       |
| Built-in Policies          |      ✅       |      ❌       |
| Policy Metadata[^2]        |      ✅       |    ❌[^3]     |
| Filtering by Severity      |      ✅       |      ❌       |
| Flexible Exit Code         |      ✅       |      ❌       |
| Rego Unit Tests            |    ❌[^4]     |      ✅       |
| Supported Formats          | 6 formats[^5] | 14 formats[^6] |
Trivy offers built-in policies and a variety of options, while Conftest only supports custom policies. In other words, Conftest is simpler and lighter.
Conftest is a general testing tool for configuration files, and Trivy is more security-focused. People who need an out-of-the-box misconfiguration scanner should use Trivy. People who don't need built-in policies and want to write their own should use Conftest.
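The input selector and policy metadata rows above are easiest to see in a policy file. The following is an added example, not taken from this page or from the Trivy project; it uses the `__rego_metadata__` and `__rego_input__` blocks that Trivy's custom-policy format accepted at the time this comparison was written (the rule ID, title and severity are placeholder values), so check the schema against the Trivy version you run. The `deny` rule at the bottom is the only part Conftest would evaluate; without the metadata block there is nothing for severity filtering to act on.

```rego
# Added example policy for Trivy's custom misconfiguration checks.
# Package name, ID and text are constructed placeholders.
package user.kubernetes.ID001

# Metadata that Trivy attaches to each finding (ID, title, severity,
# description). Conftest ignores this block; its results carry only the
# message string produced by the deny rule.
__rego_metadata__ := {
    "id": "ID001",
    "title": "Privileged container",
    "severity": "HIGH",
    "type": "Custom Kubernetes Check",
    "description": "Containers must not run in privileged mode.",
}

# Input selector: Trivy evaluates this policy only against parsed
# Kubernetes manifests, not against every file it scans.
__rego_input__ := {
    "selector": [
        {"type": "kubernetes"},
    ],
}

# The rule body itself is ordinary Rego and would work unchanged under
# `conftest test`, minus the selector and metadata behaviour above.
deny[msg] {
    some i
    container := input.spec.template.spec.containers[i]
    container.securityContext.privileged == true
    msg := sprintf("container '%s' in '%s' runs privileged", [container.name, input.metadata.name])
}
```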
[^1]: Pass only the types of configuration file as input, specified in selector.
[^2]: To enrich the results such as ID, Title, Description, etc.
[^3]: Conftest supports structured errors in rules, but they are free format and not natively supported by Conftest.
[^4]: Trivy is not able to run `conftest verify`.
[^5]: Dockerfile, HCL, HCL2, JSON, TOML, and YAML
[^6]: CUE, Dockerfile, EDN, HCL, HCL2, HOCON, Ignore files, INI, JSON, Jsonnet, TOML, VCL, XML, and YAML