Skip to content

vs cfsec

cfsec uses static analysis of your CloudFormation templates to spot potential security issues. Trivy uses cfsec internally to scan both JSON and YAML configuration files, but Trivy doesn't support some features provided by cfsec. This section describes the differences between Trivy and cfsec.

Feature Trivy cfsec
Built-in Policies
Custom Policies
Policy Metadata1
Show Successes
Disable Policies
Show Issue Lines
View Statistics
Filtering by Severity
Supported Formats Dockerfile, JSON, YAML, Terraform, CloudFormation etc. CloudFormation JSON and YAML

cfsec is designed for CloudFormation. People who use only want to scan their CloudFormation templates should use cfsec. People who want to scan a wide range of configuration files should use Trivy.

  1. To enrich the results such as ID, Title, Description, Severity, etc.