Checkov, Terrascan, and KICS are the three major IaC (Infrastructure-as-Code) security scanners used to detect vulnerabilities, misconfigurations, insecure defaults, and compliance issues across Terraform, CloudFormation, Kubernetes, Dockerfiles, Helm charts, and serverless templates. These tools form the core scanning stack in DevSecOps pipelines, ensuring that cloud infrastructure is secure before deployment.
Why These Tools Matter
IaC files define how cloud resources are deployed. One small mistake—like a public S3 bucket or open security group—can expose an entire system. These tools automatically analyze IaC code and enforce security best practices, compliance rules, and governance controls.
Using all three tools together yields maximum detection coverage and reduces blind spots.
Tool Overview
Checkov
Checkov performs deep static analysis on IaC files. It includes hundreds of policies for:
• Terraform
• CloudFormation
• Kubernetes manifests
• ARM templates
• Helm charts
• Dockerfiles
Checkov scans for:
• public resources
• insecure IAM roles
• missing encryption
• open security groups
• disabled logging
• secrets in IaC
It also supports custom policies (YAML or Python).
Terrascan
Terrascan uses Open Policy Agent (OPA) Rego for policy enforcement. This enables advanced governance and custom compliance frameworks. Terrascan scans:
• Terraform
• CloudFormation
• Kubernetes
• Helm charts
• Dockerfiles
• Kustomize
Terrascan highlights:
• insecure defaults
• network exposure
• misconfigured cloud services
• RBAC misconfigurations
• policy violations
It is powerful for enterprise compliance and custom rule-writing.
KICS
KICS (Keeping Infrastructure as Code Secure) is a fast, extensive IaC scanner created by Checkmarx. It supports:
• Terraform
• CloudFormation
• Kubernetes
• Dockerfiles
• Ansible
• Packer
• Pulumi
KICS scans for:
• misconfigurations
• insecure resources
• compliance issues
• portability risks
• secrets in IaC
KICS also provides deep contextual analysis of IaC architecture.
Core Differences Between the Tools
Checkov
• Fast, developer-friendly
• Huge rule library
• Great for CI/CD scanning
• Supports Python/YAML custom policies
Terrascan
• OPA Rego policy-based
• Best for enterprise governance
• Highly customizable rules
• Great alignment with compliance frameworks
KICS
• Broad scope (Ansible/Pulumi etc.)
• Very high speed scanning
• Large rule library
• Easy integration
Using all three ensures maximum coverage.
Installing The Tools
Checkov
pip install checkov
Terrascan
curl -L https://runterrascan.io/install.sh | bash
KICS
curl -sSL https://github.com/Checkmarx/kics/releases/latest/download/kics-linux-x64.tar.gz | tar -xz
Scanning IaC
Checkov Example
checkov -d .
Scan specific file:
checkov -f main.tf
Terrascan Example
terrascan scan -d .
Run with OPA policies:
terrascan scan -p policies/ -d .
KICS Example
kics scan -p . -o results/ --report-formats json
KICS detects the IaC types under the path automatically and writes results.json into the output directory.
What These Tools Detect
Networking Issues
• 0.0.0.0/0 ingress
• public EC2
• open database ports
• public IP assignment
Storage Risks
• unencrypted S3
• public buckets
• missing KMS keys
• unencrypted EBS/RDS volumes
IAM Problems
• wildcard IAM policies
• no MFA for users
• excessive role privileges
• cross-account exposure
Logging and Monitoring
• CloudTrail disabled
• VPC Flow Logs disabled
• missing WAF logs
• no ELB access logs
Kubernetes Risks
• privileged pods
• missing securityContext
• hostPath access
• no NetworkPolicies
Dockerfile Misconfigurations
• running as root
• exposing secrets
• missing healthchecks
Secrets in IaC
Hardcoded:
• passwords
• API keys
• OAuth tokens
• SSH keys
Full-Length Practical Section
Hands-on exercises will help you master Checkov, Terrascan, and KICS in a real DevSecOps workflow.
Practical 1: Scan Terraform With Checkov
Create an intentionally insecure Terraform file (main.tf):
resource "aws_s3_bucket" "bad" {
  bucket = "mybucket"
  acl    = "public-read"
}
Run:
checkov -d .
Fix flagged issues.
Practical 2: Scan Security Groups With Terrascan
resource "aws_security_group_rule" "ingress" {
  cidr_blocks = ["0.0.0.0/0"]
}
Run:
terrascan scan -d .
Evaluate OPA-driven findings.
Practical 3: Scan Entire IaC Repo With KICS
kics scan -p infra/
Review each finding's severity, resource, file, and suggested fix.
Practical 4: Scan Kubernetes Manifests With Checkov
checkov -d k8s/
Fix privileges, capabilities, network settings.
Practical 5: Detect Secrets With KICS
Add:
password = "admin123"
Scan:
kics scan -p .
Detect hardcoded secret.
Practical 6: Write Custom OPA Policy for Terrascan
Rule denying wildcard IAM actions. Terrascan policies live in the accurics package, use a templated rule name, and are registered by a JSON metadata file beside the .rego file that names the resource_type (here aws_iam_role_policy) and the severity:
package accurics
{{.prefix}}{{.name}}{{.suffix}}[role.id] {
  role := input.aws_iam_role_policy[_]
  statement := json.unmarshal(role.config.policy).Statement[_]
  wildcard(statement.Action)
}
wildcard(a) { a == "*" }
wildcard(a) { a[_] == "*" }
Run:
terrascan scan -p policies/ -d .
Practical 7: Detect Unencrypted RDS With Checkov
resource "aws_db_instance" "db" {
  allocated_storage = 20
  storage_encrypted = false
}
Scan with Checkov and fix the finding by setting storage_encrypted = true.
Practical 8: Kubernetes Policy Scanning With Terrascan
Scan:
terrascan scan -d k8s/
Fix:
• runAsRoot
• privileged containers
• hostNetwork
Practical 9: Scan Dockerfile With KICS
kics scan -p .
Find:
• root user
• secrets
• missing best practices
Practical 10: Validate AWS IAM Roles With cfn-nag + Checkov
Check CloudFormation IAM resources across scanners.
Practical 11: Create IaC Pre-Commit Hook
Add hook:
checkov -d .
terrascan scan -d .
kics scan -p .
The hook blocks commits that contain insecure IaC.
Practical 12: Multi-Tool CI Pipeline
GitHub Actions steps:
- name: KICS Scan
  uses: checkmarx/kics-github-action@v2
  with:
    path: .
- name: Checkov Scan
  uses: bridgecrewio/checkov-action@master
- name: Terrascan Scan
  uses: tenable/terrascan-action@main
  with:
    iac_type: terraform
Configure each step to fail the build on high-severity findings.
Practical 13: Compare Tool Findings
Run all:
checkov -d .
terrascan scan -d .
kics scan -p .
Compare:
• unique findings
• overlaps
• blindspots
Practical 14: Create Baseline for IaC
checkov -d . --output json > baseline.json
Repeat weekly and diff the new report against the baseline to detect drift.
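The comparison in Practical 13 and the drift check in Practical 14 both need the three tools' reports mapped onto a common key. This added example (not code from the page or from any of the tools) normalizes each tool's JSON to (file, resource) keys; the sample reports are constructed, and the field names are assumptions taken from each tool's JSON output format, so check them against the versions you run.

```python
from os.path import basename

# Constructed sample reports in the shape of each tool's JSON output. The field
# names are assumptions from the tools' documented formats; check them against
# the versions you run (checkov can also emit a list of such reports).
CHECKOV = {"results": {"failed_checks": [
    {"check_id": "CKV_AWS_20", "file_path": "/main.tf", "resource": "aws_s3_bucket.bad"},
    {"check_id": "CKV_AWS_16", "file_path": "/db.tf", "resource": "aws_db_instance.db"}]}}
TERRASCAN = {"results": {"violations": [
    {"rule_id": "AC_AWS_0207", "file": "main.tf", "resource_type": "aws_s3_bucket",
     "resource_name": "bad", "severity": "HIGH"}]}}
KICS = {"queries": [
    {"query_id": "q-s3-public-acl", "severity": "HIGH", "files": [
        {"file_name": "main.tf", "resource_type": "aws_s3_bucket", "resource_name": "bad"}]},
    {"query_id": "q-sg-open-ingress", "severity": "MEDIUM", "files": [
        {"file_name": "sg.tf", "resource_type": "aws_security_group_rule",
         "resource_name": "ingress"}]}]}

def normalize(tool, report):
    """Map one tool's report to {(file, "type.name"): {rule ids}} so findings line up."""
    out = {}
    if tool == "checkov":
        for c in report["results"]["failed_checks"]:
            out.setdefault((basename(c["file_path"]), c["resource"]), set()).add(c["check_id"])
    elif tool == "terrascan":
        for v in report["results"]["violations"]:
            key = (basename(v["file"]), f'{v["resource_type"]}.{v["resource_name"]}')
            out.setdefault(key, set()).add(v["rule_id"])
    elif tool == "kics":
        for q in report["queries"]:
            for f in q["files"]:
                key = (basename(f["file_name"]), f'{f["resource_type"]}.{f["resource_name"]}')
                out.setdefault(key, set()).add(q["query_id"])
    return out

def compare(reports):
    """Practical 13: which tools flagged each resource. A resource flagged by one
    tool only is that tool's unique finding and the other tools' blind spot."""
    flagged = {}
    for tool, report in reports.items():
        for key in normalize(tool, report):
            flagged.setdefault(key, set()).add(tool)
    overlap = {k: t for k, t in flagged.items() if len(t) > 1}
    unique = {k: next(iter(t)) for k, t in flagged.items() if len(t) == 1}
    return overlap, unique

def drift(baseline, current):
    """Practical 14: (newly flagged, fixed) resource keys between two normalized
    runs, e.g. the saved baseline.json report and this week's scan."""
    return set(current) - set(baseline), set(baseline) - set(current)
```

Call compare() with the parsed reports of all three tools, and drift() with normalize() applied to the saved baseline and to the fresh run.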
Practical 15: Validate Helm Charts
checkov -d charts/
terrascan scan -d charts/
kics scan -p charts/
Practical 16: Scan AWS CloudFormation With Multiple Tools
Scan with:
• Checkov
• Terrascan
• KICS
Fix S3, IAM, EC2, RDS, Flow Logs issues.
Practical 17: Scan Azure IaC
Use:
checkov -d arm/
kics scan -p arm/
terrascan scan -d arm/
Practical 18: Secure GCP IaC
Find misconfigs in:
• GCE
• Cloud SQL
• GKE
• Storage Buckets
Practical 19: Create Policy-as-Code Governance Framework
Use Terrascan + OPA + Checkov custom policies.
Practical 20: Build Full IaC Security Architecture
Include:
• Checkov for deep scanning
• Terrascan for OPA governance
• KICS for fast and wide analysis
• Pre-commit hooks
• CI/CD enforcement
• Central policy repository
• Weekly drift detection
• Secrets detection
• Reporting dashboards
This creates an end-to-end IaC security pipeline.
Intel Dump
• Checkov, Terrascan, and KICS are top IaC security tools
• They detect misconfigurations in Terraform, CloudFormation, Kubernetes, Dockerfiles, Helm
• Cover encryption, networking, IAM, logging, secrets, RBAC, resource policies
• Practicals include scanning, custom OPA rules, CI integration, pre-commit hooks, Kubernetes scanning, Dockerfile scanning, and full IaC governance architecture