The scanner landscape
tfsec/Trivy, Terrascan, KICS, Snyk.
Checkov is one of several IaC scanners, and knowing the landscape helps you choose and combine them. tfsec was the popular Terraform-focused scanner; it has been merged into Trivy, which is now a single tool spanning IaC misconfig, image/OS vulnerabilities, secrets, and SBOM. Terrascan (Tenable) uses OPA/Rego under the hood for its policies. KICS (Checkmarx) covers a very wide set of IaC and query types. Snyk IaC is the commercial option with a managed catalog.
Choosing and not over-stacking
Because these tools overlap so much, running all of them multiplies noise and maintenance for little added coverage. Pick one primary IaC scanner (Checkov for breadth and custom policies, or Trivy if you want IaC plus image/secret scanning unified), standardize your team on its findings format and suppression syntax, and only add a second scanner for a specific gap it uniquely fills. Consistency beats coverage-by-accumulation.
# Trivy also scans IaC config (the ex-tfsec engine) — one tool, several jobs$ trivy config . # IaC misconfigurations$ trivy fs --scanners secret . # leaked secrets in the repo$ trivy image registry.internal/app:1.4.2 # image vulnerabilities