vs cfsec

cfsec uses static analysis of your CloudFormation templates to spot potential security issues. Trivy uses cfsec internally to scan both JSON and YAML configuration files, but Trivy doesn’t support some features provided by cfsec. This section describes the differences between Trivy and cfsec.

| Feature | Trivy | cfsec |
|---|---|---|
| Built-in Policies | [icon] | [icon] |
| Custom Policies | Rego [1] | [icon] |
| Policy Metadata [2] | [icon] | [icon] |
| Show Successes | [icon] | [icon] |
| Disable Policies | [icon] | [icon] |
| Show Issue Lines | [icon] | [icon] |
| View Statistics | [icon] | [icon] |
| Filtering by Severity | [icon] | [icon] |
| Supported Formats | Dockerfile, JSON, YAML, Terraform, etc. | CloudFormation JSON and YAML |

cfsec is designed for CloudFormation. People who only want to scan their CloudFormation templates should use cfsec. People who want to scan a wide range of configuration files should use Trivy.


  1. CloudFormation files are not supported

  2. Used to enrich the results with fields such as ID, Title, Description, Severity, etc.