Infrastructure Scanners 2026: Trivy, Checkov, Terrascan, kube-bench

Introduction

Infrastructure security scanning is essential for catching misconfigurations before they reach production. The landscape of scanners in 2026 offers specialized tools for different layers: container images and filesystems, IaC templates, Kubernetes configurations, and runtime posture. This article covers Trivy, Checkov, Terrascan, and kube-bench.





Trivy

Aqua Security's comprehensive vulnerability scanner covering containers, filesystems, repositories, and IaC:

```bash
# Installation
brew install trivy

# Scan container images
trivy image nginx:latest
trivy image --severity HIGH,CRITICAL my-app:latest

# Scan filesystem
trivy fs .

# Scan git repository
trivy repo https://github.com/org/my-repo

# Scan IaC configurations
trivy config ./terraform/
trivy config --severity CRITICAL ./kubernetes/

# Scan Kubernetes cluster
trivy k8s cluster --report summary

# Output formats
trivy image my-app --format json --output results.json
trivy image my-app --format sarif --output results.sarif
# There is no native html format; HTML comes from the template format
# using the html.tpl shipped in Trivy's contrib directory
trivy image my-app --format template --template "@contrib/html.tpl" --output report.html

# In CI, fail on critical issues
trivy image --exit-code 1 --severity CRITICAL my-app
```

```yaml
# trivy.yaml — configuration file
severity:
  - HIGH
  - CRITICAL
format: table
exit-code: 1
vulnerability:
  ignore-unfixed: true
  type: [os, library]
scan:
  skip-dirs:
    - node_modules
    - .git
  scanners:
    - vuln
    - secret
    - misconfig
```






**Key features**: Single binary, comprehensive vulnerability database, IaC scanning (Terraform, K8s, Dockerfile), secret detection, SBOM generation. The most versatile scanner in the ecosystem.





Checkov

Bridgecrew's policy-as-code scanner for IaC:

```bash
# Installation
pip install checkov

# Scan Terraform
checkov --directory terraform/

# Scan CloudFormation
checkov -f cloudformation/template.yaml

# Scan Kubernetes manifests
checkov --directory k8s/

# Scan multiple frameworks
checkov --directory . --framework terraform,kubernetes,helm

# Output formats
checkov -d . --output json > results.json
checkov -d . --output junitxml > checkov-junit.xml

# Soft fail (don't exit with error)
checkov -d . --soft-fail

# Skip specific checks
checkov -d . --skip-check CKV_AWS_52,CKV_AWS_79

# External checks directory
checkov -d . --external-checks-dir custom-checks/
```

```yaml
# .checkov.yaml
quiet: true
compact: true
skip-check:
  - CKV_AWS_52 # S3 bucket encryption (if using external KMS)
  - CKV2_AWS_6 # VPC flow logs (if not required)
soft-fail: true
framework:
  - terraform
  - kubernetes
output: cli
```







**Custom policies** in YAML (Checkov's graph-policy schema uses `cond_type`, `resource_types`, `attribute`, `operator` and `value` for each condition; nested block attributes are addressed with `/[index]/` path segments):

```yaml
# custom-checks/custom_policy.yaml
metadata:
  id: "CUSTOM_AWS_001"
  name: "EC2 instances must have detailed monitoring"
  category: "LOGGING"
definition:
  and:
    # aws_instance exposes monitoring as a top-level boolean argument.
    # Checking for equals "true" rather than not_equals "false" matters:
    # an omitted argument defaults to false and would otherwise pass.
    - cond_type: "attribute"
      resource_types:
        - "aws_instance"
      attribute: "monitoring"
      operator: "equals"
      value: "true"
    # aws_launch_template nests it in a monitoring { enabled = ... } block
    - cond_type: "attribute"
      resource_types:
        - "aws_launch_template"
      attribute: "monitoring/[0]/enabled"
      operator: "equals"
      value: "true"
```







Terrascan

Accurics' static code analyzer for IaC:

```bash
# Installation
brew install terrascan

# Scan directory
terrascan scan -d terraform/

# Scan specific IaC type
terrascan scan -d . -i terraform

# Scan Kubernetes
terrascan scan -d k8s/ -i k8s

# Policy categories
terrascan scan -d . --policy-type aws,gcp

# Output formats
terrascan scan -d . -o json
terrascan scan -d . -o yaml
terrascan scan -d . -o sarif

# Use specific policy set
terrascan scan -d . --categories "network,logging"

# Non-recursive scan
terrascan scan -d . --non-recursive
```







kube-bench

CIS Kubernetes Benchmark validator:

```bash
# Installation
# Run as a job in the cluster
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml

# Or install locally
curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.9.0/kube-bench_0.9.0_linux_amd64.tar.gz | tar xz

# Run benchmark
./kube-bench
./kube-bench --version 1.28 # Specify K8s version

# Run specific checks
./kube-bench --check 1.1.1,1.1.2,1.2.1

# As a Kubernetes job
kubectl get jobs
kubectl logs job/kube-bench
```

```yaml
# kube-bench job
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench
spec:
  template:
    spec:
      hostPID: true
      containers:
        - name: kube-bench
          image: aquasec/kube-bench:latest
          command: ["kube-bench"]
          volumeMounts:
            - name: var-lib
              mountPath: /var/lib/etcd
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
      restartPolicy: Never
      volumes:
        - name: var-lib
          hostPath:
            path: /var/lib/etcd
        - name: etc-kubernetes
          hostPath:
            path: /etc/kubernetes
```







CI Integration

```yaml
# .github/workflows/infra-scan.yml
name: Infrastructure Security Scan

on:
  pull_request:
    paths:
      - 'terraform/**'
      - 'k8s/**'
      - 'Dockerfile'

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy IaC scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          scan-ref: '.'
          exit-code: '1'
          severity: 'HIGH,CRITICAL'

      - name: Run Checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: terraform/
          soft_fail: false
          framework: terraform

      - name: Run Terrascan
        uses: tenable/terrascan-action@main
        with:
          iac_type: 'terraform'
          iac_dir: 'terraform'
```







Comparison

| Feature | Trivy | Checkov | Terrascan | kube-bench |
|---------|-------|---------|-----------|------------|
| Scope | Containers, FS, IaC, K8s | IaC only (multi-cloud) | IaC only | K8s CIS only |
| IaC support | TF, K8s, Dockerfile | TF, CF, K8s, ARM, Helm | TF, K8s, CF | N/A |
| Policy engine | Built-in | Rego + custom YAML | Rego | CIS benchmark |
| Speed | Fast | Moderate | Moderate | Fast |
| False positives | Low | Medium | Medium | Low |





Recommendations

* **Comprehensive scanning**: Use Trivy as your primary scanner covering containers, IaC, and secrets.
* **IaC policy enforcement**: Use Checkov with custom policies for organizational compliance requirements.
* **Multi-cloud IaC**: Use Terrascan for its strong Rego-based policy engine across cloud providers.
* **Kubernetes audit**: Run kube-bench regularly against every cluster for CIS compliance.
* **CI pipeline**: Run all scanners in CI with appropriate severity thresholds. Fail on CRITICAL issues.

The most robust approach runs all four scanners at different points: Trivy on every container build and IaC change, Checkov on Terraform PRs, Terrascan as a compliance check, and kube-bench as a scheduled cluster audit.
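As an added example (not Trivy's own code and not from the original article), the following Python gate reads the `results.json` that `trivy image --format json` writes and applies the two trivy.yaml settings shown earlier, the severity threshold and `ignore-unfixed`, to both vulnerabilities and failed misconfiguration checks, which is the "fail on CRITICAL issues" step of the CI recommendation. The embedded report is constructed; its CVE and check IDs are placeholders.

```python
"""Severity gate for a Trivy JSON report (added example, not Trivy's own code).
Applies the trivy.yaml knobs above (severity threshold, ignore-unfixed) to the
output of `trivy image --format json`, so CI can fail like --exit-code 1 does."""
import json
import sys

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in Trivy's JSON layout; IDs and package names are placeholders.
SAMPLE_REPORT = json.dumps({"ArtifactName": "my-app:latest", "Results": [
    {"Target": "my-app:latest (alpine)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "InstalledVersion": "1.0",
         "FixedVersion": "1.1", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "InstalledVersion": "2.0",
         "FixedVersion": "", "Severity": "HIGH"},          # no fix available yet
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "InstalledVersion": "3.0",
         "FixedVersion": "3.1", "Severity": "LOW"}]},
    {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile", "Misconfigurations": [
        {"ID": "EXAMPLE-001", "Title": "Container runs as root", "Severity": "HIGH", "Status": "FAIL"},
        {"ID": "EXAMPLE-002", "Title": "Unpinned base image", "Severity": "MEDIUM", "Status": "PASS"}]},
]})


def gate(report_json, threshold="HIGH", ignore_unfixed=True):
    """Return (counts by severity, exit code) for findings at or above threshold."""
    min_rank = SEVERITY_ORDER.index(threshold)
    counts = {}
    for result in json.loads(report_json).get("Results", []):
        severities = []
        # Trivy omits these keys when a target has no findings, hence `or []`.
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # same effect as vulnerability.ignore-unfixed: true
            severities.append(vuln["Severity"])
        for misconf in result.get("Misconfigurations") or []:
            if misconf.get("Status") == "FAIL":  # PASS entries are informational
                severities.append(misconf["Severity"])
        for sev in severities:
            if SEVERITY_ORDER.index(sev) >= min_rank:
                counts[sev] = counts.get(sev, 0) + 1
    return counts, (1 if counts else 0)  # non-zero fails the CI job, like --exit-code 1


if __name__ == "__main__":
    # Usage: python trivy_gate.py results.json [THRESHOLD]; without a file, uses the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found, code = gate(data, sys.argv[2] if len(sys.argv) > 2 else "HIGH")
    print("findings at or above threshold:", found)
    sys.exit(code)
```

With the sample report and the default HIGH threshold, the unfixed HIGH package is dropped but the CRITICAL package and the failed HIGH Dockerfile check still block the build.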