compliance.tf vs Checkov / Trivy
What each tool solves
compliance.tf prevents non-compliant infrastructure from being expressed through its Terraform modules. Controls are embedded in the module code. When a developer uses a compliance.tf module, settings such as S3 encryption, access logging, and public access blocking are either fixed as defaults or validated at terraform plan time, so a non-compliant value produces an error before any resource is created.
Checkov and Trivy scan infrastructure-as-code for security misconfigurations. They analyze Terraform HCL files or plan JSON output and report findings against a library of built-in checks. They catch problems before terraform apply, but after the code has been written.
Where compliance.tf is stronger
A developer using the S3 module cannot produce a non-compliant bucket: the module enforces encryption, logging, and versioning through defaults and input validation. The non-compliant configuration never exists, so there is no scan finding to triage.
This also means no policy rules to write. You don't need custom Checkov policies or a .checkov.yaml for the controls compliance.tf covers. Change the module source URL, run terraform init, and controls are active.
- Framework-specific enforcement. The same module interface serves different control sets depending on the registry endpoint: soc2.compliance.tf enforces SOC 2 controls; pcidssv40.compliance.tf enforces PCI DSS v4.0. Checkov tags checks with framework references, but the scan output is the same regardless of which framework you need.
Where Checkov / Trivy is stronger
Checkov and Trivy scan every Terraform resource, not just the 34 modules in the compliance.tf catalog. If you use a raw aws_iam_role, aws_security_group, or any resource outside that catalog, these tools catch misconfigurations that compliance.tf has no opinion on. Checkov alone includes 1,000+ built-in checks across IAM, networking, logging, and dozens of AWS services. Trivy covers a similarly broad range.
- Both tools work beyond Terraform. Checkov scans CloudFormation, Kubernetes manifests, Dockerfiles, Helm charts, and ARM templates. Trivy scans container images, filesystems, and git repositories in addition to IaC.
- Established CI/CD integrations. Checkov has native GitHub Actions, GitLab CI templates, IDE plugins, and PR comment bots. Trivy integrates with container registries and CI pipelines. These integrations are mature and widely adopted.
- Free and open source. Checkov (Apache 2.0) and Trivy (Apache 2.0) have no subscription cost and no registry dependency. Compliance.tf is a paid SaaS with a private registry that your Terraform workflow depends on.
- Catches values the module does not validate. If a developer passes an insecure value to a module variable that compliance.tf does not validate, Checkov can still flag it: both tools see the full plan output, including resources and attributes that modules do not control.
When to use both together
Use compliance.tf modules for the resources they cover (S3, RDS, ECS, EKS, VPC, Lambda, and 28 more). Compliance controls are enforced automatically — encryption, logging, access restrictions, and framework-specific requirements are built into the module.
Run Checkov or Trivy in your CI pipeline to scan the full Terraform plan. This catches everything compliance.tf does not cover: IAM policies, security groups, raw resources without compliance.tf modules, and misconfigurations in your own code that sits outside module boundaries.
Compliance.tf modules are designed to satisfy the Checkov checks that correspond to their controls. The CI scanning step becomes a verification layer confirming that enforcement is working, plus a safety net for everything outside the module catalog.
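The enforcement pattern this section describes (compliant defaults, plan-time validation inside the module, and a raw resource the module cannot govern), as an added example. This is not compliance.tf's own module code: the module path ./modules/s3_bucket, the variable names, and the bucket names are hypothetical, and a local path stands in for a compliance.tf registry source.

```hcl
# modules/s3_bucket/variables.tf (hypothetical module; a local path stands in
# for a registry source such as the compliance.tf endpoints described above)

variable "bucket_name" {
  type        = string
  description = "Name of the bucket to create."
}

variable "log_bucket" {
  type        = string
  description = "Bucket that receives server access logs. Cannot be empty."

  # Plan-time validation: terraform plan fails here, before any resource exists.
  validation {
    condition     = length(var.log_bucket) > 0
    error_message = "log_bucket must name a log bucket; access logging cannot be disabled."
  }
}

variable "sse_algorithm" {
  type        = string
  default     = "aws:kms" # compliant default; most callers never set this
  description = "Server-side encryption algorithm. Only KMS is accepted."

  validation {
    condition     = var.sse_algorithm == "aws:kms"
    error_message = "sse_algorithm must be \"aws:kms\"; SSE-S3 or no encryption is not permitted."
  }
}

# modules/s3_bucket/main.tf

resource "aws_s3_bucket" "this" {
  bucket = var.bucket_name

  lifecycle {
    # Cross-variable rule that a single variable's validation block cannot express.
    precondition {
      condition     = var.log_bucket != var.bucket_name
      error_message = "A bucket must not deliver its access logs to itself."
    }
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  bucket = aws_s3_bucket.this.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = var.sse_algorithm
    }
  }
}

# Versioning and the public access block are not variables at all, so a
# caller has no way to turn them off.
resource "aws_s3_bucket_versioning" "this" {
  bucket = aws_s3_bucket.this.id

  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_public_access_block" "this" {
  bucket                  = aws_s3_bucket.this.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_logging" "this" {
  bucket        = aws_s3_bucket.this.id
  target_bucket = var.log_bucket
  target_prefix = "${var.bucket_name}/"
}

# main.tf (root module): what the developer writes.

module "uploads" {
  source      = "./modules/s3_bucket" # compliance.tf would be a registry URL here
  bucket_name = "example-uploads"
  log_bucket  = "example-access-logs"
  # sse_algorithm = "AES256"  # uncommenting this makes terraform plan fail
  #                           # with the validation error defined above
}

# A raw resource outside the module. The module has no opinion on it; only a
# scan of the plan or source (Checkov/Trivy) can flag the 0.0.0.0/0 SSH ingress.
resource "aws_security_group" "admin" {
  name = "example-admin"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

With the sse_algorithm line uncommented, terraform plan stops at the variable validation and no bucket is ever planned; that is the preventive layer. With it commented out the plan succeeds, and the open security group is still in it: the module had no say over that resource, so it reaches the detective layer only if CI exports the plan (terraform plan -out=tfplan, then terraform show -json tfplan > plan.json) and scans it with checkov -f plan.json, or scans the source tree with trivy config .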
Combined architecture: preventive layer (compliance.tf) + detective layer (Checkov/Trivy) = defense in depth.
```mermaid
flowchart TD
    Dev["Developer writes Terraform"]
    CTF["<b>compliance.tf modules</b><br/>Module source · authoring time<br/>Enforces controls for 34 modules"]
    CI["<b>Checkov / Trivy</b><br/>CI pipeline scan<br/>Scans ALL resources"]
    Plan["terraform plan"]
    Valid["Controls validated<br/>errors on violation"]
    Found["Findings reported<br/>for everything outside catalog"]
    Apply["terraform apply<br/>compliant deployment"]
    Dev --> CTF
    Dev --> CI
    CTF --> Plan
    Plan -->|"outputs plan JSON"| CI
    Plan --> Valid
    CI --> Found
    Valid --> Apply
    Found --> Apply
```
Summary
| Dimension | compliance.tf | Checkov / Trivy |
|---|---|---|
| When it acts | Module authoring time | CI/CD scan time |
| What it covers | 34 modules in the catalog | All Terraform resources, plus CloudFormation, K8s, Docker |
| How controls are maintained | Maintained by compliance.tf, upstream-compatible | Community + custom rules; you maintain custom policies |
| Framework-specific enforcement | Yes — different registry endpoint per framework | Partial — framework-tagged checks, but same scan output |
| Catches misconfiguration in user code outside modules | No | Yes |
| Custom policy support | No (controls are fixed per framework) | Yes (custom checks in Python/YAML) |
| Open source | No (paid SaaS registry) | Yes (Apache 2.0) |
| Cost | Paid subscription (free trial available) | Free (open source); paid for Prisma Cloud / Bridgecrew platform |