
Resourcely and IaC Scanning Tools

Resourcely Guardrails, Trivy/tfsec, Checkov, and Terrascan all focus on improving the security and compliance of infrastructure as code by detecting misconfigurations and potential vulnerabilities before deployment.


Resourcely is a configuration platform in the Terraform ecosystem, featuring policies, templates for deploying Terraform, and assisted remediation.

Terrascan is a static infrastructure as code scanner built on OPA; it detects misconfigurations and compliance violations using Rego policies.

Trivy concentrates on security misconfigurations (alongside its vulnerability and secret scanning) rather than broader governance. tfsec is no longer being developed; its Terraform checks were folded into Trivy's misconfiguration scanner.

Checkov is a static infrastructure as code scanner with many pre-built policies.

Comparing Resourcely and IaC Scanning Tools

Summary

Goal
  Resourcely: streamlining cloud configuration and governance, through
    - IaC policies
    - CI integration
    - customizable templates for deploying and editing infrastructure
    - an embedded IDE for designing infrastructure templates and policies
    - managed remediation that assists developers with code changes
  Terrascan, Trivy/tfsec, Checkov: static IaC scanning

Primary interface
  Resourcely: UI
  Terrascan, Trivy/tfsec, Checkov: CLI

Management
  Resourcely: managed offering
  Terrascan, Trivy/tfsec, Checkov: self-hosted
Deep Dive

Policy language
  Resourcely: Really (Structured Policy Language)
  Terrascan: Rego
  Trivy/tfsec: Rego or Go
  Checkov: Python or YAML

Writing custom policies
  Resourcely: easy
  Terrascan, Trivy/tfsec, Checkov: hard

Tests
  Resourcely: integrated
  Terrascan, Trivy/tfsec, Checkov: write your own

Supported IaC languages
  Resourcely: Terraform
  Terrascan: Terraform, Kubernetes, CloudFormation, and more
  Trivy/tfsec: Terraform, Kubernetes, Docker, CloudFormation, and more
  Checkov: Terraform, CloudFormation, ARM templates, Kubernetes, Dockerfile, and more

Out-of-the-box policies
  Resourcely: yes, hundreds
  Terrascan: yes, hundreds
  Trivy/tfsec: yes, hundreds (the former tfsec check set)
  Checkov: yes, 1,000+

Also compared, as a yes/no per tool: policies block during CI; pull request annotations; custom blocking behavior (with custom code where it is not built in); an IDE for writing and testing policies; conditioning policies on context; adding missing configuration automatically.
The guardrail "[S3] Bucket should be encrypted at rest" in Really, Resourcely's policy language:

GUARDRAIL "[S3] Bucket should be encrypted at rest"
  WHEN aws_s3_bucket
    REQUIRE server_side_encryption_configuration HAS
      rule.apply_server_side_encryption_by_default.sse_algorithm IN ["aws:kms","AES256"]
The same check in Rego, the language Terrascan and Trivy accept for custom policies. The input document shape used here (resource_type, config, connected_resources) is illustrative; each tool feeds policies its own schema, so the field paths need adapting before use:

package aws.s3.encryption

# rego.v1 enables the `if`, `contains` and `in` keywords (OPA >= 0.59 and 1.x);
# without it `algo in valid_algos` does not parse.
import rego.v1

# Valid server-side encryption algorithms.
valid_algos := {"aws:kms", "AES256"}

# Condition 1: the bucket's own (inline) configuration names a valid algorithm.
s3_encrypted if {
  input.resource_type == "aws_s3_bucket"
  algo := input.config.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm
  algo in valid_algos
}

# Condition 2: no encryption configuration at all, neither inline nor as a
# connected resource, so the AWS default (SSE-S3, AES256) applies. The second
# check matters: without it a connected resource carrying an invalid
# algorithm would satisfy this rule and never be denied.
s3_encrypted if {
  input.resource_type == "aws_s3_bucket"
  not input.config.server_side_encryption_configuration
  not input.connected_resources["aws_s3_bucket_server_side_encryption_configuration"]
}

# Condition 3: a connected aws_s3_bucket_server_side_encryption_configuration
# resource (assumed keyed by resource type) names a valid algorithm.
s3_encrypted if {
  input.resource_type == "aws_s3_bucket"
  algo := input.connected_resources["aws_s3_bucket_server_side_encryption_configuration"].config.rule.apply_server_side_encryption_by_default.sse_algorithm
  algo in valid_algos
}

# Deny when none of the conditions hold.
deny contains msg if {
  input.resource_type == "aws_s3_bucket"
  not s3_encrypted
  msg := "Ensure all data stored in the S3 bucket is securely encrypted at rest (CKV_AWS_19)."
}
The same check as a Checkov YAML policy; its three OR branches correspond to the three Rego rule bodies:

metadata:
  name: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
  category: "ENCRYPTION"
  id: "CKV_AWS_19"
definition:
  or:
    - cond_type: attribute
      resource_types:
        - aws_s3_bucket
      attribute: server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm
      operator: within
      value:
        - "aws:kms"
        - "AES256"
    - and:
      - cond_type: filter
        attribute: resource_type
        operator: within
        value:
          - aws_s3_bucket
      - cond_type: connection
        resource_types:
          - aws_s3_bucket
        connected_resource_types:
          - aws_s3_bucket_server_side_encryption_configuration
        operator: not_exists
      - cond_type: attribute
        resource_types:
          - aws_s3_bucket
        attribute: server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm
        operator: not_exists # Since January 2023 AWS encrypts new buckets with SSE-S3 (AES256) by default, so no configuration is acceptable
    - and:
      - cond_type: filter
        attribute: resource_type
        operator: within
        value:
          - aws_s3_bucket
      - cond_type: connection
        resource_types:
          - aws_s3_bucket
        connected_resource_types:
          - aws_s3_bucket_server_side_encryption_configuration
        operator: exists
      - cond_type: attribute
        resource_types:
          - aws_s3_bucket_server_side_encryption_configuration
        attribute: rule.apply_server_side_encryption_by_default.sse_algorithm
        operator: within
        value:
          - "aws:kms"
          - "AES256"
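As an added example, not code from Resourcely, Checkov, Terrascan or Trivy, the Python below mirrors the three OR branches of the YAML policy above over a `terraform show -json` plan. The interesting part is the `connection` branch: the `bucket` argument of an `aws_s3_bucket_server_side_encryption_configuration` is usually unknown at plan time, so the link to the bucket is resolved from the `references` in the plan's `configuration` section rather than from planned values. The plan returned by `sample_plan()` is constructed for this example (its layout follows the Terraform plan JSON format); `dig`, `connected_sse_resources` and `evaluate` are names chosen here.

```python
"""Evaluate "S3 bucket encrypted at rest" (CKV_AWS_19 logic) over a Terraform plan JSON."""
import json
import sys

VALID_ALGOS = {"aws:kms", "AES256"}  # same allow-list as the page's policies
SSE_RESOURCE = "aws_s3_bucket_server_side_encryption_configuration"
INLINE_PATH = ("server_side_encryption_configuration", "rule",
               "apply_server_side_encryption_by_default", "sse_algorithm")
CONNECTED_PATH = ("rule", "apply_server_side_encryption_by_default", "sse_algorithm")


def dig(value, path):
    """Walk a key path through plan values. Nested blocks render as lists in
    plan JSON, so the first element is taken at each level. None when absent."""
    for key in path:
        if isinstance(value, list):
            value = value[0] if value else None
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value


def connected_sse_resources(plan):
    """Map bucket address -> set of SSE resource addresses whose `bucket`
    argument references it (root module only, as written here)."""
    links = {}
    for res in plan.get("configuration", {}).get("root_module", {}).get("resources", []):
        if res.get("type") != SSE_RESOURCE:
            continue
        refs = res.get("expressions", {}).get("bucket", {}).get("references", [])
        for ref in refs:  # e.g. "aws_s3_bucket.logs.id" and "aws_s3_bucket.logs"
            parts = ref.split(".")
            if len(parts) >= 2 and parts[0] == "aws_s3_bucket":
                links.setdefault(".".join(parts[:2]), set()).add(res["address"])
    return links


def evaluate(plan):
    """Return (address, 'PASSED' | 'FAILED', reason) for every aws_s3_bucket."""
    planned = {r["address"]: r
               for r in plan["planned_values"]["root_module"].get("resources", [])}
    links = connected_sse_resources(plan)
    findings = []
    for addr, res in planned.items():
        if res["type"] != "aws_s3_bucket":
            continue
        inline = dig(res.get("values", {}), INLINE_PATH)
        sse = links.get(addr, set())
        algos = [dig(planned[a].get("values", {}), CONNECTED_PATH) for a in sse if a in planned]
        if inline in VALID_ALGOS:                      # branch 1: inline block
            status, why = "PASSED", f"inline sse_algorithm={inline}"
        elif inline is None and not sse:               # branch 2: nothing set, AWS default
            status, why = "PASSED", "no configuration; AWS default SSE-S3 (AES256) applies"
        elif sse and algos and all(a in VALID_ALGOS for a in algos):  # branch 3: connected
            status, why = "PASSED", f"connected {SSE_RESOURCE} uses {sorted(set(algos))}"
        else:                                          # unknown or unsupported algorithm
            status, why = "FAILED", f"no valid algorithm proven (inline={inline}, connected={algos})"
        findings.append((addr, status, why))
    return findings


def sample_plan():
    """Constructed plan (not from a real run) with one bucket per branch plus the
    case a policy must catch: a connected SSE resource whose sse_algorithm is
    unknown at plan time, e.g. taken from a variable that is not yet set."""
    def bucket(name, inline=None):
        values = {"bucket": name}
        if inline:
            values["server_side_encryption_configuration"] = [
                {"rule": [{"apply_server_side_encryption_by_default": [{"sse_algorithm": inline}]}]}]
        return {"address": f"aws_s3_bucket.{name}", "type": "aws_s3_bucket", "name": name, "values": values}

    def sse(name, algo):
        by_default = {"sse_algorithm": algo} if algo else {}  # {} = value unknown at plan time
        return {"address": f"{SSE_RESOURCE}.{name}", "type": SSE_RESOURCE, "name": name,
                "values": {"rule": [{"apply_server_side_encryption_by_default": [by_default]}]}}

    def sse_config(name):
        return {"address": f"{SSE_RESOURCE}.{name}", "type": SSE_RESOURCE,
                "expressions": {"bucket": {"references": [f"aws_s3_bucket.{name}.id", f"aws_s3_bucket.{name}"]}}}

    return {
        "format_version": "1.2",
        "planned_values": {"root_module": {"resources": [
            bucket("inline_ok", "AES256"),
            bucket("default_only"),
            bucket("connected_kms"), sse("connected_kms", "aws:kms"),
            bucket("connected_unknown"), sse("connected_unknown", None),
        ]}},
        "configuration": {"root_module": {"resources": [
            sse_config("connected_kms"), sse_config("connected_unknown"),
        ]}},
    }


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else sample_plan()
    for address, status, reason in evaluate(plan):
        print(f"{status:6} {address}: {reason}")
```

Against a real plan: `terraform plan -out=tfplan && terraform show -json tfplan > plan.json && python3 s3_sse_check.py plan.json`. Two caveats carry over to whichever of the three policy languages you use: the "no configuration" branch trusts AWS's default encryption for new buckets and, as written, only walks the root module, so a configuration resource declared in a child module is invisible and the bucket passes by default; and the allow-list omits `aws:kms:dsse` (dual-layer KMS), so a DSSE bucket is reported as unencrypted until you add it.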
