Navigating the Digital Realm with Code and Security – Where Programming Insights Meet Cyber Vigilance. | अंत: अस्ति प्रारंभ:
IHA089
Toolkit
┌──(root㉿IHA089)-[/Toolkit/Vulnerability Assessment/Misconfiguration Detection] └─#
Checkov

Checkov is the IaC misconfiguration scanner that checks Terraform, CloudFormation, Kubernetes manifests, Helm charts and other templates for risky settings such as public S3 bucket ACLs or security groups open to 0.0.0.0/0, and accepts custom policies written in YAML or Python for organisation-specific compliance checks. Run its Python CLI (pip install checkov) against a repo or directory; output formats include CLI text, JSON, JUnit and SARIF, so findings can be attached to pull requests for shift-left enforcement. Open-source from Bridgecrew (now part of Palo Alto Networks), it's the config cop for cloud devs building secure infrastructure from the first template.

Terrascan

Terrascan is the multi-cloud IaC scanner that checks Terraform, Kubernetes manifests, Helm charts, Dockerfiles and CloudFormation templates for misconfigurations such as over-permissive IAM or ports exposed to the internet, enforcing policies written in OPA's Rego language across AWS, GCP, Azure and other providers. Deploy it as a single Go binary and point it at a directory for a quick audit; it reports each violation with its severity and the rule that fired so remediation can be prioritised (it flags problems, it does not rewrite templates). Open-source from Accurics (now Tenable), it's the policy patroller for architects spotting drift from their templated baselines.

Kube-bench

Kube-bench is the CIS Kubernetes Benchmark runner that audits cluster nodes for misconfigurations such as anonymous API access, an authorization mode without RBAC, or world-readable etcd and kubeconfig files, reporting each benchmark item as PASS, FAIL, WARN or INFO together with the benchmark's remediation text. Its checks are defined in YAML per Kubernetes version; run the Go binary on control-plane and worker nodes (or as a Job inside the cluster) and emit text, JSON or JUnit output for scripted baselines. Open-source from Aqua Security, it's the cluster clinician for ops teams templating a hardened K8s posture.
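As an added example (not part of this page or of Aqua's kube-bench), the following Python script shows the shape of a control-plane benchmark check: it parses a kube-apiserver command line and tests it against a handful of checks modelled on the CIS Kubernetes Benchmark's API-server section. The sample command line is constructed; the check titles and remediations are this example's own wording and carry no official benchmark numbers.

```python
"""Audit kube-apiserver flags the way a CIS benchmark runner does (added example, not kube-bench code)."""
import shlex

# Constructed sample: a kube-apiserver command line as it might appear in
# `ps -ef` output or the static pod manifest on a control-plane node.
SAMPLE_APISERVER_CMDLINE = (
    "kube-apiserver --advertise-address=10.0.0.10 "
    "--authorization-mode=AlwaysAllow --anonymous-auth=true "
    "--etcd-servers=https://127.0.0.1:2379 "
    "--profiling=true --secure-port=6443"
)

def parse_flags(cmdline):
    """Turn 'kube-apiserver --a=b --c' into {'a': 'b', 'c': 'true'}.
    A boolean flag given without a value means true, as in Go's flag package."""
    flags = {}
    for tok in shlex.split(cmdline)[1:]:
        if not tok.startswith("--"):
            continue
        name, sep, value = tok[2:].partition("=")
        flags[name] = value if sep else "true"
    return flags

def modes(flags):
    """Authorization modes in effect; kube-apiserver defaults to AlwaysAllow."""
    return flags.get("authorization-mode", "AlwaysAllow").split(",")

# (title, predicate over the flag map, remediation). Values assumed when a flag
# is absent are kube-apiserver's documented defaults (anonymous-auth=true,
# authorization-mode=AlwaysAllow, profiling=true, no audit log).
CHECKS = [
    ("anonymous requests are disabled",
     lambda f: f.get("anonymous-auth", "true") == "false",
     "set --anonymous-auth=false"),
    ("authorization mode is not AlwaysAllow",
     lambda f: "AlwaysAllow" not in modes(f),
     "set --authorization-mode=Node,RBAC"),
    ("authorization mode includes Node",
     lambda f: "Node" in modes(f),
     "add Node to --authorization-mode"),
    ("authorization mode includes RBAC",
     lambda f: "RBAC" in modes(f),
     "add RBAC to --authorization-mode"),
    ("profiling is disabled",
     lambda f: f.get("profiling", "true") == "false",
     "set --profiling=false"),
    ("audit logging is enabled",
     lambda f: bool(f.get("audit-log-path")),
     "set --audit-log-path to a log file"),
    ("etcd is reached over TLS",
     lambda f: bool(f.get("etcd-servers"))
     and all(u.startswith("https://") for u in f["etcd-servers"].split(",")),
     "use https:// etcd endpoints with --etcd-cafile/--etcd-certfile/--etcd-keyfile"),
]

def audit(cmdline, checks=CHECKS):
    """Return one PASS/FAIL record per check, with remediation text on failure."""
    flags = parse_flags(cmdline)
    results = []
    for title, passes, remediation in checks:
        ok = passes(flags)
        results.append({"check": title, "status": "PASS" if ok else "FAIL",
                        "remediation": None if ok else remediation})
    return results

def summarize(results):
    """Scored totals in the style of a benchmark runner's footer."""
    passed = sum(1 for r in results if r["status"] == "PASS")
    return {"pass": passed, "fail": len(results) - passed, "total": len(results)}

if __name__ == "__main__":
    res = audit(SAMPLE_APISERVER_CMDLINE)
    for r in res:
        tail = f" -> {r['remediation']}" if r["remediation"] else ""
        print(f"[{r['status']}] {r['check']}{tail}")
    print(summarize(res))
```

On the constructed command line only the etcd check passes; the real benchmark covers far more items (file permissions, kubelet flags, etcd and controller-manager settings), and kube-bench reads the flags from running processes and config files rather than from a string.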

Prowler

Prowler is the cloud security assessment tool, born as an AWS scanner and now covering Azure, GCP and Kubernetes as well, that checks IAM, S3, EC2 and hundreds of other services against CIS benchmarks and other compliance frameworks, flagging public buckets, weak access controls and the like with remediation guidance per check (its checks are written in Python, with metadata and compliance mappings in JSON). Install it with pip install prowler, run it against an account using an existing credential profile, and write CSV, JSON or HTML reports; schedule it for ongoing audits. Open-source from the prowler-cloud project, it's the cloud constable for AWS admins templating compliance checks.

Lynis

Lynis is the system auditing tool that detects OS-level misconfigurations such as root logins over SSH, missing firewall rules or weak file permissions on Linux, macOS and other Unix-like systems, and scores the result as a hardening index. It is a shell script with no dependencies beyond the base system: run lynis audit system on a host, choose which tests run with a profile (a .prf file), then read the categorised suggestions or export the key-value report file for other tooling. Open-source from CISOfy, it's the hardening herald for sysadmins templating baseline security audits.
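As an added example that is not part of this page or of Lynis itself, the Python below performs the kind of SSH test Lynis runs: it parses a constructed sshd_config, compares each keyword's effective value (including OpenSSH's defaults for keywords that are absent) against a hardening expectation, and reduces the result to a 0-100 score in the spirit of the Lynis hardening index (the real index weights tests differently). The config text and the expectations are this example's own.

```python
"""sshd_config hardening check in the spirit of a Lynis SSH test (added example, not CISOfy code)."""

# Constructed sample sshd_config with several weak settings and a Match block.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed for this example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 10
ClientAliveInterval 0
Match User deploy
    PasswordAuthentication no
"""

def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section.
    sshd applies the first occurrence of a keyword, so the first value wins;
    comments are skipped and parsing stops at the first Match block, whose
    directives only apply conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

# (keyword, OpenSSH default when unset, predicate over the lower-cased value, suggestion)
TESTS = [
    ("PermitRootLogin", "prohibit-password", lambda v: v == "no", "set PermitRootLogin no"),
    ("PasswordAuthentication", "yes", lambda v: v == "no", "set PasswordAuthentication no and use keys"),
    ("PermitEmptyPasswords", "no", lambda v: v == "no", "set PermitEmptyPasswords no"),
    ("X11Forwarding", "no", lambda v: v == "no", "set X11Forwarding no"),
    ("MaxAuthTries", "6", lambda v: v.isdigit() and int(v) <= 3, "set MaxAuthTries 3"),
    ("ClientAliveInterval", "0", lambda v: v.isdigit() and 0 < int(v) <= 300, "set ClientAliveInterval 300"),
]

def audit_sshd(text, tests=TESTS):
    """One record per test, noting whether the value came from the file or the default."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, default, passes, suggestion in tests:
        present = keyword.lower() in settings
        value = settings[keyword.lower()] if present else default
        ok = passes(value.lower())
        findings.append({"keyword": keyword, "value": value, "from_default": not present,
                         "status": "OK" if ok else "WEAK",
                         "suggestion": None if ok else suggestion})
    return findings

def hardening_index(findings):
    """Share of tests passed as a 0-100 score (a plain ratio; Lynis weights its tests)."""
    if not findings:
        return 0
    return round(100 * sum(f["status"] == "OK" for f in findings) / len(findings))

if __name__ == "__main__":
    report = audit_sshd(SAMPLE_SSHD_CONFIG)
    for f in report:
        src = "default" if f["from_default"] else "file"
        tail = f" -> {f['suggestion']}" if f["suggestion"] else ""
        print(f"[{f['status']:4}] {f['keyword']} = {f['value']} ({src}){tail}")
    print("hardening index:", hardening_index(report))
```

Two details matter for a real audit and are reflected here: a commented-out directive means the compiled-in default applies (PermitEmptyPasswords passes because OpenSSH defaults it to no), and a PasswordAuthentication no inside a Match block does not make the global setting safe.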

Scout Suite

Scout Suite is the multi-cloud misconfiguration inspector that enumerates AWS, Azure and GCP (plus Alibaba Cloud and Oracle Cloud) through their APIs and flags issues such as over-privileged IAM or publicly readable storage using JSON rulesets, producing an HTML report for visual triage. Install the Python package or clone the repo, run it with the credentials of a read-only audit identity, and adapt the rulesets to your organisation's policies. Open-source from NCC Group, it's the cloud cartographer for security teams mapping misconfigurations across providers.
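Prowler and Scout Suite both raise findings for over-privileged IAM policies. As one added example for both entries, not code from either project, the Python below applies that kind of check to a set of constructed AWS IAM policy documents: wildcard actions, wildcard resources and the NotAction pattern are graded, while Deny statements and scoped read-only policies pass. Policy names and severities are this example's own.

```python
"""Grade IAM policy documents for over-privilege (added example, not Prowler or Scout Suite code)."""
import json

# Constructed sample policies keyed by an invented policy name.
SAMPLE_POLICIES = {
    "AdminEverything": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "S3ReadOnly": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]},
    "SneakyNotAction": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]},
    "IamWildcard": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"}]},  # Deny never grants; skipped below
    "ReadAllLogs": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["logs:GetLogEvents"], "Resource": "*"}]},
}

def as_list(value):
    """IAM accepts either a string or a list in Action, NotAction and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_policy(name, document):
    """Return (location, severity, reason) tuples for risky Allow statements."""
    findings = []
    for i, stmt in enumerate(as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        not_actions = as_list(stmt.get("NotAction"))
        all_resources = "*" in as_list(stmt.get("Resource"))
        where = f"{name} Statement[{i}]"
        if "*" in actions:
            scope = " on Resource '*' (full admin)" if all_resources else " on scoped resources"
            findings.append((where, "CRITICAL" if all_resources else "HIGH", "Action '*'" + scope))
        elif not_actions and all_resources:
            findings.append((where, "HIGH",
                             f"NotAction {not_actions} on Resource '*' allows every other action"))
        elif any(a.endswith(":*") for a in actions):
            services = sorted({a.split(":")[0] for a in actions if a.endswith(":*")})
            findings.append((where, "HIGH" if all_resources else "MEDIUM",
                             f"service-level wildcard for {services}"))
        elif all_resources:
            findings.append((where, "LOW", "specific actions but Resource '*'"))
    return findings

def scan(policies):
    """Map each policy name to its findings (empty list when clean)."""
    return {name: check_policy(name, doc) for name, doc in policies.items()}

if __name__ == "__main__":
    # Machine-readable output of the kind a ticketing or SIEM pipeline would ingest.
    print(json.dumps(scan(SAMPLE_POLICIES), indent=2))
```

The NotAction case is the one reviewers most often miss: an Allow with NotAction iam:* on Resource * grants every non-IAM action in the account, which is close to administrator access even though no wildcard Action appears.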

InSpec

Chef InSpec is the compliance-as-code framework for detecting misconfigurations on servers, in cloud accounts and in containers against standards such as CIS or NIST. Controls are written in a Ruby DSL and grouped into profiles (each with a YAML metadata file, inspec.yml); run them with the CLI against local or remote targets for pass/fail reports, and hand the failures to Chef Infra or another configuration manager for remediation, since InSpec itself only tests. Open-source from Chef (now Progress), it's the control checker for ops templating auditable infrastructures.

OpenSCAP

OpenSCAP is the SCAP toolkit that evaluates a system's configuration against XCCDF and OVAL content (the XML benchmarks shipped as the SCAP Security Guide), covering both hardening rules and known-vulnerability checks, and produces XCCDF result files, HTML reports and ARF archives for dashboards. Install the library and the oscap CLI, pick a profile from a data stream, run oscap xccdf eval with --results and --report, and optionally generate bash or Ansible remediation with oscap xccdf generate fix. Open-source from Red Hat, it's the standard sentinel for admins templating certified security baselines.
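The results file that oscap xccdf eval --results writes is plain XML, so a summary and a remediation worklist can be pulled out with the standard library. As an added example, not part of OpenSCAP or of this page, the Python below parses a constructed and heavily trimmed XCCDF 1.2 TestResult (the rule IDs are invented; real SSG content uses xccdf_org.ssgproject.content_rule_... identifiers), counts results per state and orders the failures by severity.

```python
"""Summarise an XCCDF 1.2 results file from `oscap xccdf eval --results` (added example, not OpenSCAP code)."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed, trimmed results document. Real files also embed the Benchmark's
# rules and profiles; only the TestResult element is needed here.
SAMPLE_RESULTS_XML = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.example_benchmark_demo">
  <TestResult id="xccdf_org.example_testresult_demo"
              start-time="2024-01-01T00:00:00" end-time="2024-01-01T00:01:00">
    <profile idref="xccdf_org.example_profile_cis"/>
    <target>host.example</target>
    <rule-result idref="xccdf_org.example_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_sshd_set_idle_timeout" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_audit_rules_login_events" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_package_telnet_removed" severity="high">
      <result>fail</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
  </TestResult>
</Benchmark>
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

def parse_results(xml_text):
    """Extract target, profile, score and per-rule results from the TestResult."""
    root = ET.fromstring(xml_text)
    tr = root if root.tag == f"{{{XCCDF_NS}}}TestResult" else root.find(".//x:TestResult", NS)
    if tr is None:
        raise ValueError("no TestResult element: was the file written with --results?")
    profile = tr.find("x:profile", NS)
    score = tr.find("x:score", NS)
    rules = [{"id": rr.get("idref"), "severity": rr.get("severity", "unknown"),
              "result": rr.findtext("x:result", default="unknown", namespaces=NS)}
             for rr in tr.findall("x:rule-result", NS)]
    return {"target": tr.findtext("x:target", default="", namespaces=NS),
            "profile": profile.get("idref") if profile is not None else None,
            "score": float(score.text) if score is not None else None,
            "rules": rules}

def summarize(report):
    """Count rules per result state (pass, fail, notapplicable, ...)."""
    counts = {}
    for r in report["rules"]:
        counts[r["result"]] = counts.get(r["result"], 0) + 1
    return counts

def failing_rules(report):
    """Failed or errored rules, highest severity first, as a remediation worklist."""
    fails = [r for r in report["rules"] if r["result"] in ("fail", "error")]
    return sorted(fails, key=lambda r: (SEVERITY_ORDER.get(r["severity"], 4), r["id"]))

if __name__ == "__main__":
    rep = parse_results(SAMPLE_RESULTS_XML)
    print(f"{rep['target']} profile={rep['profile']} score={rep['score']} {summarize(rep)}")
    for r in failing_rules(rep):
        print(f"  [{r['severity']}] {r['id']}")
```

A notapplicable result is neither a pass nor a fail and should stay out of the worklist; counting it as a pass is a common way to inflate a compliance score.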

KubeLinter

KubeLinter is the static analysis tool for Kubernetes YAML and Helm charts that checks manifests for misconfigurations such as privileged containers, missing resource limits or containers running as root, with a catalogue of built-in checks and a config file for enabling, disabling or defining custom checks from templates. Run the Go binary locally or in CI (a GitHub Action and a pre-commit hook are provided) and emit plain, JSON or SARIF output so pull requests are annotated with violations. Open-source from StackRox (now part of Red Hat), it's the YAML yardstick for K8s devs templating secure deployments early.
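As an added example that is not KubeLinter's own code, the Python below lints constructed Deployment and Pod objects (expressed as dicts, the shape json.load gives for a manifest) for several of the misconfigurations KubeLinter reports. It reuses KubeLinter's check names but applies this example's own simplified logic, and wraps the findings in a minimal SARIF 2.1.0 document of the kind CI systems ingest. The tool name and the manifests are invented.

```python
"""Lint Kubernetes workload manifests and emit SARIF (added example, not KubeLinter code)."""
import json

# Constructed samples: a Deployment with several problems and a Pod that is clean.
SAMPLE_MANIFESTS = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "web", "namespace": "default"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "nginx", "image": "nginx:latest",
          "securityContext": {"privileged": True}}]}}}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "api", "namespace": "prod"},
     "spec": {"containers": [
         {"name": "api", "image": "registry.example/api:1.4.2",
          "resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                        "requests": {"cpu": "250m", "memory": "128Mi"}},
          "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
                              "allowPrivilegeEscalation": False}}]}},
]

def pod_spec(obj):
    """Return the PodSpec for a bare Pod or for any workload carrying a pod template."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})

def check_container(c, pod):
    """Yield (check id, level, message); ids follow KubeLinter's names, logic is simplified."""
    sc = c.get("securityContext") or {}
    pod_sc = pod.get("securityContext") or {}
    limits = (c.get("resources") or {}).get("limits") or {}
    findings = []
    if sc.get("privileged"):
        findings.append(("privileged-container", "error", "container runs privileged"))
    if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
        findings.append(("run-as-non-root", "warning", "runAsNonRoot is not set"))
    if not sc.get("readOnlyRootFilesystem"):
        findings.append(("no-read-only-root-fs", "warning", "root filesystem is writable"))
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(("privilege-escalation-container", "warning",
                         "allowPrivilegeEscalation is not set to false"))
    if "cpu" not in limits:
        findings.append(("unset-cpu-requirements", "warning", "no CPU limit"))
    if "memory" not in limits:
        findings.append(("unset-memory-requirements", "warning", "no memory limit"))
    image = c.get("image", "")
    # A mutable tag: no tag at all (look past any registry:port prefix) or :latest.
    if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
        findings.append(("latest-tag", "warning", f"image {image!r} uses a mutable tag"))
    return findings

def lint(manifests):
    """Run the container checks over every workload and return SARIF-shaped results."""
    results = []
    for obj in manifests:
        pod = pod_spec(obj)
        meta = obj.get("metadata", {})
        loc = f"{obj.get('kind')}/{meta.get('namespace', 'default')}/{meta.get('name')}"
        for c in pod.get("containers", []):
            for rule_id, level, msg in check_container(c, pod):
                results.append({"ruleId": rule_id, "level": level,
                                "message": {"text": f"{msg} (container {c.get('name')!r})"},
                                "locations": [{"logicalLocations": [{"fullyQualifiedName": loc}]}]})
    return results

def to_sarif(results, tool_name="manifest-lint-example"):
    """Wrap results in a minimal SARIF 2.1.0 log; the tool name is invented."""
    rule_ids = sorted({r["ruleId"] for r in results})
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json", "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": tool_name,
                                          "rules": [{"id": rid} for rid in rule_ids]}},
                      "results": results}]}

if __name__ == "__main__":
    print(json.dumps(to_sarif(lint(SAMPLE_MANIFESTS)), indent=2))
```

Because SARIF records a rule id, a level and a location per finding, a CI system can map each result back to the manifest that introduced it and block the merge on error-level results only.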

cfn_nag

cfn_nag is the CloudFormation linter that audits JSON and YAML templates for insecure resources, such as security groups open to the world, unencrypted storage or wildcard IAM permissions, reporting warnings and failures with the rule ID and a description of what to change. Run its Ruby CLI (gem install cfn-nag, then cfn_nag_scan --input-path) on a template or directory; it exits non-zero on failures, which makes it a pre-merge gate in CI, and accepted findings can be suppressed per resource in the template's Metadata. Open-source from Stelligent, it's the template troubleshooter for AWS architects templating compliant infrastructure.
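Checkov (above) and cfn_nag check templates for the same classes of mistakes: ingress open to the world and public bucket ACLs. As one added example serving both entries, not code from either project, the Python below normalises a constructed Terraform JSON document (the .tf.json syntax) and a constructed CloudFormation JSON template into one resource model, then evaluates a small set of policies against it. Check IDs and resource names are this example's own; both projects use different IDs for their real checks.

```python
"""Policy checks over Terraform JSON and CloudFormation templates (added example, not Checkov or cfn_nag code)."""
import json

# Constructed sample in Terraform's JSON syntax (what a .tf.json file holds).
SAMPLE_TERRAFORM_JSON = {
    "resource": {
        "aws_security_group": {
            "web": {"name": "web", "ingress": [
                {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
                {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]},
            "internal": {"name": "internal", "ingress": [
                {"from_port": 0, "to_port": 65535, "protocol": "-1", "cidr_blocks": ["10.0.0.0/8"]}]},
        },
        "aws_s3_bucket_acl": {
            "logs": {"bucket": "logs", "acl": "public-read"},
            "data": {"bucket": "data", "acl": "private"},
        },
    }
}

# Constructed sample CloudFormation template (JSON form).
SAMPLE_CLOUDFORMATION_JSON = {
    "Resources": {
        "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "web", "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
        "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "data"}},
    }
}

WORLD = {"0.0.0.0/0", "::/0"}
CFN_ACL = {"Private": "private", "PublicRead": "public-read", "PublicReadWrite": "public-read-write"}

def normalize_terraform(doc):
    """Map Terraform resources onto the common model the policies below consume."""
    out = []
    res = doc.get("resource", {})
    for name, body in res.get("aws_security_group", {}).items():
        rules = [{"from_port": int(i.get("from_port", 0)), "to_port": int(i.get("to_port", 65535)),
                  "protocol": str(i.get("protocol", "-1")),
                  "cidrs": list(i.get("cidr_blocks", [])) + list(i.get("ipv6_cidr_blocks", []))}
                 for i in body.get("ingress", [])]
        out.append({"type": "security_group", "id": f"aws_security_group.{name}", "ingress": rules})
    for name, body in res.get("aws_s3_bucket_acl", {}).items():
        out.append({"type": "s3_acl", "id": f"aws_s3_bucket_acl.{name}", "acl": body.get("acl", "private")})
    return out

def normalize_cloudformation(doc):
    """Same model for CloudFormation; an absent AccessControl means the Private default."""
    out = []
    for name, r in doc.get("Resources", {}).items():
        props = r.get("Properties", {})
        if r.get("Type") == "AWS::EC2::SecurityGroup":
            rules = [{"from_port": int(i.get("FromPort", 0)), "to_port": int(i.get("ToPort", 65535)),
                      "protocol": str(i.get("IpProtocol", "-1")),
                      "cidrs": [c for c in (i.get("CidrIp"), i.get("CidrIpv6")) if c]}
                     for i in props.get("SecurityGroupIngress", [])]
            out.append({"type": "security_group", "id": name, "ingress": rules})
        elif r.get("Type") == "AWS::S3::Bucket":
            acl = props.get("AccessControl", "Private")
            out.append({"type": "s3_acl", "id": name, "acl": CFN_ACL.get(acl, acl.lower())})
    return out

def world_reaches_port(sg, port):
    """True if any ingress rule admits the whole internet to the given port."""
    return any(set(rule["cidrs"]) & WORLD
               and (rule["protocol"] == "-1" or rule["from_port"] <= port <= rule["to_port"])
               for rule in sg["ingress"])

# (check id, resource type, description, predicate returning True when compliant)
POLICIES = [
    ("SG_WORLD_SSH", "security_group", "SSH (22) reachable from 0.0.0.0/0",
     lambda r: not world_reaches_port(r, 22)),
    ("SG_WORLD_RDP", "security_group", "RDP (3389) reachable from 0.0.0.0/0",
     lambda r: not world_reaches_port(r, 3389)),
    ("S3_PUBLIC_ACL", "s3_acl", "bucket ACL grants public access",
     lambda r: r["acl"] not in ("public-read", "public-read-write")),
]

def scan(resources, policies=POLICIES):
    """Return failed checks, one dict per (resource, policy) pair."""
    return [{"check": pid, "resource": r["id"], "detail": desc}
            for r in resources for pid, rtype, desc, passes in policies
            if r["type"] == rtype and not passes(r)]

if __name__ == "__main__":
    findings = (scan(normalize_terraform(SAMPLE_TERRAFORM_JSON))
                + scan(normalize_cloudformation(SAMPLE_CLOUDFORMATION_JSON)))
    print(json.dumps(findings, indent=2))
```

Normalising first is what lets one policy set cover both template languages; it is also why a rule with protocol -1 (all traffic) must be treated as matching every port, a case a naive port-range comparison would miss.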
