Tags: AWS, Infrastructure Security, Terraform, CI/CD

IaC Security in 2026: Static Scanning, OpenTofu, and the Drift Problem

tfsec is dead, absorbed into Trivy. Checkov and Trivy are the real choice. But static scanning misses what someone changed in the console last Tuesday. Here is the full picture of IaC security in 2026, including runtime drift detection.


tfsec was deprecated in 2023 and fully absorbed into Trivy’s IaC scanning engine by the end of 2024. If your CI pipeline still calls tfsec directly, you are running an unmaintained binary against a stale ruleset. The practical choice for Terraform and OpenTofu static analysis is now Checkov or Trivy, and the more interesting 2026 story is what both of them miss.

Checkov vs Trivy for IaC Scanning

These tools address the same problem differently.

Trivy (Aqua Security) is a unified scanner - one binary handles container images, file systems, git repositories, Kubernetes manifests, and IaC files. Its IaC rules are the absorbed tfsec ruleset with ongoing additions. The advantage is a single tool that covers multiple scanning domains in the same CI pipeline step. The limitation: Trivy’s IaC analysis is file-level. It evaluates each resource configuration independently.

Checkov (Bridgecrew/Palo Alto) performs graph-based analysis. It builds a resource graph from the entire Terraform plan and checks cross-resource relationships - “this S3 bucket policy allows public access AND is referenced by this CloudFront distribution AND that CloudFront distribution has no WAF association” is a Checkov check, not a Trivy check. For complex AWS architectures where security depends on the relationship between resources, graph analysis catches what file-level analysis misses.

# Trivy - unified, fast, good for containers + IaC in one pass
trivy config --tf-vars terraform.tfvars .

# Checkov - graph-based, more comprehensive cross-resource checks
checkov -d . --framework terraform --output cli --output json
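To make the file-level versus graph distinction concrete, here is an added toy check (not Checkov's engine, not code from the post) that walks a constructed `terraform show -json` excerpt and only reports when the three facts line up: a bucket policy open to any principal, a CloudFront origin pointing at that bucket, and no `web_acl_id` on the distribution. Evaluating any one of those resources on its own would not produce this finding.

```python
"""Toy cross-resource check over `terraform show -json` output.

Hypothetical helper, not Checkov's engine: it shows why a finding that spans
three resources needs a graph of the plan rather than per-file evaluation.
"""
import json

# Constructed plan excerpt: a public bucket policy, a CloudFront distribution
# using that bucket as its origin, and no WAF (web_acl_id) on the distribution.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.site", "type": "aws_s3_bucket",
     "values": {"bucket": "site-assets"}},
    {"address": "aws_s3_bucket_policy.site", "type": "aws_s3_bucket_policy",
     "values": {"bucket": "site-assets",
                "policy": json.dumps({"Statement": [{"Effect": "Allow",
                          "Principal": "*", "Action": "s3:GetObject"}]})}},
    {"address": "aws_cloudfront_distribution.cdn",
     "type": "aws_cloudfront_distribution",
     "values": {"web_acl_id": "",
                "origin": [{"domain_name": "site-assets.s3.amazonaws.com"}]}},
]}}})


def public_buckets(resources):
    """Bucket names whose attached policy allows any principal."""
    public = set()
    for r in resources:
        if r["type"] != "aws_s3_bucket_policy":
            continue
        for stmt in json.loads(r["values"]["policy"]).get("Statement", []):
            principal = stmt.get("Principal")
            if stmt.get("Effect") == "Allow" and principal in ("*", {"AWS": "*"}):
                public.add(r["values"]["bucket"])
    return public


def unprotected_public_origins(plan_json):
    """Addresses of distributions that front a public bucket without a WAF."""
    resources = json.loads(plan_json)["planned_values"]["root_module"]["resources"]
    public = public_buckets(resources)
    findings = []
    for r in resources:
        if r["type"] != "aws_cloudfront_distribution" or r["values"].get("web_acl_id"):
            continue
        for origin in r["values"].get("origin", []):
            # Origin hostname is <bucket>.s3.amazonaws.com or a regional variant.
            if origin["domain_name"].split(".s3")[0] in public:
                findings.append(r["address"])
    return findings
```

Attaching a WAF (a non-empty `web_acl_id`) or tightening the policy clears the finding, which is the relationship a per-resource rule cannot express.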

The OpenTofu consideration: OpenTofu 1.8+ uses .tofu file extensions by convention and has diverged slightly from Terraform’s module graph format. Checkov’s graph engine handles OpenTofu correctly - the maintainers explicitly support the .tofu extension and the module resolution changes introduced in OpenTofu 1.7+. Trivy treats OpenTofu files as Terraform, which works for most configurations but can produce false negatives on OpenTofu-specific provider functions introduced in 1.8.

For a team using OpenTofu as the Terraform replacement (driven by the BSL licence change), Checkov is currently the more reliable choice.

Why Static Scanning Is Not Enough

Both tools share a fundamental limitation: they scan what is in your code repository. They cannot see what is actually deployed in your AWS account.

The gap this creates is called drift - the divergence between IaC-defined state and real cloud state. Drift happens in several ways:

Console changes. An engineer with console access fixes an urgent issue by clicking through the AWS Console. The Terraform state is out of sync immediately. The IaC scan shows a clean configuration. The deployed configuration has an S3 bucket policy that was manually edited at 2am two weeks ago.

Automated remediation. A security tool (GuardDuty, AWS Config, a custom Lambda) modifies a resource in response to a finding. Correct behaviour, but now the resource differs from its IaC definition.

Terraform state drift. Resources deleted outside Terraform, resources created by other means but still expected to be managed by Terraform, failed imports. terraform plan shows this drift; your CI pipeline’s static scan does not.

The security implication is real: Checkov reporting zero findings in your repository does not mean your deployed infrastructure is compliant. It means your declared-but-not-necessarily-deployed configuration is compliant.

Runtime Drift Detection

Several tools now provide continuous drift detection - comparing deployed AWS state against IaC definitions and alerting on divergence:

Spacelift and env0 are Terraform/OpenTofu orchestration platforms that run plans on a schedule and surface drift as a first-class UI element. They show you exactly which resources have drifted, what changed, and when. Both integrate with Slack and PagerDuty for alerting.

Pulumi Cloud provides drift detection for Pulumi stacks with a similar model - periodic reconciliation and divergence alerts.

AWS Config handles a narrower but important case: it evaluates specific AWS resource configurations against your defined rules on a continuous basis. For compliance-critical settings (S3 bucket public access blocks, CloudTrail enabled, root MFA), Config provides real-time alerting when the deployed state violates a rule, regardless of whether the change came from Terraform, the console, or an API call.

The AWS Config approach is complementary to Terraform-based drift detection. Config fires on any change via CloudTrail; Terraform drift detection fires when the IaC plan diverges from state. Together they cover both the “someone changed this” and the “someone changed this in a way that Terraform would not fix” cases.

The Practical Pipeline

A complete IaC security pipeline in 2026 has three layers:

Pre-commit: checkov -d . --quiet for fast feedback on common misconfigurations before pushing.

CI gate: Full Checkov scan against terraform plan -out=plan.tfplan output (Checkov can scan the JSON plan, which includes provider-resolved values). Fail the pull request on HIGH and CRITICAL findings. Optionally pipe results to your security platform.

- name: Terraform Plan
  run: terraform plan -out=plan.tfplan && terraform show -json plan.tfplan > plan.json

- name: Checkov scan
  uses: bridgecrewio/checkov-action@v12
  with:
    file: plan.json
    framework: terraform_plan
    soft_fail_on: LOW,MEDIUM
    hard_fail_on: HIGH,CRITICAL

Continuous drift: AWS Config rules for critical security properties (no public S3, CloudTrail enabled, GuardDuty active). Spacelift or env0 scheduled drift detection for full state comparison, alerting to Slack when drift exceeds a configurable threshold.
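The drift described in the previous section and the "continuous drift" layer of this pipeline can share one cheap signal: the plan JSON that the CI gate already produces carries a `resource_drift` array when Terraform's refresh sees live state that differs from recorded state. The added example below (not from the post or from any tool it names) reads a constructed excerpt of that array, lists the attributes that changed, and separates security-sensitive drift from noise; the `SENSITIVE_KEYS` table is an assumption to extend per account.

```python
"""Surface drift from `terraform show -json plan.tfplan` output.

Added example. It reads the `resource_drift` array Terraform writes when the
refreshed cloud state differs from recorded state, diffs before/after per
resource, and flags changes to security-relevant attributes.
"""
import json

# Attributes whose drift should page someone (assumed list, extend per account).
SENSITIVE_KEYS = {
    "aws_s3_bucket_public_access_block": {"block_public_acls", "block_public_policy",
                                          "ignore_public_acls", "restrict_public_buckets"},
    "aws_s3_bucket_policy": {"policy"},
    "aws_security_group_rule": {"cidr_blocks", "from_port", "to_port"},
}

# Constructed plan excerpt: a public-access block relaxed in the console, plus
# a harmless tag edit on an instance.
SAMPLE_PLAN = json.dumps({"resource_drift": [
    {"address": "aws_s3_bucket_public_access_block.logs",
     "type": "aws_s3_bucket_public_access_block",
     "change": {"actions": ["update"],
                "before": {"bucket": "logs", "block_public_policy": True,
                           "restrict_public_buckets": True},
                "after": {"bucket": "logs", "block_public_policy": False,
                          "restrict_public_buckets": True}}},
    {"address": "aws_instance.web", "type": "aws_instance",
     "change": {"actions": ["update"],
                "before": {"tags": {"owner": "a"}}, "after": {"tags": {"owner": "b"}}}},
]})


def changed_attributes(change):
    """Keys whose value differs between recorded state and live state."""
    before, after = change.get("before") or {}, change.get("after") or {}
    return {k for k in set(before) | set(after) if before.get(k) != after.get(k)}


def drift_report(plan_json):
    """Return (address, sorted changed keys, is_sensitive) per drifted resource."""
    report = []
    for res in json.loads(plan_json).get("resource_drift", []):
        changed = changed_attributes(res["change"])
        sensitive = bool(changed & SENSITIVE_KEYS.get(res["type"], set()))
        report.append((res["address"], sorted(changed), sensitive))
    return report


def sensitive_drift(plan_json):
    """Addresses whose drift should fail the job or alert on-call."""
    return [addr for addr, _, hot in drift_report(plan_json) if hot]
```

Running this on a scheduled plan, rather than only on pull requests, is the minimal home-grown version of what the orchestration platforms above surface in their UI.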

The CI gate prevents new misconfigurations from being introduced. The continuous drift detection catches the misconfigurations that arrive through every other channel.

OpenTofu’s Role in the 2026 Landscape

OpenTofu 1.8 introduced provider-defined functions - a feature that was on HashiCorp’s Terraform roadmap but was not delivered before the licence change. This has practical IaC security implications: providers can now expose functions that perform validation at plan time rather than apply time, enabling earlier detection of invalid or insecure configurations.

The OpenTofu community is also working on an attestation model for modules - the equivalent of SLSA provenance for Terraform modules, proving that a published module version corresponds to a specific source commit and was not modified after publication. This is directly relevant to the supply chain attack surface that the GitHub Actions and npm ecosystems have demonstrated is real.

For teams currently on Terraform open-source and evaluating the BSL implications, OpenTofu 1.8 is production-ready for the vast majority of use cases. The Checkov and Trivy integrations work. The provider ecosystem is maintained. The operational difference from Terraform is smaller than the licence risk of continuing on BSL without an enterprise contract.
