Infra Atlas · Toolbox

Security & Compliance.

The security tools that belong in every CI pipeline — not as optional extras but as gates. Scanning container images for CVEs, catching secrets committed to git, verifying IaC against security policies, and signing artifacts so you know what actually made it to production. ★ marks what runs on every push.

Trivy replaces manual CVE checking / separate scanners per surface

The scanner that does everything: container images, filesystems, git repos, IaC files, K8s clusters, SBOMs. One binary, one command format (trivy image nginx:latest), maintained CVE database. The fact that it replaces Clair, Anchore, and a manual IaC review in one install is why it became the default. CNCF project; integrates with GitHub Actions, GitLab CI, ArgoCD, and most container registries.

Form: CLI · Language: Go · Focus: images · Tags: mature, platform
aquasecurity/trivy
Gitleaks replaces accidentally committing AWS keys / tokens

Scans git history and staged changes for secrets — AWS keys, GitHub tokens, private keys, connection strings, anything matching its 140+ built-in rules. Runs as a pre-commit hook, CI gate, or a one-time scan of an existing repo. gitleaks detect --source . on a new repo is a 30-second sanity check every platform team should run before any external access is granted.

Form: CLI · Language: Go · Tags: mature, platform
gitleaks/gitleaks
Checkov replaces manual IaC security review

Static analysis for IaC — Terraform, CloudFormation, Kubernetes YAML, Helm, ARM templates, Dockerfiles. 750+ built-in policies covering CIS benchmarks, HIPAA, SOC2, PCI-DSS. checkov -d . in a terraform repo catches the common issues: public S3 buckets, unencrypted EBS, missing audit logging. Works as a pre-merge gate; integrates with most CI systems.

Form: CLI · Language: Python · Focus: iac · Tags: mature, platform
bridgecrewio/checkov
Cosign replaces unsigned container images in production

Signs and verifies container images using the Sigstore infrastructure — no key management required for keyless signing (OIDC-based). cosign sign image:tag in CI; cosign verify at admission. Pairs with Kyverno or OPA Gatekeeper policies to enforce that only signed images reach production. Part of the SLSA supply chain security framework.

Form: CLI · Language: Go · Focus: images · Tags: mature, platform
sigstore/cosign
Grype replaces Trivy for teams that want an Anchore-lineage scanner

Vulnerability scanner for container images and filesystems from Anchore. Pairs naturally with syft (SBOM generation from the same team): generate an SBOM once, scan it multiple times with updated vulnerability databases. Produces structured JSON output well-suited for downstream policy tooling. A solid alternative to Trivy; the two have slightly different CVE database coverage so some teams run both.

Form: CLI · Language: Go · Focus: images · Tags: mature, platform
anchore/grype
Falco replaces manual runtime threat detection

CNCF runtime security engine: installs as a DaemonSet, reads Linux system calls via eBPF or a kernel module, and alerts on suspicious behaviour — shell spawned inside a container, sensitive file read, privilege escalation attempt. The static scanners cover known CVEs; Falco covers the zero-day and misuse patterns that scanners miss. Required reading for any cluster handling sensitive workloads.

Form: daemon · Language: Go · Focus: runtime · Tags: mature, platform
falcosecurity/falco
* The images tag covers tools that scan or sign container images. The iac tag covers tools that scan infrastructure-as-code. The runtime tag covers tools that monitor running workloads. Trivy overlaps all three but is listed under images since that is the primary use case. Falco is the only daemon-form tool in this department — it needs to run continuously, not just in CI.