Secrets, SBOM & image overlap
Where scanners meet.
IaC misconfiguration scanning is one facet of a broader static-analysis space that a security program stitches together. Adjacent scanners: secrets detection (finding a committed AWS key or private key — Checkov, Trivy, gitleaks, detect-secrets all do this), SBOM and dependency scanning (what libraries your app ships and their CVEs), and image scanning (the container courses’ Trivy). They answer different questions, and the modern tools increasingly bundle several.
Compose coverage, avoid duplication
Design the program so each question is answered once by a tool you trust: IaC misconfig (Checkov or Trivy config), secrets (one secrets scanner, ideally as a pre-commit hook so they never land), dependencies/SBOM (Trivy fs or a dedicated SCA tool), images (Trivy image at build). Feeding results into one place (SARIF into the code-scanning dashboard) gives a unified view without running everything everywhere. The goal is complete coverage with minimal overlap.
# secrets as a pre-commit hook so they never reach the repo$ checkov -d . --framework secrets$ trivy fs --scanners secret,vuln,misconfig . # three layers, one pass, SARIF out$ trivy fs --scanners secret,vuln,misconfig -f sarif -o results.sarif .