CDK Insights is a CDK-native security and cost scanner: 100+ rules across 35 AWS services, AI-powered recommendations, and a dashboard, free to start via npm. It works alongside CDK Nag, capturing its findings into your reports rather than replacing it.
How the CDK security tools compare
| Capability | CDK Insights (most complete) | CDK Nag | Checkov | cfn-lint | cfn_nag | AWS Config |
|---|---|---|---|---|---|---|
| CDK-native (understands constructs) | | | | | | |
| Security best-practice rules | | | | | | |
| Cost optimisation analysis | | | | | | |
| AI-powered recommendations | | | | | | |
| Web dashboard & history | | | | | | |
| Pre-deployment (shift-left) | | | | | | |
| Free / open-source tier | Free tier | | | | | |
| Multi-framework (Terraform, K8s) | | | | | | |
| Actively maintained | | | | | | |

Comparison maintained by the CDK Insights team. Last updated June 2026. Tools evolve; verify specifics against each project's current documentation.
CDK Insights vs CDK Nag
CDK Nag is an open-source CDK Aspect that checks constructs against compliance rule packs (HIPAA, NIST, PCI DSS). It runs during synthesis and, by default, blocks on violations. CDK Insights is a separate tool with 100+ built-in static analysis rules covering security, cost, and operational best practices across 35 AWS services. If you use CDK Nag alongside CDK Insights, the cdk-insights aspect captures CDK Nag findings into your reports without blocking your deploys, even on critical findings, so you decide what to fail on. The two tools work well together, and CDK Insights adds AI-powered analysis, a web dashboard, and team collaboration on top.
CDK Insights strengths
- Compatible with CDK Nag; surfaces its findings in your reports
- AI-powered recommendations that catch architectural issues
- Web dashboard with historical tracking
- Multiple output formats (JSON, Markdown, Table, Summary)
CDK Nag strengths
- Fully open-source (Apache 2.0)
- Zero external dependencies
- Works in air-gapped environments
CDK Insights vs Checkov
Checkov is a general-purpose infrastructure-as-code scanner from Bridgecrew (Prisma Cloud). It supports Terraform, CloudFormation, Kubernetes, Helm, and more. Because Checkov targets multiple IaC frameworks, its CDK coverage is indirect. It scans the synthesized CloudFormation output rather than understanding CDK constructs natively. CDK Insights is built specifically for AWS CDK, which means it understands construct hierarchies, L2/L3 abstractions, and CDK-specific patterns that a generic scanner misses.
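Two points above deserve a concrete illustration: a generic scanner works on the synthesized CloudFormation output rather than on CDK constructs, and a scanner that reports findings without blocking lets the team decide what fails the build. The following Python script is an added example, not code from CDK Insights, Checkov, CDK Nag or any other tool on this page. It walks the `Resources` of a constructed, cut-down CDK-synthesized template, applies two illustrative checks (an S3 bucket that does not block all public access, and a security group with ingress open to the world), maps each finding back to the originating construct through the `aws:cdk:path` metadata entry that CDK writes into synthesized templates, and applies a caller-chosen severity gate. The template, rule identifiers and severities are constructed for the illustration and are assumptions of the example.

```python
"""Template-level scan of a CDK-synthesized CloudFormation template.

Added example, not the code of any tool on this page. Assumes the template is
CDK output (so resources carry an `aws:cdk:path` Metadata entry) and uses two
illustrative checks with constructed rule ids and severities.
"""
import json
from dataclasses import dataclass

# Constructed sample template (the shape of a cdk.out/*.template.json file):
# one bucket missing PublicAccessBlockConfiguration, one security group open
# to 0.0.0.0/0 on port 22, and one security group restricted to a private range.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "LogsBucket1A2B3C": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "example-logs"},
            "Metadata": {"aws:cdk:path": "DemoStack/LogsBucket/Resource"},
        },
        "AdminSG4D5E6F": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": "0.0.0.0/0"},
                ],
            },
            "Metadata": {"aws:cdk:path": "DemoStack/AdminSG/Resource"},
        },
        "AppSG7G8H9I": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "app tier",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                     "CidrIp": "10.0.0.0/8"},
                ],
            },
            "Metadata": {"aws:cdk:path": "DemoStack/AppSG/Resource"},
        },
    }
})

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    logical_id: str       # CloudFormation logical id in the template
    construct_path: str   # CDK construct path recovered from Metadata
    message: str


def check_s3_public_access_block(resource):
    """Flag a bucket unless all four public-access-block switches are true."""
    pab = resource.get("Properties", {}).get("PublicAccessBlockConfiguration", {})
    required = ("BlockPublicAcls", "BlockPublicPolicy",
                "IgnorePublicAcls", "RestrictPublicBuckets")
    if all(pab.get(key) is True for key in required):
        return None
    return ("S3-PUBLIC-ACCESS-BLOCK", "HIGH",
            "bucket does not block all public access")


def check_sg_open_to_world(resource):
    """Flag any ingress rule whose source is the whole IPv4 or IPv6 internet."""
    for rule in resource.get("Properties", {}).get("SecurityGroupIngress", []):
        if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
            return ("EC2-SG-OPEN-INGRESS", "CRITICAL",
                    f"ingress from anywhere on ports "
                    f"{rule.get('FromPort')}-{rule.get('ToPort')}")
    return None


# Checks are keyed by CloudFormation resource type, as a template scanner must be.
CHECKS = {
    "AWS::S3::Bucket": [check_s3_public_access_block],
    "AWS::EC2::SecurityGroup": [check_sg_open_to_world],
}


def scan_template(template_json: str) -> list:
    """Run every applicable check over each resource and collect findings."""
    template = json.loads(template_json)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        path = resource.get("Metadata", {}).get("aws:cdk:path", "<no construct path>")
        for check in CHECKS.get(resource.get("Type"), []):
            result = check(resource)
            if result is not None:
                rule_id, severity, message = result
                findings.append(Finding(rule_id, severity, logical_id, path, message))
    return findings


def should_fail(findings, fail_on: str = "CRITICAL") -> bool:
    """Gate policy lives with the caller: fail only at or above `fail_on`."""
    threshold = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK[f.severity] >= threshold for f in findings)


if __name__ == "__main__":
    found = scan_template(SAMPLE_TEMPLATE)
    for f in found:
        print(f"[{f.severity}] {f.rule_id} {f.construct_path} ({f.logical_id}): {f.message}")
    raise SystemExit(1 if should_fail(found, "CRITICAL") else 0)
```

Run against a real `cdk.out/*.template.json` the script reports on synthesized resources only; the construct path in each finding is the closest a template-level scan gets to "mapping back to CDK code", which is why L2/L3 patterns that never appear as distinct resources are invisible to it. The exit status is decided by `should_fail`, so the same findings can be advisory on a feature branch and blocking on main.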
CDK Insights strengths
- CDK-native analysis that understands constructs
- Findings mapped to CDK code, not just CloudFormation resources
- AI recommendations tailored to CDK patterns
- Faster setup with zero configuration for CDK projects
Checkov strengths
- Supports Terraform, Kubernetes, Helm, and other frameworks
- Large community-maintained rule library
- Part of the Prisma Cloud ecosystem
CDK Insights vs cfn-lint
cfn-lint (CloudFormation Linter) validates CloudFormation templates against the AWS resource specification. It catches syntax errors, invalid property values, and type mismatches. It is a linter, not a security tool. cfn-lint tells you whether your template is valid CloudFormation; CDK Insights tells you whether your infrastructure is secure, well-architected, and following best practices. The two tools solve different problems and can be used together.
CDK Insights strengths
- Security and best practices analysis, not just syntax validation
- 100+ rules covering security, cost, and operations
- AI-powered architectural recommendations
- Understands CDK constructs, not just raw CloudFormation
cfn-lint strengths
- Catches CloudFormation syntax errors CDK Insights does not check for
- Validates against the full AWS resource specification
- Useful as a complementary tool alongside CDK Insights
CDK Insights vs cfn_nag
cfn_nag is the predecessor to CDK Nag. It scans raw CloudFormation templates (JSON/YAML) for security issues using a Ruby-based rule engine. It predates CDK and has no awareness of CDK constructs. cfn_nag is no longer actively maintained, and most teams have migrated to CDK Nag or other tools. CDK Insights covers everything cfn_nag checks and significantly more, with active development and CDK-native analysis.
CDK Insights strengths
- Actively maintained with regular rule updates
- CDK-native analysis with construct awareness
- Broader rule coverage (100+ rules vs ~70 in cfn_nag)
- AI-powered recommendations beyond static rules
cfn_nag strengths
- Works on raw CloudFormation without CDK
- Ruby-based, useful if your tooling is Ruby-centric
CDK Insights vs AWS Config
AWS Config monitors your deployed AWS resources and evaluates them against rules in real time. It is a runtime compliance tool that detects drift and policy violations after resources are created. CDK Insights is a pre-deployment tool that catches issues before they reach AWS. The two are complementary: CDK Insights shifts security left into your development workflow, while AWS Config provides ongoing runtime monitoring in production.
CDK Insights strengths
- Pre-deployment analysis catches issues before they reach AWS
- No AWS costs for scanning (runs locally)
- Faster feedback loop during development
- Understands CDK constructs and developer intent
AWS Config strengths
- Monitors live infrastructure in real time
- Detects configuration drift after deployment
- Integrates with AWS Systems Manager for auto-remediation
Why Choose CDK Insights?
Built for CDK
CDK Insights understands CDK constructs, L2/L3 abstractions, and construct hierarchies. Findings map to your CDK code, not just raw CloudFormation resources.
Broadest Rule Coverage
100+ built-in rules across 35 AWS services. Compatible with CDK Nag for additional compliance checks. Security, cost optimization, and operational best practices in one tool.
AI-Powered Analysis
Go beyond pattern matching. The AI engine examines your overall architecture and produces context-aware recommendations that static rules cannot catch.
Free Static Analysis
Run unlimited static analysis scans with no account required. The free tier gives you 100+ rules across 35 AWS services, multiple output formats, and CLI integration forever.
CI/CD Ready
The official GitHub Action, CLI tool, and CDK Aspect mode let you integrate analysis wherever it fits your workflow. Block PRs on critical findings automatically.
Dashboard & Collaboration
Track findings over time, compare scans across branches, and assign issues to team members. The web dashboard gives your team visibility into security posture.
Try CDK Insights for Free
100+ rules, zero configuration, no account required. Run your first scan in under a minute.