feat(misconf): Use updated terminology for misconfiguration checks (#6476)

Signed-off-by: Simar <simar@linux.com>
2025-12-23 07:29:00 -08:00 · 2024-05-02 12:16:17 -06:00
parent cdee7030ac
commit 37da98df45
52 changed files with 1074 additions and 398 deletions
--- a/docs/docs/configuration/cache.md
+++ b/docs/docs/configuration/cache.md
@@ -70,7 +70,7 @@ $ trivy server --cache-backend redis://localhost:6379 \
 [trivy-db]: ./db.md#vulnerability-database
 [trivy-java-db]: ./db.md#java-index-database
-[misconf-policies]: ../scanner/misconfiguration/policy/builtin.md
+[misconf-policies]: ../scanner/misconfiguration/check/builtin.md
 [^1]: Downloaded when scanning for vulnerabilities
 [^2]: Downloaded when scanning `jar/war/par/ear` files
--- a/docs/docs/coverage/iac/helm.md
+++ b/docs/docs/coverage/iac/helm.md
@@ -11,7 +11,7 @@ The following scanners are supported.
 Trivy recursively searches directories and scans all found Helm files.
 It evaluates variables, functions, and other elements within Helm templates and resolve the chart to Kubernetes manifests then run the Kubernetes checks.
-See [here](../../scanner/misconfiguration/policy/builtin.md) for more details on the built-in policies.
+See [here](../../scanner/misconfiguration/check/builtin.md) for more details on the built-in policies.
 ### Value overrides
 There are a number of options for overriding values in Helm charts.
--- a/docs/docs/references/configuration/cli/trivy_aws.md
+++ b/docs/docs/references/configuration/cli/trivy_aws.md
@@ -69,9 +69,11 @@ trivy aws [flags]
      --account string                    The AWS account to scan. It's useful to specify this when reviewing cached results for multiple accounts.
      --arn string                        The AWS ARN to show results for. Useful to filter results once a scan is cached.
      --cf-params strings                 specify paths to override the CloudFormation parameters files
      --check-namespaces strings          Rego namespaces
      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
      --compliance string                 compliance report to generate (aws-cis-1.2,aws-cis-1.4)
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
      --endpoint string                   AWS Endpoint override
      --exit-code int                     specify exit code when any security issues are found
@@ -91,14 +93,12 @@ trivy aws [flags]
      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
  -o, --output string                     output file name
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
      --policy-namespaces strings         Rego namespaces
      --region string                     AWS Region to scan
      --report string                     specify a report format for the output (all,summary) (default "all")
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
      --service strings                   Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc.
  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-      --skip-policy-update                skip fetching rego policy updates
+      --skip-check-update                 skip fetching rego check updates
      --skip-service strings              Skip selected AWS Service(s) specified with this flag. Can specify multiple services using --skip-service A --skip-service B etc.
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
--- a/docs/docs/references/configuration/cli/trivy_config.md
+++ b/docs/docs/references/configuration/cli/trivy_config.md
@@ -12,10 +12,12 @@ trivy config [flags] DIR
      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --cf-params strings                 specify paths to override the CloudFormation parameters files
      --check-namespaces strings          Rego namespaces
      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
      --clear-cache                       clear image caches without scanning
      --compliance string                 compliance report to generate
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --enable-modules strings            [EXPERIMENTAL] module names to enable
      --exit-code int                     specify exit code when any security issues are found
      --file-patterns strings             specify config file patterns
@@ -36,19 +38,17 @@ trivy config [flags] DIR
  -o, --output string                     output file name
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
      --policy-namespaces strings         Rego namespaces
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
      --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
      --registry-token string             registry token
      --report string                     specify a compliance report format for the output (all,summary) (default "all")
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --skip-check-update                 skip fetching rego check updates
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
      --skip-policy-update                skip fetching rego policy updates
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tf-vars strings                   specify paths to override the Terraform tfvars files
--- a/docs/docs/references/configuration/cli/trivy_filesystem.md
+++ b/docs/docs/references/configuration/cli/trivy_filesystem.md
@@ -22,10 +22,12 @@ trivy filesystem [flags] PATH
      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --cf-params strings                 specify paths to override the CloudFormation parameters files
      --check-namespaces strings          Rego namespaces
      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
      --clear-cache                       clear image caches without scanning
      --compliance string                 compliance report to generate
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --custom-headers strings            custom headers in client mode
      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
@@ -61,8 +63,6 @@ trivy filesystem [flags] PATH
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
      --policy-namespaces strings         Rego namespaces
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
@@ -71,18 +71,18 @@ trivy filesystem [flags] PATH
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
      --report string                     specify a compliance report format for the output (all,summary) (default "all")
      --reset                             remove all caches and database
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
      --server string                     server address in client mode
  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
      --skip-check-update                 skip fetching rego check updates
      --skip-db-update                    skip updating vulnerability database
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
      --skip-java-db-update               skip updating Java index database
      --skip-policy-update                skip fetching rego policy updates
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tf-vars strings                   specify paths to override the Terraform tfvars files
--- a/docs/docs/references/configuration/cli/trivy_image.md
+++ b/docs/docs/references/configuration/cli/trivy_image.md
@@ -36,10 +36,12 @@ trivy image [flags] IMAGE_NAME
 ```
      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --check-namespaces strings          Rego namespaces
      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
      --clear-cache                       clear image caches without scanning
      --compliance string                 compliance report to generate (docker-cis)
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --custom-headers strings            custom headers in client mode
      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
@@ -81,8 +83,6 @@ trivy image [flags] IMAGE_NAME
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --platform string                   set platform in the form os/arch if image is multi-platform capable
      --podman-host string                unix podman socket path to use for podman scanning
      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
      --policy-namespaces strings         Rego namespaces
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
@@ -92,18 +92,18 @@ trivy image [flags] IMAGE_NAME
      --removed-pkgs                      detect vulnerabilities of removed packages (only for Alpine)
      --report string                     specify a format for the compliance report. (all,summary) (default "summary")
      --reset                             remove all caches and database
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
      --server string                     server address in client mode
  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
      --skip-check-update                 skip fetching rego check updates
      --skip-db-update                    skip updating vulnerability database
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
      --skip-java-db-update               skip updating Java index database
      --skip-policy-update                skip fetching rego policy updates
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --token string                      for authentication in client/server mode
--- a/docs/docs/references/configuration/cli/trivy_kubernetes.md
+++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md
@@ -32,10 +32,12 @@ trivy kubernetes [flags] [CONTEXT]
      --burst int                         specify the maximum burst for throttle (default 10)
      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --check-namespaces strings          Rego namespaces
      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
      --clear-cache                       clear image caches without scanning
      --compliance string                 compliance report to generate (k8s-nsa,k8s-cis,k8s-pss-baseline,k8s-pss-restricted)
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
      --disable-node-collector            When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.
@@ -76,8 +78,6 @@ trivy kubernetes [flags] [CONTEXT]
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
      --policy-namespaces strings         Rego namespaces
      --qps float                         specify the maximum QPS to the master from this client (default 5)
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
@@ -87,18 +87,18 @@ trivy kubernetes [flags] [CONTEXT]
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
      --report string                     specify a report format for the output (all,summary) (default "all")
      --reset                             remove all caches and database
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
      --skip-check-update                 skip fetching rego check updates
      --skip-db-update                    skip updating vulnerability database
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
      --skip-images                       skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources
      --skip-java-db-update               skip updating Java index database
      --skip-policy-update                skip fetching rego policy updates
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tolerations strings               specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)
--- a/docs/docs/references/configuration/cli/trivy_repository.md
+++ b/docs/docs/references/configuration/cli/trivy_repository.md
@@ -22,10 +22,12 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --cf-params strings                 specify paths to override the CloudFormation parameters files
      --check-namespaces strings          Rego namespaces
      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
      --clear-cache                       clear image caches without scanning
      --commit string                     pass the commit hash to be scanned
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --custom-headers strings            custom headers in client mode
      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
@@ -61,8 +63,6 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
      --policy-namespaces strings         Rego namespaces
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
@@ -70,18 +70,18 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --registry-token string             registry token
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
      --reset                             remove all caches and database
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
      --server string                     server address in client mode
  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
      --skip-check-update                 skip fetching rego check updates
      --skip-db-update                    skip updating vulnerability database
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
      --skip-java-db-update               skip updating Java index database
      --skip-policy-update                skip fetching rego policy updates
      --tag string                        pass the tag name to be scanned
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
--- a/docs/docs/references/configuration/cli/trivy_rootfs.md
+++ b/docs/docs/references/configuration/cli/trivy_rootfs.md
@@ -25,9 +25,11 @@ trivy rootfs [flags] ROOTDIR
      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --cf-params strings                 specify paths to override the CloudFormation parameters files
      --check-namespaces strings          Rego namespaces
      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
      --clear-cache                       clear image caches without scanning
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --custom-headers strings            custom headers in client mode
      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
@@ -63,8 +65,6 @@ trivy rootfs [flags] ROOTDIR
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
      --policy-namespaces strings         Rego namespaces
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
@@ -72,18 +72,18 @@ trivy rootfs [flags] ROOTDIR
      --registry-token string             registry token
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
      --reset                             remove all caches and database
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
      --server string                     server address in client mode
  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
      --skip-check-update                 skip fetching rego check updates
      --skip-db-update                    skip updating vulnerability database
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
      --skip-java-db-update               skip updating Java index database
      --skip-policy-update                skip fetching rego policy updates
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tf-vars strings                   specify paths to override the Terraform tfvars files
--- a/docs/docs/references/configuration/cli/trivy_vm.md
+++ b/docs/docs/references/configuration/cli/trivy_vm.md
@@ -23,6 +23,7 @@ trivy vm [flags] VM_IMAGE
      --aws-region string                 AWS region to scan
      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
      --clear-cache                       clear image caches without scanning
      --compliance string                 compliance report to generate
      --custom-headers strings            custom headers in client mode
@@ -56,14 +57,13 @@ trivy vm [flags] VM_IMAGE
  -o, --output string                     output file name
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
      --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
      --reset                             remove all caches and database
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
--- a/docs/docs/scanner/misconfiguration/check/builtin.md
+++ b/docs/docs/scanner/misconfiguration/check/builtin.md
@@ -0,0 +1,21 @@
 # Built-in Checks 
 ## Check Sources
 Built-in checks are mainly written in [Rego][rego] and Go.
 Those checks are managed under [trivy-checks repository][trivy-checks].
 See [here](../../../coverage/iac/index.md) for the list of supported config types.
 For suggestions or issues regarding policy content, please open an issue under the [trivy-checks][trivy-checks] repository.
 ## Check Distribution
 Trivy checks are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
 When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
 Those checks are then loaded into Trivy OPA engine and used for detecting misconfigurations.
 If Trivy is unable to pull down newer checks, it will use the embedded set of checks as a fallback. This is also the case in air-gap environments where `--skip-policy-update` might be passed.
 ## Update Interval
 Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
 [rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
 [trivy-checks]: https://github.com/aquasecurity/trivy-checks
 [ghcr]: https://github.com/aquasecurity/trivy-checks/pkgs/container/trivy-checks
--- a/docs/docs/scanner/misconfiguration/policy/exceptions.md
+++ b/docs/docs/scanner/misconfiguration/policy/exceptions.md
@@ -28,8 +28,6 @@ The `exception` rule must be defined under `namespace.exceptions`.
 This example exempts all built-in policies for Kubernetes.
 For more details, see [an example][ns-example].
 ## Rule-based exceptions
 There are some cases where you need more flexibility and granularity in defining which cases to exempt.
 Rule-based exceptions lets you granularly choose which individual rules to exempt, while also declaring under which conditions to exempt them.
@@ -87,12 +85,8 @@ If you want to apply rule-based exceptions to built-in policies, you have to def
    }
    ```
-This exception is applied to [KSV012][ksv012] in trivy-policies.
+This exception is applied to [KSV012][ksv012] in trivy-checks.
-You can get the package names in the [trivy-policies repository][trivy-policies] or the JSON output from Trivy.
+You can get the package names in the [trivy-checks repository][trivy-checks] or the JSON output from Trivy.
-For more details, see [an example][rule-example].
+[ksv012]: https://github.com/aquasecurity/trivy-checks/blob/f36a5b732c4b1293a720c40baab0a7c106ea455e/checks/kubernetes/pss/restricted/3_runs_as_root.rego 
-
+[trivy-checks]: https://github.com/aquasecurity/trivy-checks/
 [ns-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/namespace-exception
 [rule-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/rule-exception
 [ksv012]: https://github.com/aquasecurity/trivy-policies/blob/main/rules/kubernetes/policies/pss/restricted/3_runs_as_root.rego 
 [trivy-policies]: https://github.com/aquasecurity/trivy-policies/
--- a/docs/docs/scanner/misconfiguration/custom/testing.md
+++ b/docs/docs/scanner/misconfiguration/custom/testing.md
@@ -22,7 +22,7 @@ For more details, see [Policy Testing][opa-testing].
    }
    ```
-To write tests for custom policies, you can refer to existing tests under [trivy-policies][trivy-policies].
+To write tests for custom policies, you can refer to existing tests under [trivy-checks][trivy-checks].
 ## Go testing
 [Fanal][fanal] which is a core library of Trivy can be imported as a Go library.
@@ -85,6 +85,6 @@ The following example stores allowed and denied configuration files in a directo
 `Dockerfile.allowed` has one successful result in `Successes`, while `Dockerfile.denied` has one failure result in `Failures`.
 [opa-testing]: https://www.openpolicyagent.org/docs/latest/policy-testing/
-[defsec]: https://github.com/aquasecurity/trivy-policies/tree/main
+[defsec]: https://github.com/aquasecurity/trivy-checks/tree/main
 [table]: https://github.com/golang/go/wiki/TableDrivenTests
 [fanal]: https://github.com/aquasecurity/fanal
--- a/docs/docs/scanner/misconfiguration/policy/builtin.md
+++ b/docs/docs/scanner/misconfiguration/policy/builtin.md
@@ -1,24 +0,0 @@
 # Built-in Policies
 ## Policy Sources
 Built-in policies are mainly written in [Rego][rego] and Go.
 Those policies are managed under [trivy-policies repository][trivy-policies].
 See [here](../../../coverage/iac/index.md) for the list of supported config types.
 For suggestions or issues regarding policy content, please open an issue under the [trivy-policies][trivy-policies] repository.
 ## Policy Distribution
 Trivy policies are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
 When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
 Those policies are then loaded into Trivy OPA engine and used for detecting misconfigurations.
 If Trivy is unable to pull down newer policies, it will use the embedded set of policies as a fallback. This is also the case in air-gap environments where `--skip-policy-update` might be passed.
 ## Update Interval
 Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
 [rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
 [kubernetes-policies]: https://github.com/aquasecurity/trivy-policies/tree/main/rules/kubernetes/policies
 [docker-policies]: https://github.com/aquasecurity/trivy-policies/tree/main/rules/docker/policies
 [trivy-policies]: https://github.com/aquasecurity/trivy-policies
 [ghcr]: https://github.com/aquasecurity/trivy-policies/pkgs/container/trivy-policies
--- a/docs/tutorials/misconfiguration/custom-checks.md
+++ b/docs/tutorials/misconfiguration/custom-checks.md
@@ -108,4 +108,4 @@ Please replace:
 * [Rego provides a long list of courses](https://academy.styra.com/collections) that can be useful in writing more complex checks
 * [The Rego documentation provides detailed information on the different types, iterations etc.](https://www.openpolicyagent.org/docs/latest/)
-* Have a look at the [built-in checks](https://github.com/aquasecurity/trivy-policies/tree/main/checks) for Trivy for inspiration on how to write custom checks.
+* Have a look at the [built-in checks](https://github.com/aquasecurity/trivy-checks/tree/main/checks) for Trivy for inspiration on how to write custom checks.
--- a/go.mod
+++ b/go.mod
@@ -21,13 +21,13 @@ require (
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
 	github.com/aquasecurity/loading v0.0.5
 	github.com/aquasecurity/table v1.8.0
-	github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da
+	github.com/aquasecurity/testdocker v0.0.0-20240419073403-90bd43849334
 	github.com/aquasecurity/tml v0.6.1
 	github.com/aquasecurity/trivy-aws v0.8.0
 	github.com/aquasecurity/trivy-checks v0.10.5-0.20240430045208-6cc735de6b9e
 	github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d
 	github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
 	github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240425111126-a549f8de71bb
 	github.com/aquasecurity/trivy-policies v0.10.0
 	github.com/aws/aws-sdk-go-v2 v1.26.1
 	github.com/aws/aws-sdk-go-v2/config v1.27.11
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.11
@@ -42,7 +42,7 @@ require (
 	github.com/cheggaaa/pb/v3 v3.1.4
 	github.com/containerd/containerd v1.7.16
 	github.com/csaf-poc/csaf_distribution/v3 v3.0.0
-	github.com/docker/docker v25.0.5+incompatible
+	github.com/docker/docker v26.0.1+incompatible
 	github.com/docker/go-connections v0.5.0
 	github.com/fatih/color v1.16.0
 	github.com/go-git/go-git/v5 v5.11.0
@@ -242,7 +242,7 @@ require (
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-	github.com/distribution/reference v0.5.0 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
 	github.com/dlclark/regexp2 v1.4.0 // indirect
 	github.com/docker/cli v25.0.1+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
@@ -324,6 +324,7 @@ require (
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
@@ -391,7 +392,6 @@ require (
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.1.0 // indirect
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/oauth2 v0.18.0 // indirect
--- a/go.sum
+++ b/go.sum
--- a/integration/aws_cloud_test.go
+++ b/integration/aws_cloud_test.go
@@ -25,7 +25,7 @@ func TestAwsCommandRun(t *testing.T) {
 		{
 			name: "fail without region",
 			options: flag.Options{
-				RegoOptions: flag.RegoOptions{SkipPolicyUpdate: true},
+				RegoOptions: flag.RegoOptions{SkipCheckUpdate: true},
 			},
 			envs: map[string]string{
 				"AWS_ACCESS_KEY_ID":     "test",
@@ -39,7 +39,7 @@ func TestAwsCommandRun(t *testing.T) {
 				"AWS_PROFILE": "non-existent-profile",
 			},
 			options: flag.Options{
-				RegoOptions: flag.RegoOptions{SkipPolicyUpdate: true},
+				RegoOptions: flag.RegoOptions{SkipCheckUpdate: true},
 				AWSOptions: flag.AWSOptions{
 					Region: "us-east-1",
 				},
--- a/magefiles/magefile.go
+++ b/magefiles/magefile.go
@@ -420,16 +420,19 @@ func installed(cmd string) bool {
 type Schema mg.Namespace
 // Generate generates Cloud Schema for misconfiguration scanning
 func (Schema) Generate() error {
 	return sh.RunWith(ENV, "go", "run", "-tags=mage_schema", "./magefiles", "--", "generate")
 }
 // Verify verifies Cloud Schema for misconfiguration scanning
 func (Schema) Verify() error {
 	return sh.RunWith(ENV, "go", "run", "-tags=mage_schema", "./magefiles", "--", "verify")
 }
 type CloudActions mg.Namespace
 // Generate generates the list of possible cloud actions with AWS
 func (CloudActions) Generate() error {
 	return sh.RunWith(ENV, "go", "run", "-tags=mage_cloudactions", "./magefiles")
 }
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -55,8 +55,8 @@ nav:
          - Misconfiguration:
              - Overview: docs/scanner/misconfiguration/index.md
              - Policy:
-                  - Built-in Policies: docs/scanner/misconfiguration/policy/builtin.md
+                  - Built-in Checks: docs/scanner/misconfiguration/check/builtin.md
-                  - Exceptions: docs/scanner/misconfiguration/policy/exceptions.md
+                  - Exceptions: docs/scanner/misconfiguration/check/exceptions.md
              - Custom Policies:
                  - Overview: docs/scanner/misconfiguration/custom/index.md
                  - Data: docs/scanner/misconfiguration/custom/data.md
--- a/pkg/cloud/aws/commands/run.go
+++ b/pkg/cloud/aws/commands/run.go
@@ -3,6 +3,7 @@ package commands
 import (
 	"context"
 	"errors"
 	"sort"
 	"strings"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
@@ -161,6 +162,10 @@ func Run(ctx context.Context, opt flag.Options) error {
 	log.DebugContext(ctx, "Writing report to output...")
 	sort.Slice(results, func(i, j int) bool {
 		return results[i].Rule().AVDID < results[j].Rule().AVDID
 	})
 	res := results.GetFailed()
 	if opt.MisconfOptions.IncludeNonFailures {
 		res = results
--- a/pkg/cloud/aws/commands/run_test.go
+++ b/pkg/cloud/aws/commands/run_test.go
@@ -142,30 +142,6 @@ const expectedS3ScanResult = `{
            }
          }
        },
        {
          "Type": "AWS",
          "ID": "AVD-AWS-0132",
          "AVDID": "AVD-AWS-0132",
          "Title": "S3 encryption should use Customer Managed Keys",
          "Description": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
          "Message": "Bucket does not encrypt data with a customer managed key.",
          "Resolution": "Enable encryption using customer managed keys",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132",
          "References": [
            "https://avd.aquasec.com/misconfig/avd-aws-0132"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "arn:aws:s3:::examplebucket",
            "Provider": "aws",
            "Service": "s3",
            "Code": {
              "Lines": null
            }
          }
        },
        {
          "Type": "AWS",
          "ID": "AVD-AWS-0091",
@@ -260,6 +236,30 @@ const expectedS3ScanResult = `{
              "Lines": null
            }
          }
        },
        {
          "Type": "AWS",
          "ID": "AVD-AWS-0132",
          "AVDID": "AVD-AWS-0132",
          "Title": "S3 encryption should use Customer Managed Keys",
          "Description": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
          "Message": "Bucket does not encrypt data with a customer managed key.",
          "Resolution": "Enable encryption using customer managed keys",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132",
          "References": [
            "https://avd.aquasec.com/misconfig/avd-aws-0132"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "arn:aws:s3:::examplebucket",
            "Provider": "aws",
            "Service": "s3",
            "Code": {
              "Lines": null
            }
          }
        }
      ]
    }
@@ -355,7 +355,7 @@ const expectedCustomScanResult = `{
          "Type": "AWS",
          "Title": "Bad input data",
          "Description": "Just failing rule with input data",
-          "Message": "Rego policy resulted in DENY",
+          "Message": "Rego check resulted in DENY",
          "Namespace": "user.whatever",
          "Query": "deny",
          "Severity": "LOW",
@@ -480,30 +480,6 @@ const expectedCustomScanResult = `{
            }
          }
        },
        {
          "Type": "AWS",
          "ID": "AVD-AWS-0132",
          "AVDID": "AVD-AWS-0132",
          "Title": "S3 encryption should use Customer Managed Keys",
          "Description": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
          "Message": "Bucket does not encrypt data with a customer managed key.",
          "Resolution": "Enable encryption using customer managed keys",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132",
          "References": [
            "https://avd.aquasec.com/misconfig/avd-aws-0132"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "arn:aws:s3:::examplebucket",
            "Provider": "aws",
            "Service": "s3",
            "Code": {
              "Lines": null
            }
          }
        },
        {
          "Type": "AWS",
          "ID": "AVD-AWS-0091",
@@ -598,6 +574,30 @@ const expectedCustomScanResult = `{
              "Lines": null
            }
          }
        },
        {
          "Type": "AWS",
          "ID": "AVD-AWS-0132",
          "AVDID": "AVD-AWS-0132",
          "Title": "S3 encryption should use Customer Managed Keys",
          "Description": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
          "Message": "Bucket does not encrypt data with a customer managed key.",
          "Resolution": "Enable encryption using customer managed keys",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132",
          "References": [
            "https://avd.aquasec.com/misconfig/avd-aws-0132"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "arn:aws:s3:::examplebucket",
            "Provider": "aws",
            "Service": "s3",
            "Code": {
              "Lines": null
            }
          }
        }
      ]
    }
@@ -659,10 +659,10 @@ const expectedS3AndCloudTrailResult = `{
          "Type": "AWS",
          "ID": "AVD-AWS-0015",
          "AVDID": "AVD-AWS-0015",
-          "Title": "Cloudtrail should be encrypted at rest to secure access to sensitive trail data",
+          "Title": "CloudTrail should use Customer managed keys to encrypt the logs",
-          "Description": "Cloudtrail logs should be encrypted at rest to secure the sensitive data. Cloudtrail logs record all activity that occurs in the the account through API calls and would be one of the first places to look when reacting to a breach.",
+          "Description": "Using Customer managed keys provides comprehensive control over cryptographic keys, enabling management of policies, permissions, and rotation, thus enhancing security and compliance measures for sensitive data and systems.",
-          "Message": "Trail is not encrypted.",
+          "Message": "CloudTrail does not use a customer managed key to encrypt the logs.",
-          "Resolution": "Enable encryption at rest",
+          "Resolution": "Use Customer managed key",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0015",
          "References": [
@@ -835,30 +835,6 @@ const expectedS3AndCloudTrailResult = `{
            }
          }
        },
        {
          "Type": "AWS",
          "ID": "AVD-AWS-0132",
          "AVDID": "AVD-AWS-0132",
          "Title": "S3 encryption should use Customer Managed Keys",
          "Description": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
          "Message": "Bucket does not encrypt data with a customer managed key.",
          "Resolution": "Enable encryption using customer managed keys",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132",
          "References": [
            "https://avd.aquasec.com/misconfig/avd-aws-0132"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "arn:aws:s3:::examplebucket",
            "Provider": "aws",
            "Service": "s3",
            "Code": {
              "Lines": null
            }
          }
        },
        {
          "Type": "AWS",
          "ID": "AVD-AWS-0091",
@@ -953,6 +929,30 @@ const expectedS3AndCloudTrailResult = `{
              "Lines": null
            }
          }
        },
        {
          "Type": "AWS",
          "ID": "AVD-AWS-0132",
          "AVDID": "AVD-AWS-0132",
          "Title": "S3 encryption should use Customer Managed Keys",
          "Description": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
          "Message": "Bucket does not encrypt data with a customer managed key.",
          "Resolution": "Enable encryption using customer managed keys",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132",
          "References": [
            "https://avd.aquasec.com/misconfig/avd-aws-0132"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "arn:aws:s3:::examplebucket",
            "Provider": "aws",
            "Service": "s3",
            "Code": {
              "Lines": null
            }
          }
        }
      ]
    }
@@ -977,7 +977,7 @@ func Test_Run(t *testing.T) {
 		{
 			name: "succeed with cached infra",
 			options: flag.Options{
-				RegoOptions: flag.RegoOptions{SkipPolicyUpdate: true},
+				RegoOptions: flag.RegoOptions{SkipCheckUpdate: true},
 				AWSOptions: flag.AWSOptions{
 					Region:   "us-east-1",
 					Services: []string{"s3"},
@@ -1005,16 +1005,16 @@ func Test_Run(t *testing.T) {
 				},
 				RegoOptions: flag.RegoOptions{
 					Trace: true,
-					PolicyPaths: []string{
+					CheckPaths: []string{
 						filepath.Join(regoDir, "policies"),
 					},
-					PolicyNamespaces: []string{
+					CheckNamespaces: []string{
 						"user",
 					},
 					DataPaths: []string{
 						filepath.Join(regoDir, "data"),
 					},
-					SkipPolicyUpdate: true,
+					SkipCheckUpdate: true,
 				},
 				MisconfOptions: flag.MisconfOptions{IncludeNonFailures: true},
 			},
@@ -1082,7 +1082,7 @@ deny {
 					Format:       "table",
 					ReportFormat: "summary",
 				},
-				RegoOptions: flag.RegoOptions{SkipPolicyUpdate: true},
+				RegoOptions: flag.RegoOptions{SkipCheckUpdate: true},
 			},
 			cacheContent: "testdata/s3onlycache.json",
 			allServices:  []string{"s3"},
@@ -1098,7 +1098,7 @@ Summary Report for compliance: my-custom-spec
 		{
 			name: "scan an unsupported service",
 			options: flag.Options{
-				RegoOptions: flag.RegoOptions{SkipPolicyUpdate: true},
+				RegoOptions: flag.RegoOptions{SkipCheckUpdate: true},
 				AWSOptions: flag.AWSOptions{
 					Region:   "us-east-1",
 					Account:  "123456789",
@@ -1115,7 +1115,7 @@ Summary Report for compliance: my-custom-spec
 		{
 			name: "scan every service",
 			options: flag.Options{
-				RegoOptions: flag.RegoOptions{SkipPolicyUpdate: true},
+				RegoOptions: flag.RegoOptions{SkipCheckUpdate: true},
 				AWSOptions: flag.AWSOptions{
 					Region:  "us-east-1",
 					Account: "123456789",
@@ -1135,7 +1135,7 @@ Summary Report for compliance: my-custom-spec
 		{
 			name: "skip certain services and include specific services",
 			options: flag.Options{
-				RegoOptions: flag.RegoOptions{SkipPolicyUpdate: true},
+				RegoOptions: flag.RegoOptions{SkipCheckUpdate: true},
 				AWSOptions: flag.AWSOptions{
 					Region:       "us-east-1",
 					Services:     []string{"s3"},
@@ -1158,7 +1158,7 @@ Summary Report for compliance: my-custom-spec
 		{
 			name: "only skip certain services but scan the rest",
 			options: flag.Options{
-				RegoOptions: flag.RegoOptions{SkipPolicyUpdate: true},
+				RegoOptions: flag.RegoOptions{SkipCheckUpdate: true},
 				AWSOptions: flag.AWSOptions{
 					Region: "us-east-1",
 					SkipServices: []string{
@@ -1183,7 +1183,7 @@ Summary Report for compliance: my-custom-spec
 		{
 			name: "fail - service specified to both include and exclude",
 			options: flag.Options{
-				RegoOptions: flag.RegoOptions{SkipPolicyUpdate: true},
+				RegoOptions: flag.RegoOptions{SkipCheckUpdate: true},
 				AWSOptions: flag.AWSOptions{
 					Region:       "us-east-1",
 					Services:     []string{"s3"},
@@ -1201,7 +1201,7 @@ Summary Report for compliance: my-custom-spec
 		{
 			name: "ignore findings with .trivyignore",
 			options: flag.Options{
-				RegoOptions: flag.RegoOptions{SkipPolicyUpdate: true},
+				RegoOptions: flag.RegoOptions{SkipCheckUpdate: true},
 				AWSOptions: flag.AWSOptions{
 					Region:   "us-east-1",
 					Services: []string{"s3"},
--- a/pkg/cloud/aws/scanner/scanner.go
+++ b/pkg/cloud/aws/scanner/scanner.go
@@ -72,13 +72,14 @@ func (s *AWSScanner) Scan(ctx context.Context, option flag.Options) (scan.Result
 	var policyPaths []string
 	var downloadedPolicyPaths []string
 	var err error
-	downloadedPolicyPaths, err = operation.InitBuiltinPolicies(context.Background(), option.CacheDir, option.Quiet, option.SkipPolicyUpdate, option.MisconfOptions.PolicyBundleRepository, option.RegistryOpts())
+
 	downloadedPolicyPaths, err = operation.InitBuiltinPolicies(context.Background(), option.CacheDir, option.Quiet, option.SkipCheckUpdate, option.MisconfOptions.ChecksBundleRepository, option.RegistryOpts())
 	if err != nil {
-		if !option.SkipPolicyUpdate {
+		if !option.SkipCheckUpdate {
-			s.logger.Error("Falling back to embedded policies", log.Err(err))
+			s.logger.Error("Falling back to embedded checks", log.Err(err))
 		}
 	} else {
-		s.logger.Debug("Policies successfully loaded from disk")
+		s.logger.Debug("Checks successfully loaded from disk")
 		policyPaths = append(policyPaths, downloadedPolicyPaths...)
 		scannerOpts = append(scannerOpts,
 			options.ScannerWithEmbeddedPolicies(false),
@@ -86,7 +87,7 @@ func (s *AWSScanner) Scan(ctx context.Context, option flag.Options) (scan.Result
 	}
 	var policyFS fs.FS
-	policyFS, policyPaths, err = misconf.CreatePolicyFS(append(policyPaths, option.RegoOptions.PolicyPaths...))
+	policyFS, policyPaths, err = misconf.CreatePolicyFS(append(policyPaths, option.RegoOptions.CheckPaths...))
 	if err != nil {
 		return nil, false, xerrors.Errorf("unable to create policyfs: %w", err)
 	}
@@ -105,7 +106,7 @@ func (s *AWSScanner) Scan(ctx context.Context, option flag.Options) (scan.Result
 		options.ScannerWithDataFilesystem(dataFS),
 	)
-	scannerOpts = addPolicyNamespaces(option.RegoOptions.PolicyNamespaces, scannerOpts)
+	scannerOpts = addPolicyNamespaces(option.RegoOptions.CheckNamespaces, scannerOpts)
 	if option.Compliance.Spec.ID != "" {
 		scannerOpts = append(scannerOpts, options.ScannerWithSpec(option.Compliance.Spec.ID))
--- a/pkg/commands/app.go
+++ b/pkg/commands/app.go
@@ -1230,10 +1230,10 @@ func showVersion(cacheDir, outputFormat string, w io.Writer) error {
 }
 func validateArgs(cmd *cobra.Command, args []string) error {
-	// '--clear-cache', '--download-db-only', '--download-java-db-only', '--reset' and '--generate-default-config' don't conduct the subsequent scanning
+	// '--clear-cache', '--download-db-only', '--download-java-db-only', '--reset', '--reset-checks-bundle' and '--generate-default-config' don't conduct the subsequent scanning
 	if viper.GetBool(flag.ClearCacheFlag.ConfigName) || viper.GetBool(flag.DownloadDBOnlyFlag.ConfigName) ||
 		viper.GetBool(flag.ResetFlag.ConfigName) || viper.GetBool(flag.GenerateDefaultConfigFlag.ConfigName) ||
-		viper.GetBool(flag.DownloadJavaDBOnlyFlag.ConfigName) || viper.GetBool(flag.ResetPolicyBundleFlag.ConfigName) {
+		viper.GetBool(flag.DownloadJavaDBOnlyFlag.ConfigName) || viper.GetBool(flag.ResetChecksBundleFlag.ConfigName) {
 		return nil
 	}
--- a/pkg/commands/app_test.go
+++ b/pkg/commands/app_test.go
@@ -43,7 +43,7 @@ Java DB:
  UpdatedAt: 2023-03-14 00:47:02.774253754 +0000 UTC
  NextUpdate: 2023-03-17 00:47:02.774253254 +0000 UTC
  DownloadedAt: 2023-03-14 03:04:55.058541039 +0000 UTC
-Policy Bundle:
+Check Bundle:
  Digest: sha256:19a017cdc798631ad42f6f4dce823d77b2989128f0e1a7f9bc83ae3c59024edd
  DownloadedAt: 2023-03-02 01:06:08.191725 +0000 UTC
 `,
@@ -81,11 +81,11 @@ Java DB:
  UpdatedAt: 2023-03-14 00:47:02.774253754 +0000 UTC
  NextUpdate: 2023-03-17 00:47:02.774253254 +0000 UTC
  DownloadedAt: 2023-03-14 03:04:55.058541039 +0000 UTC
-Policy Bundle:
+Check Bundle:
  Digest: sha256:19a017cdc798631ad42f6f4dce823d77b2989128f0e1a7f9bc83ae3c59024edd
  DownloadedAt: 2023-03-02 01:06:08.191725 +0000 UTC
 `
-	jsonOutput := `{"Version":"dev","VulnerabilityDB":{"Version":2,"NextUpdate":"2022-03-02T12:07:07.99504023Z","UpdatedAt":"2022-03-02T06:07:07.99504083Z","DownloadedAt":"2022-03-02T10:03:38.383312Z"},"JavaDB":{"Version":1,"NextUpdate":"2023-03-17T00:47:02.774253254Z","UpdatedAt":"2023-03-14T00:47:02.774253754Z","DownloadedAt":"2023-03-14T03:04:55.058541039Z"},"PolicyBundle":{"Digest":"sha256:19a017cdc798631ad42f6f4dce823d77b2989128f0e1a7f9bc83ae3c59024edd","DownloadedAt":"2023-03-02T01:06:08.191725Z"}}
+	jsonOutput := `{"Version":"dev","VulnerabilityDB":{"Version":2,"NextUpdate":"2022-03-02T12:07:07.99504023Z","UpdatedAt":"2022-03-02T06:07:07.99504083Z","DownloadedAt":"2022-03-02T10:03:38.383312Z"},"JavaDB":{"Version":1,"NextUpdate":"2023-03-17T00:47:02.774253254Z","UpdatedAt":"2023-03-14T00:47:02.774253754Z","DownloadedAt":"2023-03-14T03:04:55.058541039Z"},"CheckBundle":{"Digest":"sha256:19a017cdc798631ad42f6f4dce823d77b2989128f0e1a7f9bc83ae3c59024edd","DownloadedAt":"2023-03-02T01:06:08.191725Z"}}
 `
 	tests := []struct {
 		name      string
--- a/pkg/commands/artifact/run.go
+++ b/pkg/commands/artifact/run.go
@@ -367,10 +367,10 @@ func (r *runner) initCache(opts flag.Options) error {
 		return SkipScan
 	}
-	if opts.ResetPolicyBundle {
+	if opts.ResetChecksBundle {
-		c, err := policy.NewClient(fsutils.CacheDir(), true, opts.MisconfOptions.PolicyBundleRepository)
+		c, err := policy.NewClient(fsutils.CacheDir(), true, opts.MisconfOptions.ChecksBundleRepository)
 		if err != nil {
-			return xerrors.Errorf("failed to instantiate policy client: %w", err)
+			return xerrors.Errorf("failed to instantiate check client: %w", err)
 		}
 		if err := c.Clear(); err != nil {
 			return xerrors.Errorf("failed to remove the cache: %w", err)
@@ -579,10 +579,11 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 		var downloadedPolicyPaths []string
 		var disableEmbedded bool
-		downloadedPolicyPaths, err := operation.InitBuiltinPolicies(context.Background(), opts.CacheDir, opts.Quiet, opts.SkipPolicyUpdate, opts.MisconfOptions.PolicyBundleRepository, opts.RegistryOpts())
+
 		downloadedPolicyPaths, err := operation.InitBuiltinPolicies(context.Background(), opts.CacheDir, opts.Quiet, opts.SkipCheckUpdate, opts.MisconfOptions.ChecksBundleRepository, opts.RegistryOpts())
 		if err != nil {
-			if !opts.SkipPolicyUpdate {
+			if !opts.SkipCheckUpdate {
-				log.Error("Falling back to embedded policies", log.Err(err))
+				log.Error("Falling back to embedded checks", log.Err(err))
 			}
 		} else {
 			log.Debug("Policies successfully loaded from disk")
@@ -591,8 +592,8 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 		configScannerOptions = misconf.ScannerOption{
 			Debug:                    opts.Debug,
 			Trace:                    opts.Trace,
-			Namespaces:               append(opts.PolicyNamespaces, rego.BuiltinNamespaces()...),
+			Namespaces:               append(opts.CheckNamespaces, rego.BuiltinNamespaces()...),
-			PolicyPaths:              append(opts.PolicyPaths, downloadedPolicyPaths...),
+			PolicyPaths:              append(opts.CheckPaths, downloadedPolicyPaths...),
 			DataPaths:                opts.DataPaths,
 			HelmValues:               opts.HelmValues,
 			HelmValueFiles:           opts.HelmValueFiles,
--- a/pkg/commands/operation/operation.go
+++ b/pkg/commands/operation/operation.go
@@ -149,13 +149,13 @@ func showDBInfo(cacheDir string) error {
 }
 // InitBuiltinPolicies downloads the built-in policies and loads them
-func InitBuiltinPolicies(ctx context.Context, cacheDir string, quiet, skipUpdate bool, policyBundleRepository string, registryOpts ftypes.RegistryOptions) ([]string, error) {
+func InitBuiltinPolicies(ctx context.Context, cacheDir string, quiet, skipUpdate bool, checkBundleRepository string, registryOpts ftypes.RegistryOptions) ([]string, error) {
 	mu.Lock()
 	defer mu.Unlock()
-	client, err := policy.NewClient(cacheDir, quiet, policyBundleRepository)
+	client, err := policy.NewClient(cacheDir, quiet, checkBundleRepository)
 	if err != nil {
-		return nil, xerrors.Errorf("policy client error: %w", err)
+		return nil, xerrors.Errorf("check client error: %w", err)
 	}
 	needsUpdate := false
@@ -177,11 +177,11 @@ func InitBuiltinPolicies(ctx context.Context, cacheDir string, quiet, skipUpdate
 	policyPaths, err := client.LoadBuiltinPolicies()
 	if err != nil {
 		if skipUpdate {
-			msg := "No downloadable policies were loaded as --skip-policy-update is enabled"
+			msg := "No downloadable policies were loaded as --skip-check-update is enabled"
 			log.Info(msg)
 			return nil, xerrors.Errorf(msg)
 		}
-		return nil, xerrors.Errorf("policy load error: %w", err)
+		return nil, xerrors.Errorf("check load error: %w", err)
 	}
 	return policyPaths, nil
 }
--- a/pkg/compliance/spec/compliance.go
+++ b/pkg/compliance/spec/compliance.go
@@ -9,7 +9,7 @@ import (
 	"golang.org/x/xerrors"
 	"gopkg.in/yaml.v3"
-	sp "github.com/aquasecurity/trivy-policies/pkg/spec"
+	sp "github.com/aquasecurity/trivy-checks/pkg/spec"
 	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
--- a/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile_test.go
+++ b/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile_test.go
@@ -33,7 +33,7 @@ func Test_historyAnalyzer_Analyze(t *testing.T) {
 					},
 					History: []v1.History{
 						{
-							// this is fine, see https://github.com/aquasecurity/trivy-policies/pull/60 for details
+							// this is fine, see https://github.com/aquasecurity/trivy-checks/pull/60 for details
 							CreatedBy:  "/bin/sh -c #(nop) ADD file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /",
 							EmptyLayer: false,
 						},
--- a/pkg/fanal/cache/key.go
+++ b/pkg/fanal/cache/key.go
@@ -36,7 +36,7 @@ func CalcKey(id string, analyzerVersions analyzer.Versions, hookVersions map[str
 		return "", xerrors.Errorf("json encode error: %w", err)
 	}
-	// Write policy, data contents and secret config file
+	// Write check, data contents and secret config file
 	paths := append(artifactOpt.MisconfScannerOption.PolicyPaths, artifactOpt.MisconfScannerOption.DataPaths...)
 	// Check if the secret config exists.
--- a/pkg/flag/misconf_flags.go
+++ b/pkg/flag/misconf_flags.go
@@ -15,10 +15,17 @@ import (
 //	  config-policy: "custom-policy/policy"
 //	  policy-namespaces: "user"
 var (
-	ResetPolicyBundleFlag = Flag[bool]{
+	ResetChecksBundleFlag = Flag[bool]{
 		Name:       "reset-checks-bundle",
 		ConfigName: "misconfiguration.reset-checks-bundle",
 		Usage:      "remove checks bundle",
 		Aliases: []Alias{
 			{
 				Name:       "reset-policy-bundle",
 				ConfigName: "misconfiguration.reset-policy-bundle",
-		Usage:      "remove policy bundle",
+				Deprecated: true,
 			},
 		},
 	}
 	IncludeNonFailuresFlag = Flag[bool]{
 		Name:       "include-non-failures",
@@ -71,11 +78,18 @@ var (
 		ConfigName: "misconfiguration.terraform.exclude-downloaded-modules",
 		Usage:      "exclude misconfigurations for downloaded terraform modules",
 	}
-	PolicyBundleRepositoryFlag = Flag[string]{
+	ChecksBundleRepositoryFlag = Flag[string]{
 		Name:       "checks-bundle-repository",
 		ConfigName: "misconfiguration.checks-bundle-repository",
 		Default:    fmt.Sprintf("%s:%d", policy.BundleRepository, policy.BundleVersion),
 		Usage:      "OCI registry URL to retrieve checks bundle from",
 		Aliases: []Alias{
 			{
 				Name:       "policy-bundle-repository",
 				ConfigName: "misconfiguration.policy-bundle-repository",
-		Default:    fmt.Sprintf("%s:%d", policy.BundleRepository, policy.BundleVersion),
+				Deprecated: true,
-		Usage:      "OCI registry URL to retrieve policy bundle from",
+			},
 		},
 	}
 	MisconfigScannersFlag = Flag[[]string]{
 		Name:       "misconfig-scanners",
@@ -88,8 +102,8 @@ var (
 // MisconfFlagGroup composes common printer flag structs used for commands providing misconfiguration scanning.
 type MisconfFlagGroup struct {
 	IncludeNonFailures     *Flag[bool]
-	ResetPolicyBundle      *Flag[bool]
+	ResetChecksBundle      *Flag[bool]
-	PolicyBundleRepository *Flag[string]
+	ChecksBundleRepository *Flag[string]
 	// Values Files
 	HelmValues                 *Flag[[]string]
@@ -106,8 +120,8 @@ type MisconfFlagGroup struct {
 type MisconfOptions struct {
 	IncludeNonFailures     bool
-	ResetPolicyBundle      bool
+	ResetChecksBundle      bool
-	PolicyBundleRepository string
+	ChecksBundleRepository string
 	// Values Files
 	HelmValues              []string
@@ -125,8 +139,8 @@ type MisconfOptions struct {
 func NewMisconfFlagGroup() *MisconfFlagGroup {
 	return &MisconfFlagGroup{
 		IncludeNonFailures:     IncludeNonFailuresFlag.Clone(),
-		ResetPolicyBundle:      ResetPolicyBundleFlag.Clone(),
+		ResetChecksBundle:      ResetChecksBundleFlag.Clone(),
-		PolicyBundleRepository: PolicyBundleRepositoryFlag.Clone(),
+		ChecksBundleRepository: ChecksBundleRepositoryFlag.Clone(),
 		HelmValues:                 HelmSetFlag.Clone(),
 		HelmFileValues:             HelmSetFileFlag.Clone(),
@@ -148,8 +162,8 @@ func (f *MisconfFlagGroup) Name() string {
 func (f *MisconfFlagGroup) Flags() []Flagger {
 	return []Flagger{
 		f.IncludeNonFailures,
-		f.ResetPolicyBundle,
+		f.ResetChecksBundle,
-		f.PolicyBundleRepository,
+		f.ChecksBundleRepository,
 		f.HelmValues,
 		f.HelmValueFiles,
 		f.HelmFileValues,
@@ -170,8 +184,8 @@ func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error) {
 	return MisconfOptions{
 		IncludeNonFailures:      f.IncludeNonFailures.Value(),
-		ResetPolicyBundle:       f.ResetPolicyBundle.Value(),
+		ResetChecksBundle:       f.ResetChecksBundle.Value(),
-		PolicyBundleRepository:  f.PolicyBundleRepository.Value(),
+		ChecksBundleRepository:  f.ChecksBundleRepository.Value(),
 		HelmValues:              f.HelmValues.Value(),
 		HelmValueFiles:          f.HelmValueFiles.Value(),
 		HelmFileValues:          f.HelmFileValues.Value(),
--- a/pkg/flag/rego_flags.go
+++ b/pkg/flag/rego_flags.go
@@ -7,66 +7,74 @@ package flag
 //	  config-policy: "custom-policy/policy"
 //	  policy-namespaces: "user"
 var (
-	SkipPolicyUpdateFlag = Flag[bool]{
+	SkipCheckUpdateFlag = Flag[bool]{
 		Name:       "skip-check-update",
 		ConfigName: "rego.skip-check-update",
 		Usage:      "skip fetching rego check updates",
 		Aliases: []Alias{
 			{
 				Name:       "skip-policy-update",
-		ConfigName: "rego.skip-policy-update",
+				Deprecated: true,
-		Usage:      "skip fetching rego policy updates",
+			},
 		},
 	}
 	TraceFlag = Flag[bool]{
 		Name:       "trace",
 		ConfigName: "rego.trace",
 		Usage:      "enable more verbose trace output for custom queries",
 	}
-	ConfigPolicyFlag = Flag[[]string]{
+	ConfigCheckFlag = Flag[[]string]{
-		Name:       "config-policy",
+		Name:       "config-check",
-		ConfigName: "rego.policy",
+		ConfigName: "rego.check",
-		Usage:      "specify the paths to the Rego policy files or to the directories containing them, applying config files",
+		Usage:      "specify the paths to the Rego check files or to the directories containing them, applying config files",
 		Aliases: []Alias{
-			{Name: "policy"},
+			{Name: "policy", Deprecated: true},
 			{Name: "config-policy", Deprecated: true},
 		},
 	}
 	ConfigDataFlag = Flag[[]string]{
 		Name:       "config-data",
 		ConfigName: "rego.data",
-		Usage:      "specify paths from which data for the Rego policies will be recursively loaded",
+		Usage:      "specify paths from which data for the Rego checks will be recursively loaded",
 		Aliases: []Alias{
 			{Name: "data"},
 		},
 	}
-	PolicyNamespaceFlag = Flag[[]string]{
+	CheckNamespaceFlag = Flag[[]string]{
-		Name:       "policy-namespaces",
+		Name:       "check-namespaces",
 		ConfigName: "rego.namespaces",
 		Usage:      "Rego namespaces",
 		Aliases: []Alias{
 			{Name: "namespaces"},
 			{Name: "policy-namespaces", Deprecated: true},
 		},
 	}
 )
 // RegoFlagGroup composes common printer flag structs used for commands providing misconfinguration scanning.
 type RegoFlagGroup struct {
-	SkipPolicyUpdate *Flag[bool]
+	SkipCheckUpdate *Flag[bool]
 	Trace           *Flag[bool]
-	PolicyPaths      *Flag[[]string]
+	CheckPaths      *Flag[[]string]
 	DataPaths       *Flag[[]string]
-	PolicyNamespaces *Flag[[]string]
+	CheckNamespaces *Flag[[]string]
 }
 type RegoOptions struct {
-	SkipPolicyUpdate bool
+	SkipCheckUpdate bool
 	Trace           bool
-	PolicyPaths      []string
+	CheckPaths      []string
 	DataPaths       []string
-	PolicyNamespaces []string
+	CheckNamespaces []string
 }
 func NewRegoFlagGroup() *RegoFlagGroup {
 	return &RegoFlagGroup{
-		SkipPolicyUpdate: SkipPolicyUpdateFlag.Clone(),
+		SkipCheckUpdate: SkipCheckUpdateFlag.Clone(),
 		Trace:           TraceFlag.Clone(),
-		PolicyPaths:      ConfigPolicyFlag.Clone(),
+		CheckPaths:      ConfigCheckFlag.Clone(),
 		DataPaths:       ConfigDataFlag.Clone(),
-		PolicyNamespaces: PolicyNamespaceFlag.Clone(),
+		CheckNamespaces: CheckNamespaceFlag.Clone(),
 	}
 }
@@ -76,11 +84,11 @@ func (f *RegoFlagGroup) Name() string {
 func (f *RegoFlagGroup) Flags() []Flagger {
 	return []Flagger{
-		f.SkipPolicyUpdate,
+		f.SkipCheckUpdate,
 		f.Trace,
-		f.PolicyPaths,
+		f.CheckPaths,
 		f.DataPaths,
-		f.PolicyNamespaces,
+		f.CheckNamespaces,
 	}
 }
@@ -90,10 +98,10 @@ func (f *RegoFlagGroup) ToOptions() (RegoOptions, error) {
 	}
 	return RegoOptions{
-		SkipPolicyUpdate: f.SkipPolicyUpdate.Value(),
+		SkipCheckUpdate: f.SkipCheckUpdate.Value(),
 		Trace:           f.Trace.Value(),
-		PolicyPaths:      f.PolicyPaths.Value(),
+		CheckPaths:      f.CheckPaths.Value(),
 		DataPaths:       f.DataPaths.Value(),
-		PolicyNamespaces: f.PolicyNamespaces.Value(),
+		CheckNamespaces: f.CheckNamespaces.Value(),
 	}, nil
 }
--- a/pkg/iac/rego/embed.go
+++ b/pkg/iac/rego/embed.go
@@ -8,7 +8,7 @@ import (
 	"github.com/open-policy-agent/opa/ast"
-	checks "github.com/aquasecurity/trivy-policies"
+	checks "github.com/aquasecurity/trivy-checks"
 	"github.com/aquasecurity/trivy/pkg/iac/rules"
 )
--- a/pkg/iac/rego/embed_test.go
+++ b/pkg/iac/rego/embed_test.go
@@ -3,7 +3,7 @@ package rego
 import (
 	"testing"
-	rules2 "github.com/aquasecurity/trivy-policies"
+	checks "github.com/aquasecurity/trivy-checks"
 	"github.com/aquasecurity/trivy/pkg/iac/rules"
 	"github.com/open-policy-agent/opa/ast"
 	"github.com/stretchr/testify/assert"
@@ -84,7 +84,7 @@ deny[res]{
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			policies, err := LoadPoliciesFromDirs(rules2.EmbeddedLibraryFileSystem, ".")
+			policies, err := LoadPoliciesFromDirs(checks.EmbeddedLibraryFileSystem, ".")
 			require.NoError(t, err)
 			newRule, err := ast.ParseModuleWithOpts("/rules/newrule.rego", tc.inputPolicy, ast.ParserOptions{
 				ProcessAnnotation: true,
--- a/pkg/iac/rego/load.go
+++ b/pkg/iac/rego/load.go
@@ -173,7 +173,7 @@ func (s *Scanner) fallbackChecks(compiler *ast.Compiler) {
 		}
 		s.debug.Log("Found embedded check: %s", embedded.Package.Location.File)
-		delete(s.policies, loc) // remove bad policy
+		delete(s.policies, loc) // remove bad check
 		s.policies[embedded.Package.Location.File] = embedded
 		delete(s.embeddedChecks, embedded.Package.Location.File) // avoid infinite loop if embedded check contains ref error
 		excludedFiles = append(excludedFiles, e.Location.File)
@@ -228,7 +228,7 @@ func (s *Scanner) compilePolicies(srcFS fs.FS, paths []string) error {
 		return err
 	}
 	if custom {
-		s.inputSchema = nil // discard auto detected input schema in favor of policy defined schema
+		s.inputSchema = nil // discard auto detected input schema in favor of check defined schema
 	}
 	compiler := ast.NewCompiler().
--- a/pkg/iac/rego/load_test.go
+++ b/pkg/iac/rego/load_test.go
@@ -8,7 +8,7 @@ import (
 	"testing"
 	"testing/fstest"
-	trivy_policies "github.com/aquasecurity/trivy-policies"
+	checks "github.com/aquasecurity/trivy-checks"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -197,7 +197,7 @@ deny {
 			}
 			fsys := fstest.MapFS(tt.files)
-			trivy_policies.EmbeddedPolicyFileSystem = embeddedChecksFS
+			checks.EmbeddedPolicyFileSystem = embeddedChecksFS
 			err := scanner.LoadPolicies(false, false, fsys, []string{"."}, nil)
 			if tt.expectedErr != "" {
--- a/pkg/iac/rego/result.go
+++ b/pkg/iac/rego/result.go
@@ -67,7 +67,7 @@ func parseResult(raw interface{}) *regoResult {
 	case map[string]interface{}:
 		result = parseCause(val)
 	default:
-		result.Message = "Rego policy resulted in DENY"
+		result.Message = "Rego check resulted in DENY"
 	}
 	return &result
 }
@@ -150,7 +150,7 @@ func (s *Scanner) convertResults(set rego.ResultSet, input Input, namespace, rul
 					regoResult.Filepath = input.Path
 				}
 				if regoResult.Message == "" {
-					regoResult.Message = fmt.Sprintf("Rego policy rule: %s.%s", namespace, rule)
+					regoResult.Message = fmt.Sprintf("Rego check rule: %s.%s", namespace, rule)
 				}
 				regoResult.StartLine += offset
 				regoResult.EndLine += offset
--- a/pkg/iac/rego/result_test.go
+++ b/pkg/iac/rego/result_test.go
@@ -17,7 +17,7 @@ func Test_parseResult(t *testing.T) {
 			input: nil,
 			want: regoResult{
 				Managed: true,
-				Message: "Rego policy resulted in DENY",
+				Message: "Rego check resulted in DENY",
 			},
 		},
 		{
--- a/pkg/iac/rego/scanner.go
+++ b/pkg/iac/rego/scanner.go
@@ -248,7 +248,7 @@ func (s *Scanner) ScanInput(ctx context.Context, inputs ...Input) (scan.Results,
 		}
 		if isPolicyWithSubtype(s.sourceType) {
-			// skip if policy isn't relevant to what is being scanned
+			// skip if check isn't relevant to what is being scanned
 			if !isPolicyApplicable(staticMeta, inputs...) {
 				continue
 			}
@@ -326,7 +326,7 @@ func isPolicyApplicable(staticMetadata *StaticMetadata, inputs ...Input) bool {
 					continue
 				}
-				if len(staticMetadata.InputOptions.Selectors) == 0 { // policy always applies if no selectors
+				if len(staticMetadata.InputOptions.Selectors) == 0 { // check always applies if no selectors
 					return true
 				}
--- a/pkg/iac/rego/schemas/dockerfile.json
+++ b/pkg/iac/rego/schemas/dockerfile.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://github.com/aquasecurity/trivy-policies/blob/main/pkg/rego/schemas/dockerfile.json",
+  "$id": "https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/dockerfile.json",
  "type": "object",
  "properties": {
    "Stages": {
--- a/pkg/iac/rego/schemas/kubernetes.json
+++ b/pkg/iac/rego/schemas/kubernetes.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://github.com/aquasecurity/trivy-policies/blob/main/pkg/rego/schemas/kubernetes.json",
+  "$id": "https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/kubernetes.json",
  "type": "object",
  "properties": {
    "apiVersion": {
--- a/pkg/iac/rego/schemas/rbac.json
+++ b/pkg/iac/rego/schemas/rbac.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://github.com/aquasecurity/trivy-policies/blob/main/pkg/rego/schemas/rbac.json",
+  "$id": "https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/rbac.json",
  "type": "object",
  "properties": {
    "apiVersion": {
--- a/pkg/iac/rules/register.go
+++ b/pkg/iac/rules/register.go
@@ -5,7 +5,7 @@ import (
 	"gopkg.in/yaml.v3"
-	"github.com/aquasecurity/trivy-policies/specs"
+	"github.com/aquasecurity/trivy-checks/specs"
 	"github.com/aquasecurity/trivy/pkg/iac/framework"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	dftypes "github.com/aquasecurity/trivy/pkg/iac/types"
--- a/pkg/iac/rules/rules.go
+++ b/pkg/iac/rules/rules.go
@@ -1,79 +1,79 @@
 package rules
 import (
-	trules "github.com/aquasecurity/trivy-policies/pkg/rules"
+	trules "github.com/aquasecurity/trivy-checks/pkg/rules"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/accessanalyzer"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/accessanalyzer"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/apigateway"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/apigateway"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/athena"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/athena"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/cloudfront"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/cloudfront"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/cloudtrail"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/cloudtrail"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/cloudwatch"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/cloudwatch"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/codebuild"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/codebuild"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/config"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/config"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/documentdb"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/documentdb"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/dynamodb"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/dynamodb"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/ec2"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/ec2"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/ecr"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/ecr"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/ecs"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/ecs"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/efs"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/efs"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/eks"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/eks"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/elasticache"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/elasticache"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/elasticsearch"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/elasticsearch"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/elb"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/elb"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/emr"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/emr"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/iam"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/iam"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/kinesis"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/kinesis"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/kms"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/kms"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/lambda"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/lambda"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/mq"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/mq"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/msk"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/msk"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/neptune"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/neptune"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/rds"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/rds"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/redshift"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/redshift"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/s3"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/s3"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/sam"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/sam"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/sns"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/sns"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/sqs"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/sqs"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/ssm"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/ssm"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/workspaces"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/workspaces"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/appservice"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/appservice"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/authorization"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/authorization"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/compute"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/compute"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/container"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/container"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/database"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/database"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/datafactory"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/datafactory"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/datalake"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/datalake"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/keyvault"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/keyvault"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/monitor"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/monitor"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/network"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/network"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/securitycenter"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/securitycenter"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/storage"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/storage"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/synapse"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/synapse"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/cloudstack/compute"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/cloudstack/compute"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/digitalocean/compute"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/digitalocean/compute"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/digitalocean/spaces"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/digitalocean/spaces"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/github/actions"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/github/actions"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/github/branch_protections"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/github/branch_protections"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/github/repositories"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/github/repositories"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/google/bigquery"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/google/bigquery"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/google/compute"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/google/compute"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/google/dns"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/google/dns"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/google/gke"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/google/gke"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/google/iam"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/google/iam"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/google/kms"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/google/kms"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/google/sql"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/google/sql"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/google/storage"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/google/storage"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/nifcloud/computing"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/nifcloud/computing"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/nifcloud/dns"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/nifcloud/dns"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/nifcloud/nas"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/nifcloud/nas"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/nifcloud/network"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/nifcloud/network"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/nifcloud/rdb"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/nifcloud/rdb"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/nifcloud/sslcertificate"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/nifcloud/sslcertificate"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/openstack/compute"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/openstack/compute"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/openstack/networking"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/openstack/networking"
-	_ "github.com/aquasecurity/trivy-policies/checks/cloud/oracle/compute"
+	_ "github.com/aquasecurity/trivy-checks/checks/cloud/oracle/compute"
-	_ "github.com/aquasecurity/trivy-policies/checks/kubernetes/network"
+	_ "github.com/aquasecurity/trivy-checks/checks/kubernetes/network"
 )
 func init() {
--- a/pkg/iac/scanners/terraform/module_test.go
+++ b/pkg/iac/scanners/terraform/module_test.go
@@ -18,7 +18,7 @@ import (
 	"github.com/aquasecurity/trivy/pkg/iac/terraform"
 	"github.com/stretchr/testify/require"
-	"github.com/aquasecurity/trivy-policies/checks/cloud/aws/iam"
+	"github.com/aquasecurity/trivy-checks/checks/cloud/aws/iam"
 )
 var badRule = scan.Rule{
--- a/pkg/misconf/scanner.go
+++ b/pkg/misconf/scanner.go
@@ -390,7 +390,7 @@ func CreatePolicyFS(policyPaths []string) (fs.FS, []string, error) {
 		}
 	}
-	// policy paths are no longer needed as fs.FS contains only needed files now.
+	// check paths are no longer needed as fs.FS contains only needed files now.
 	policyPaths = []string{"."}
 	return mfs, policyPaths, nil
--- a/pkg/policy/policy.go
+++ b/pkg/policy/policy.go
@@ -18,8 +18,8 @@ import (
 )
 const (
-	BundleVersion    = 0 // Latest released MAJOR version for trivy-policies
+	BundleVersion    = 0 // Latest released MAJOR version for trivy-checks
-	BundleRepository = "ghcr.io/aquasecurity/trivy-policies"
+	BundleRepository = "ghcr.io/aquasecurity/trivy-checks"
 	policyMediaType  = "application/vnd.cncf.openpolicyagent.layer.v1.tar+gzip"
 	updateInterval   = 24 * time.Hour
 )
@@ -46,29 +46,29 @@ func WithClock(c clock.Clock) Option {
 // Option is a functional option
 type Option func(*options)
-// Client implements policy operations
+// Client implements check operations
 type Client struct {
 	*options
 	policyDir       string
-	policyBundleRepo string
+	checkBundleRepo string
 	quiet           bool
 }
-// Metadata holds default policy metadata
+// Metadata holds default check metadata
 type Metadata struct {
 	Digest       string
 	DownloadedAt time.Time
 }
 func (m Metadata) String() string {
-	return fmt.Sprintf(`Policy Bundle:
+	return fmt.Sprintf(`Check Bundle:
  Digest: %s
  DownloadedAt: %s
 `, m.Digest, m.DownloadedAt.UTC())
 }
-// NewClient is the factory method for policy client
+// NewClient is the factory method for check client
-func NewClient(cacheDir string, quiet bool, policyBundleRepo string, opts ...Option) (*Client, error) {
+func NewClient(cacheDir string, quiet bool, checkBundleRepo string, opts ...Option) (*Client, error) {
 	o := &options{
 		clock: clock.RealClock{},
 	}
@@ -77,22 +77,22 @@ func NewClient(cacheDir string, quiet bool, policyBundleRepo string, opts ...Opt
 		opt(o)
 	}
-	if policyBundleRepo == "" {
+	if checkBundleRepo == "" {
-		policyBundleRepo = fmt.Sprintf("%s:%d", BundleRepository, BundleVersion)
+		checkBundleRepo = fmt.Sprintf("%s:%d", BundleRepository, BundleVersion)
 	}
 	return &Client{
 		options:         o,
 		policyDir:       filepath.Join(cacheDir, "policy"),
-		policyBundleRepo: policyBundleRepo,
+		checkBundleRepo: checkBundleRepo,
 		quiet:           quiet,
 	}, nil
 }
 func (c *Client) populateOCIArtifact(registryOpts types.RegistryOptions) error {
 	if c.artifact == nil {
-		log.Debug("Loading policy bundle", log.String("repository", c.policyBundleRepo))
+		log.Debug("Loading check bundle", log.String("repository", c.checkBundleRepo))
-		art, err := oci.NewArtifact(c.policyBundleRepo, c.quiet, registryOpts)
+		art, err := oci.NewArtifact(c.checkBundleRepo, c.quiet, registryOpts)
 		if err != nil {
 			return xerrors.Errorf("OCI artifact error: %w", err)
 		}
@@ -120,7 +120,7 @@ func (c *Client) DownloadBuiltinPolicies(ctx context.Context, registryOpts types
 	// Update metadata.json with the new digest and the current date
 	if err = c.updateMetadata(digest, c.clock.Now()); err != nil {
-		return xerrors.Errorf("unable to update the policy metadata: %w", err)
+		return xerrors.Errorf("unable to update the check metadata: %w", err)
 	}
 	return nil
@@ -140,7 +140,7 @@ func (c *Client) LoadBuiltinPolicies() ([]string, error) {
 	}
 	// If the "roots" field is not included in the manifest it defaults to [""]
-	// which means that ALL data and policy must come from the bundle.
+	// which means that ALL data and check must come from the bundle.
 	if manifest.Roots == nil || len(*manifest.Roots) == 0 {
 		return []string{c.contentDir()}, nil
 	}
@@ -153,7 +153,7 @@ func (c *Client) LoadBuiltinPolicies() ([]string, error) {
 	return policyPaths, nil
 }
-// NeedsUpdate returns if the default policy should be updated
+// NeedsUpdate returns if the default check should be updated
 func (c *Client) NeedsUpdate(ctx context.Context, registryOpts types.RegistryOptions) (bool, error) {
 	meta, err := c.GetMetadata()
 	if err != nil {
@@ -182,7 +182,7 @@ func (c *Client) NeedsUpdate(ctx context.Context, registryOpts types.RegistryOpt
 	// Otherwise, if there are no updates in the remote registry,
 	// the digest will be fetched every time even after this.
 	if err = c.updateMetadata(meta.Digest, time.Now()); err != nil {
-		return false, xerrors.Errorf("unable to update the policy metadata: %w", err)
+		return false, xerrors.Errorf("unable to update the check metadata: %w", err)
 	}
 	return false, nil
@@ -203,7 +203,7 @@ func (c *Client) manifestPath() string {
 func (c *Client) updateMetadata(digest string, now time.Time) error {
 	f, err := os.Create(c.metadataPath())
 	if err != nil {
-		return xerrors.Errorf("failed to open a policy manifest: %w", err)
+		return xerrors.Errorf("failed to open a check manifest: %w", err)
 	}
 	defer f.Close()
@@ -222,14 +222,14 @@ func (c *Client) updateMetadata(digest string, now time.Time) error {
 func (c *Client) GetMetadata() (*Metadata, error) {
 	f, err := os.Open(c.metadataPath())
 	if err != nil {
-		log.Debug("Failed to open the policy metadata", log.Err(err))
+		log.Debug("Failed to open the check metadata", log.Err(err))
 		return nil, err
 	}
 	defer f.Close()
 	var meta Metadata
 	if err = json.NewDecoder(f).Decode(&meta); err != nil {
-		log.Warn("Policy metadata decode error", log.Err(err))
+		log.Warn("Check metadata decode error", log.Err(err))
 		return nil, err
 	}
@@ -237,9 +237,9 @@ func (c *Client) GetMetadata() (*Metadata, error) {
 }
 func (c *Client) Clear() error {
-	log.Info("Removing policy bundle...")
+	log.Info("Removing check bundle...")
 	if err := os.RemoveAll(c.policyDir); err != nil {
-		return xerrors.Errorf("failed to remove policy bundle: %w", err)
+		return xerrors.Errorf("failed to remove check bundle: %w", err)
 	}
 	return nil
 }
--- a/pkg/policy/policy_test.go
+++ b/pkg/policy/policy_test.go
@@ -243,7 +243,7 @@ func TestClient_NeedsUpdate(t *testing.T) {
 				},
 			}, nil)
-			// Create a policy directory
+			// Create a check directory
 			err := os.MkdirAll(filepath.Join(tmpDir, "policy"), os.ModePerm)
 			require.NoError(t, err)
--- a/pkg/result/filter_test.go
+++ b/pkg/result/filter_test.go
@@ -570,7 +570,7 @@ func TestFilter(t *testing.T) {
 							Vulnerabilities: []types.DetectedVulnerability{
 								vuln1,
 								vuln2, // ignored by severity
-								vuln3, // ignored by policy
+								vuln3, // ignored by check
 							},
 						},
 					},
@@ -606,7 +606,7 @@ func TestFilter(t *testing.T) {
 							Misconfigurations: []types.DetectedMisconfiguration{
 								misconf1,
 								misconf2,
-								misconf3, // ignored by policy
+								misconf3, // ignored by check
 							},
 						},
 					},
--- a/pkg/rpc/server/listen_test.go
+++ b/pkg/rpc/server/listen_test.go
@@ -306,7 +306,7 @@ func Test_VersionEndpoint(t *testing.T) {
 			UpdatedAt:    time.Date(2023, 7, 20, 12, 11, 37, 696263932, time.UTC),
 			DownloadedAt: time.Date(2023, 7, 25, 7, 1, 41, 239158000, time.UTC),
 		},
-		PolicyBundle: &policy.Metadata{
+		CheckBundle: &policy.Metadata{
 			Digest:       "sha256:829832357626da2677955e3b427191212978ba20012b6eaa03229ca28569ae43",
 			DownloadedAt: time.Date(2023, 7, 23, 16, 40, 33, 122462000, time.UTC),
 		},
--- a/pkg/version/version.go
+++ b/pkg/version/version.go
@@ -22,7 +22,7 @@ type VersionInfo struct {
 	Version         string             `json:",omitempty"`
 	VulnerabilityDB *metadata.Metadata `json:",omitempty"`
 	JavaDB          *metadata.Metadata `json:",omitempty"`
-	PolicyBundle    *policy.Metadata   `json:",omitempty"`
+	CheckBundle     *policy.Metadata   `json:",omitempty"`
 }
 func formatDBMetadata(title string, meta metadata.Metadata) string {
@@ -42,8 +42,8 @@ func (v *VersionInfo) String() string {
 	if v.JavaDB != nil {
 		output += formatDBMetadata("Java DB", *v.JavaDB)
 	}
-	if v.PolicyBundle != nil {
+	if v.CheckBundle != nil {
-		output += v.PolicyBundle.String()
+		output += v.CheckBundle.String()
 	}
 	return output
 }
@@ -102,6 +102,6 @@ func NewVersionInfo(cacheDir string) VersionInfo {
 		Version:         ver,
 		VulnerabilityDB: dbMeta,
 		JavaDB:          javadbMeta,
-		PolicyBundle:    pbMeta,
+		CheckBundle:     pbMeta,
 	}
 }
--- a/pkg/version/version_test.go
+++ b/pkg/version/version_test.go
@@ -26,7 +26,7 @@ func Test_BuildVersionInfo(t *testing.T) {
 			UpdatedAt:    time.Date(2023, 7, 25, 1, 3, 52, 169192765, time.UTC),
 			DownloadedAt: time.Date(2023, 7, 25, 9, 37, 48, 906152000, time.UTC),
 		},
-		PolicyBundle: &policy.Metadata{
+		CheckBundle: &policy.Metadata{
 			Digest:       "sha256:829832357626da2677955e3b427191212978ba20012b6eaa03229ca28569ae43",
 			DownloadedAt: time.Date(2023, 7, 23, 16, 40, 33, 122462000, time.UTC),
 		},
@@ -46,7 +46,7 @@ Java DB:
  UpdatedAt: 2023-07-25 01:03:52.169192765 +0000 UTC
  NextUpdate: 2023-07-28 01:03:52.169192565 +0000 UTC
  DownloadedAt: 2023-07-25 09:37:48.906152 +0000 UTC
-Policy Bundle:
+Check Bundle:
  Digest: sha256:829832357626da2677955e3b427191212978ba20012b6eaa03229ca28569ae43
  DownloadedAt: 2023-07-23 16:40:33.122462 +0000 UTC
 `