// the find
bridgecrewio/terragoat
TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
TerraGoat is a deliberately broken Terraform codebase covering AWS, Azure, GCP, Alibaba Cloud, and Oracle — every resource misconfigured on purpose. It exists so you can point Checkov or any other IaC scanner at it and verify the tool actually catches what it claims to catch. If you're evaluating or writing policy-as-code rules, this is the target range.
The vulnerability coverage is genuinely wide: public RDS instances, open security groups on port 22, unencrypted EBS volumes, EKS with a public endpoint, Lambda with hardcoded secrets, IAM wildcards — the full CIS benchmark hit list across four clouds. The auto-generated findings table in the README maps each check ID to the exact file and resource, so you can jump straight to the broken code without hunting. Multi-cloud coverage (AWS, Azure, GCP, Alibaba, Oracle) in a single repo is rare and saves time when you're testing a scanner that claims cross-cloud support. It's actively maintained — last push July 2025 — so provider versions stay close enough to current that the configs actually plan.
It's vendor marketing first, training tool second — every badge and link pushes you toward Bridgecrew/Prisma Cloud, and the support channel is their Slack, not a neutral community. The Terraform version requirement in the README still says 0.12, which is five major versions behind; the actual configs may work with newer versions but nobody updated the docs. There are no explanations of *why* each misconfiguration is dangerous — you get a check ID and a resource name, not the blast radius or the real-world attack path, which limits its value for actual developer education versus just scanner validation. The non-Terraform files (Node packages, a `customer-master.xlsx`, Python requirements) feel like afterthoughts with minimal documentation on what they're for or how they integrate with the IaC scanning workflow.