finds.dev← search

// the find

bridgecrewio/terragoat

★ 1,299 · HCL · Apache-2.0 · updated Jul 2025

TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

TerraGoat is a deliberately broken Terraform codebase covering AWS, Azure, GCP, Alibaba Cloud, and Oracle — every resource misconfigured on purpose. It exists so you can point Checkov or any other IaC scanner at it and verify the tool actually catches what it claims to catch. If you're evaluating or writing policy-as-code rules, this is the target range.

The vulnerability coverage is genuinely wide: public RDS instances, open security groups on port 22, unencrypted EBS volumes, EKS with a public endpoint, Lambda with hardcoded secrets, IAM wildcards — the full CIS benchmark hit list across four clouds. The auto-generated findings table in the README maps each check ID to the exact file and resource, so you can jump straight to the broken code without hunting. Multi-cloud coverage (AWS, Azure, GCP, Alibaba, Oracle) in a single repo is rare and saves time when you're testing a scanner that claims cross-cloud support. It's actively maintained — last push July 2025 — so provider versions stay close enough to current that the configs actually plan.

It's vendor marketing first, training tool second — every badge and link pushes you toward Bridgecrew/Prisma Cloud, and the support channel is their Slack, not a neutral community. The Terraform version requirement in the README still says 0.12, which is five major versions behind; the actual configs may work with newer versions but nobody updated the docs. There are no explanations of *why* each misconfiguration is dangerous — you get a check ID and a resource name, not the blast radius or the real-world attack path, which limits its value for actual developer education versus just scanner validation. The non-Terraform files (Node packages, a `customer-master.xlsx`, Python requirements) feel like afterthoughts with minimal documentation on what they're for or how they integrate with the IaC scanning workflow.

View on GitHub → Homepage ↗

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →