terragoat
TerraGoat is an intentionally vulnerable Terraform repository maintained by Bridgecrew, designed for security training and testing policy-as-code frameworks. It demonstrates common misconfigurations across AWS, Azure, and GCP cloud environments.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | bridgecrewio/terragoat |
| Owner | bridgecrewio |
| Primary language | HCL |
| License | Apache-2.0 — OSI-approved |
| Stars | 1.3k |
| Forks | 5.8k |
| Open issues | 58 |
| Latest release | v0.6.0 (2020-07-08) |
| Last updated | 2025-07-13 |
| Source | https://github.com/bridgecrewio/terragoat |
What terragoat is
TerraGoat provides HCL-based Terraform templates (v0.12+) containing deliberately vulnerable infrastructure configurations aligned with CIS benchmarks and PCI-DSS standards. It serves as a test baseline for scanning tools like Checkov and policy-as-code solutions.
Get the terragoat source
Clone the repository and explore it locally.
git clone https://github.com/bridgecrewio/terragoat.gitcd terragoat# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Terraform ≥0.12.0, AWS CLI, Azure CLI, and GCP Service Account credentials; backend state management (S3, Azure Storage, or GCS) must be configured separately.
- Deploy in isolated AWS/Azure/GCP accounts only; explicitly document temporary nature and set up automated cleanup (terraform destroy scripts provided).
- Leverage the environment variable `TF_VAR_environment` to deploy multiple TerraGoat stacks in parallel for scaled testing; requires careful state file management.
- Integrate with Checkov or Bridgecrew Bridgecrew platform for continuous scanning; hook into pre-commit workflows to validate detection consistency.
- Map detected findings against provided CIS AWS v1.2, CIS Azure v1.1, CIS GCP v1.1, and PCI-DSS v3.2 badge criteria to measure scanner effectiveness.
When to avoid it — and what to weigh
- Production or Sensitive Environments — Explicitly documented warning against deployment in production or alongside sensitive resources. Use only in isolated dev/test accounts.
- Learning Without Remediation Focus — If your team needs to learn how to *fix* vulnerabilities, this repo shows problems but does not provide corrected configurations or remediation paths.
- Reliance on Current Threat Models — Latest release is v0.6.0 from July 2020; vulnerability coverage may not reflect current AWS/Azure/GCP threat landscape or latest service-specific risks.
- Minimal Customization Requirements — If your use case requires heavily customized or organization-specific misconfiguration patterns, this generic multi-cloud template may require substantial extension.
License & commercial use
Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license permitting commercial use, modification, and distribution with attribution and liability disclaimers.
Apache-2.0 permits commercial use. However, TerraGoat is explicitly designed as a training/test repository and **must not be deployed in production environments**. Use in commercial DevSecOps training programs is permitted; deployment of its vulnerable configurations in production is not.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
TerraGoat intentionally creates vulnerable resources; it is a security training tool, not a secure infrastructure baseline. Key considerations: (1) Deployment isolated to dev/test accounts prevents accidental exposure to production; (2) Terraform state contains cloud metadata and must be stored securely (versioning, encryption, access control); (3) Vulnerability patterns cover common misconfigurations (unencrypted storage, overpermissive IAM, insecure network access) but are not a comprehensive threat model; (4) Scanner validation against TerraGoat should not be the sole test of a security scanning tool's effectiveness—custom, organization-specific misconfigurations should also be tested.
Alternatives to consider
Checkov (Open Source)
Complementary tool—Checkov is the scanner that validates policies against TerraGoat; use Checkov directly for policy-as-code without needing a vulnerable test repo, or pair with TerraGoat for end-to-end testing.
CloudGoat (Ermetic/CloudSplit)
Similar intentional-vulnerability training project, but focuses on AWS-specific scenarios; TerraGoat covers AWS, Azure, and GCP, so choose based on cloud platform scope.
Kyverno + Policy Libraries (Kubernetes-centric)
If your use case is Kubernetes/container security rather than cloud infrastructure, Kyverno provides policy-as-code testing; TerraGoat is for Terraform/IaC cloud resources.
Build on terragoat with DEV.co software developers
Deploy TerraGoat in an isolated test account to validate Checkov, policy-as-code frameworks, or custom scanning tools against real-world misconfiguration patterns.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
terragoat FAQ
Can I use TerraGoat in production?
What misconfigurations does TerraGoat cover?
Do I need Bridgecrew or Checkov to use TerraGoat?
Is the project still maintained?
Custom software development services
Need help beyond evaluating terragoat? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.
Ready to test your IaC security controls?
Deploy TerraGoat in an isolated test account to validate Checkov, policy-as-code frameworks, or custom scanning tools against real-world misconfiguration patterns.