DEV.co
Open-Source Security · bridgecrewio

terragoat

TerraGoat is an intentionally vulnerable Terraform repository maintained by Bridgecrew, designed for security training and testing policy-as-code frameworks. It demonstrates common misconfigurations across AWS, Azure, and GCP cloud environments.

Source: GitHub — github.com/bridgecrewio/terragoat
1.3k
GitHub stars
5.8k
Forks
HCL
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorybridgecrewio/terragoat
Ownerbridgecrewio
Primary languageHCL
LicenseApache-2.0 — OSI-approved
Stars1.3k
Forks5.8k
Open issues58
Latest releasev0.6.0 (2020-07-08)
Last updated2025-07-13
Sourcehttps://github.com/bridgecrewio/terragoat

What terragoat is

TerraGoat provides HCL-based Terraform templates (v0.12+) containing deliberately vulnerable infrastructure configurations aligned with CIS benchmarks and PCI-DSS standards. It serves as a test baseline for scanning tools like Checkov and policy-as-code solutions.

Quickstart

Get the terragoat source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/bridgecrewio/terragoat.gitcd terragoat# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

DevSecOps Training & Education

Hands-on learning environment for engineers to understand common cloud misconfigurations and practice secure infrastructure-as-code patterns.

Policy-as-Code Framework Validation

Test and validate Checkov, Bridgecrew, or custom scanning policies against known misconfiguration patterns across AWS, Azure, and GCP.

Security Testing in Isolated Environments

Deploy intentionally vulnerable stacks in non-production accounts to verify detection capabilities of existing security controls and linters.

Implementation considerations

  • Requires Terraform ≥0.12.0, AWS CLI, Azure CLI, and GCP Service Account credentials; backend state management (S3, Azure Storage, or GCS) must be configured separately.
  • Deploy in isolated AWS/Azure/GCP accounts only; explicitly document temporary nature and set up automated cleanup (terraform destroy scripts provided).
  • Leverage the environment variable `TF_VAR_environment` to deploy multiple TerraGoat stacks in parallel for scaled testing; requires careful state file management.
  • Integrate with Checkov or Bridgecrew Bridgecrew platform for continuous scanning; hook into pre-commit workflows to validate detection consistency.
  • Map detected findings against provided CIS AWS v1.2, CIS Azure v1.1, CIS GCP v1.1, and PCI-DSS v3.2 badge criteria to measure scanner effectiveness.

When to avoid it — and what to weigh

  • Production or Sensitive Environments — Explicitly documented warning against deployment in production or alongside sensitive resources. Use only in isolated dev/test accounts.
  • Learning Without Remediation Focus — If your team needs to learn how to *fix* vulnerabilities, this repo shows problems but does not provide corrected configurations or remediation paths.
  • Reliance on Current Threat Models — Latest release is v0.6.0 from July 2020; vulnerability coverage may not reflect current AWS/Azure/GCP threat landscape or latest service-specific risks.
  • Minimal Customization Requirements — If your use case requires heavily customized or organization-specific misconfiguration patterns, this generic multi-cloud template may require substantial extension.

License & commercial use

Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license permitting commercial use, modification, and distribution with attribution and liability disclaimers.

Apache-2.0 permits commercial use. However, TerraGoat is explicitly designed as a training/test repository and **must not be deployed in production environments**. Use in commercial DevSecOps training programs is permitted; deployment of its vulnerable configurations in production is not.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

TerraGoat intentionally creates vulnerable resources; it is a security training tool, not a secure infrastructure baseline. Key considerations: (1) Deployment isolated to dev/test accounts prevents accidental exposure to production; (2) Terraform state contains cloud metadata and must be stored securely (versioning, encryption, access control); (3) Vulnerability patterns cover common misconfigurations (unencrypted storage, overpermissive IAM, insecure network access) but are not a comprehensive threat model; (4) Scanner validation against TerraGoat should not be the sole test of a security scanning tool's effectiveness—custom, organization-specific misconfigurations should also be tested.

Alternatives to consider

Checkov (Open Source)

Complementary tool—Checkov is the scanner that validates policies against TerraGoat; use Checkov directly for policy-as-code without needing a vulnerable test repo, or pair with TerraGoat for end-to-end testing.

CloudGoat (Ermetic/CloudSplit)

Similar intentional-vulnerability training project, but focuses on AWS-specific scenarios; TerraGoat covers AWS, Azure, and GCP, so choose based on cloud platform scope.

Kyverno + Policy Libraries (Kubernetes-centric)

If your use case is Kubernetes/container security rather than cloud infrastructure, Kyverno provides policy-as-code testing; TerraGoat is for Terraform/IaC cloud resources.

Software development agency

Build on terragoat with DEV.co software developers

Deploy TerraGoat in an isolated test account to validate Checkov, policy-as-code frameworks, or custom scanning tools against real-world misconfiguration patterns.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

terragoat FAQ

Can I use TerraGoat in production?
No. Documentation explicitly warns against deploying TerraGoat in production or alongside sensitive resources. Use only in isolated test/dev accounts and destroy after testing.
What misconfigurations does TerraGoat cover?
Documented against CIS AWS v1.2, CIS Azure v1.1, CIS GCP v1.1, and PCI-DSS v3.2. Specific misconfigurations are not detailed in the README; you must examine the Terraform files or cross-reference the compliance badges.
Do I need Bridgecrew or Checkov to use TerraGoat?
TerraGoat is designed to test policy-as-code scanners like Checkov or Bridgecrew platform, but you can deploy it and inspect the vulnerable resources manually. Checkov integration provides automated misconfiguration detection.
Is the project still maintained?
Yes, the repository is active (last push July 2025) and maintained by Bridgecrew. However, the latest release is from July 2020; check the latest commit history for bug fixes or misconfiguration updates not reflected in a formal release.

Custom software development services

Need help beyond evaluating terragoat? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Ready to test your IaC security controls?

Deploy TerraGoat in an isolated test account to validate Checkov, policy-as-code frameworks, or custom scanning tools against real-world misconfiguration patterns.