TerraGoat

TerraGoat is a Terraform repository designed to demonstrate common configuration errors in cloud environments.

Tags: Multi-Cloud, Open Source, Self Hosted Only
Category: DevSecOps & Pipeline Security
Community Stars: 1169
Last Commit: 1 year ago
Last page update: 19 days ago
Pricing Details: Free and open source
Target Audience: DevSecOps professionals, security engineers, and cloud architects.

TerraGoat, developed by Bridgecrew, is a "vulnerable by design" Terraform repository for learning to identify and remediate common cloud configuration errors. It exists as a training target rather than a tool: it demonstrates how easily misconfigurations slip into infrastructure-as-code and, from there, into production cloud environments.

Technically, TerraGoat is a Terraform repository that intentionally embeds a range of security misconfigurations. It gives users a known-bad baseline against which to exercise build-time scanners such as Checkov and to confirm that their policies actually fire. The repository contains multiple Terraform configurations simulating different cloud infrastructure setups, each seeded with weaknesses such as security groups open to the internet, unencrypted storage, and overly permissive IAM policies.
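To make the kinds of misconfiguration concrete, the following is an added example written for this page in the style of TerraGoat; it is not code from the TerraGoat repository. Each resource marked vulnerable carries one of the weaknesses named above (public, unencrypted storage; a security group open to the world; a wildcard IAM policy), and the resource beside it shows the corrected form. Bucket names, the administrative CIDR and the policy names are placeholders.

```hcl
# Constructed example in the TerraGoat style (not TerraGoat's own code): each
# "vulnerable" resource embeds a misconfiguration that build-time scanners such
# as Checkov flag; the "hardened" resource beside it closes that gap.

# --- Unencrypted, publicly readable storage (vulnerable) ---------------------
resource "aws_s3_bucket" "vulnerable" {
  bucket = "example-vulnerable-data" # placeholder name
}

# Anonymous read via ACL; no public-access block and no default encryption.
resource "aws_s3_bucket_acl" "vulnerable" {
  bucket = aws_s3_bucket.vulnerable.id
  acl    = "public-read"
}

# --- Same bucket, hardened ----------------------------------------------------
resource "aws_s3_bucket" "hardened" {
  bucket = "example-hardened-data" # placeholder name
}

resource "aws_s3_bucket_public_access_block" "hardened" {
  bucket                  = aws_s3_bucket.hardened.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "hardened" {
  bucket = aws_s3_bucket.hardened.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

# --- Security group exposing SSH to the internet (vulnerable) ----------------
resource "aws_security_group" "vulnerable" {
  name        = "example-open-ssh"
  description = "SSH from anywhere"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# --- Same rule, restricted to an administrative range (hardened) -------------
resource "aws_security_group" "hardened" {
  name        = "example-admin-ssh"
  description = "SSH from the administrative VPN range only"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"] # placeholder (TEST-NET-3) range
  }
}

# --- Wildcard IAM policy (vulnerable) ----------------------------------------
resource "aws_iam_policy" "vulnerable" {
  name = "example-allow-everything"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "*"
      Resource = "*"
    }]
  })
}

# --- Least-privilege equivalent scoped to one bucket (hardened) --------------
resource "aws_iam_policy" "hardened" {
  name = "example-read-one-bucket"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject", "s3:ListBucket"]
      Resource = [
        aws_s3_bucket.hardened.arn,
        "${aws_s3_bucket.hardened.arn}/*",
      ]
    }]
  })
}
```

Pointing Checkov at the directory holding this file (`checkov -d . --framework terraform`) produces findings against the three vulnerable resources without any `terraform init` or cloud credentials, which is the same workflow TerraGoat is used for. The hardened resources close the specific gaps described in the text; other Checkov policies (access logging, versioning, and so on) may still report on them, which is a useful reminder that "passes the scanner" and "fixed the one issue you were looking at" are different claims.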

Operationally, TerraGoat is meant to be deployed, if at all, in an isolated, non-production account. Users can leverage it to test the efficacy of their build-time scanning tools and policy-as-code frameworks, and scanning the repository does not require applying it. However, it is crucial to note that TerraGoat should never be deployed in a production environment or alongside sensitive resources, since applying it creates the intentionally vulnerable resources it describes.

From a technical details perspective, TerraGoat supports multiple cloud providers, including AWS, Azure, and GCP, and is written in HCL (HashiCorp Configuration Language). Its last commit is about a year old at the time of this listing, so teams that want scenarios beyond those already included typically add their own. Users can integrate TerraGoat with CI/CD pipelines to exercise the scanning stage that checks their infrastructure-as-code configurations, confirming that the pipeline catches known misconfigurations before they reach a deployment.
