Getting started with vulnerable by design Terraform project

Brenton Swanepoel
2 min readJun 12, 2022


With the transformation to the cloud, we have seen a lot of great advancements over the past few years, but we have a lot of security issues that come with this milestone. I wanted to understand how to scan cloud misconfigurations before they are actually deployed to production environments.

We will be scanning purposely vulnerable IaC templates with open source tools today. Infrastructure-as-Service (IaC) automates IT infrastructure provisioning. Now developers don’t manually manage and run servers and other elements while they develop, deploy, or test software.

There is a project called Terragoat, created by Bridgecrew that will help us get started with this concept. You can find it over here:

Let’s get started by cloning the project:

git clone terragoat

Then we will look at using an opensource tool checkov which enables us to scan cloud infrastructure configurations and find these misconfigurations we are looking for before the code is deployed.

Checkov uses a common command-line interface to manage and analyze infrastructure as code (IaC) scan results across platforms such as Terraform, CloudFormation, Kubernetes, Helm, ARM Templates, and Serverless framework.

To install checkov let’s use pip, there are multiple options to do this though:

pip install checkov

Then to scan TerraGoat simply run the following:

checkov -d terraform

The best way to understand these types of misconfigrations is to actually practice this yourself and have a look at what types of risks are presented. Here is an example of what you would see once you have scanned the TerraGoat project:

Thats it for this blog, in the next one we will be looking at some additional tools for best practice scanning and various ways to scan resources in AWS. In the mean time you can look in the next tool:

TFLint, according to the github page it is a framework and each feature is provided by plugins, the key features are as follows:

  • Find possible errors (like illegal instance types) for Major Cloud providers (AWS/Azure/GCP).
  • Warn about deprecated syntax, unused declarations.
  • Enforce best practices, naming conventions.

Install it using the following command:

curl -s | bash



Brenton Swanepoel

Excited about OSINT, threat hunting and the general breaking of things