Cfngoat is one of Bridgecrew's "Vulnerable by Design" Infrastructure as Code repositories: a learning and training project that demonstrates how common configuration errors find their way into production cloud environments.
It is an ideal companion for testing build-time Infrastructure as Code scanning tools such as Bridgecrew and Checkov.
Cfngoat was built to enable DevSecOps teams to design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like Bridgecrew or Checkov, inline linters, pre-commit hooks, or other code scanning methods.
Cfngoat follows the tradition of existing *Goat projects that provide a baseline training ground for practising secure development best practices for cloud infrastructure.
```bash
aws cloudformation create-stack --stack-name cfngoat --template-body file://cfngoat.yaml --region us-east-1 --parameters ParameterKey=Password,ParameterValue=MyPassword10 --capabilities CAPABILITY_NAMED_IAM
```
Expect provisioning to take at least 5 minutes.
Multiple stacks can be deployed simultaneously by changing the `--stack-name` and adding an `Environment` parameter:

```bash
aws cloudformation create-stack --stack-name cfngoat2 --template-body file://cfngoat.yaml --region us-east-1 --parameters ParameterKey=Password,ParameterValue=MyPassword10 ParameterKey=Environment,ParameterValue=dev2 --capabilities CAPABILITY_NAMED_IAM
```
- Where to get help: the Bridgecrew Community Slack
Before you proceed, please take note of this warning:
⚠️ Cfngoat creates intentionally vulnerable AWS resources into your account. DO NOT deploy Cfngoat in a production environment or alongside any sensitive AWS resources.
- aws cli
- CfnGoat - Vulnerable by design Cloudformation template
- TerraGoat - Vulnerable by design Terraform stack
- CDKGoat - Vulnerable by design CDK application
Contribution is welcomed!
We would love to hear about more ideas on how to find vulnerable infrastructure-as-code design patterns.
Bridgecrew builds and maintains Cfngoat to encourage the adoption of policy-as-code.
If you need direct support you can contact us at [email protected].
| # | check_id | file | resource | check_name | guideline |
|---|---|---|---|---|---|
| 0 | CKV2_AWS_11 | /jit_iac_misconfiguation_test_file.tf | aws_vpc.dev-vpc | Ensure VPC flow logging is enabled in all VPCs | https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging |
| 1 | CKV2_AWS_12 | /jit_iac_misconfiguation_test_file.tf | aws_vpc.dev-vpc | Ensure the default security group of every VPC restricts all traffic | https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-4 |

| # | check_id | file | resource | check_name | guideline |
|---|---|---|---|---|---|
| 0 | CKV_SECRET_2 | /cfngoat.yaml | fc3f784491eba6121c3bfcc1652a2c57d27b16cb | AWS Access Key | https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-2 |
| 1 | CKV_SECRET_6 | /cfngoat.yaml | c00f1a6e4b20aa64691d50781b810756d6254b8e | Base64 High Entropy String | https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-6 |
| 2 | CKV_SECRET_2 | /cfngoat.yaml | 25910f981e85ca04baf359199dd0bd4a3ae738b6 | AWS Access Key | https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-2 |
| 3 | CKV_SECRET_6 | /cfngoat.yaml | d70eab08607a4d05faa2d0d6647206599e9abc65 | Base64 High Entropy String | https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-6 |

| # | check_id | file | resource | check_name | guideline |
|---|---|---|---|---|---|
| 0 | CKV2_GHA_1 | /.github/workflows/checkov.yaml | on(build) | Ensure top-level permissions are not set to write-all | |
| 1 | CKV2_GHA_1 | /.github/workflows/main.yaml | on(checkov-scan) | Ensure top-level permissions are not set to write-all | |
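The tables above are Checkov findings for this repository. As an added example, not part of the Cfngoat project, here is a small Python script that consumes a Checkov JSON report (`checkov -f cfngoat.yaml -o json`), renders it as the same indexed table, and turns it into a pass/fail gate for a pipeline. The report shape it assumes (a `results` object whose `failed_checks` entries carry `check_id`, `check_name`, `file_path`, `resource` and `guideline`) is the one current Checkov emits to the best of my knowledge; the embedded report is constructed by hand from findings listed above plus one constructed passed check, and the "block on secrets, warn on the rest" policy is an example choice rather than a Checkov or Bridgecrew default.

```python
"""Turn a Checkov JSON report into a markdown findings table and a build gate.

Added example; it is not part of the Cfngoat project. It assumes the report
shape produced by `checkov -f cfngoat.yaml -o json`: a "results" object whose
"failed_checks" entries carry check_id, check_name, file_path, resource and
guideline. SAMPLE_REPORT is constructed by hand from findings shown on this
page plus one constructed passed check.
"""
import json
import sys
from collections import Counter

# Constructed sample report, trimmed to the fields this script reads.
SAMPLE_REPORT = json.dumps({
    "check_type": "cloudformation",
    "results": {
        "passed_checks": [
            {"check_id": "CKV_AWS_18",
             "check_name": "Ensure the S3 bucket has access logging enabled",
             "file_path": "/cfngoat.yaml",
             "resource": "AWS::S3::Bucket.ExampleBucket",   # constructed resource name
             "guideline": None},
        ],
        "failed_checks": [
            {"check_id": "CKV_SECRET_2", "check_name": "AWS Access Key",
             "file_path": "/cfngoat.yaml",
             "resource": "fc3f784491eba6121c3bfcc1652a2c57d27b16cb",
             "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-2"},
            {"check_id": "CKV_SECRET_6", "check_name": "Base64 High Entropy String",
             "file_path": "/cfngoat.yaml",
             "resource": "c00f1a6e4b20aa64691d50781b810756d6254b8e",
             "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-6"},
            {"check_id": "CKV2_GHA_1",
             "check_name": "Ensure top-level permissions are not set to write-all",
             "file_path": "/.github/workflows/checkov.yaml", "resource": "on(build)",
             "guideline": None},
        ],
    },
    "summary": {"passed": 1, "failed": 3, "skipped": 0, "parsing_errors": 0},
})

# Check-ID prefixes whose findings fail the build; everything else is reported only.
# Example policy for this script, not a Checkov or Bridgecrew default.
BLOCKING_PREFIXES = ("CKV_SECRET_",)


def load_failed_checks(report_json):
    """Return every failed check from a Checkov JSON report.

    Checkov emits one object when a single framework runs and a list of
    objects when several frameworks run; both shapes are accepted.
    """
    data = json.loads(report_json)
    reports = data if isinstance(data, list) else [data]
    failed = []
    for report in reports:
        failed.extend(report.get("results", {}).get("failed_checks", []))
    return failed


def summarize(failed):
    """Count failed checks per check_id."""
    return dict(Counter(f["check_id"] for f in failed))


def to_markdown(failed):
    """Render findings as the indexed markdown table used on this page."""
    header = "| # | check_id | file | resource | check_name | guideline |"
    sep = "|---|---|---|---|---|---|"
    rows = [
        f"| {i} | {f['check_id']} | {f['file_path']} | {f['resource']} | "
        f"{f['check_name']} | {f.get('guideline') or ''} |"
        for i, f in enumerate(failed)
    ]
    return "\n".join([header, sep, *rows])


def gate(failed, block_prefixes=BLOCKING_PREFIXES):
    """Return a process exit code: 1 if any finding has a blocking prefix, else 0."""
    blocking = [f for f in failed if f["check_id"].startswith(block_prefixes)]
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python gate.py report.json   (falls back to the constructed sample)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    findings = load_failed_checks(raw)
    print(to_markdown(findings))
    print("\nper check:", summarize(findings))
    sys.exit(gate(findings))
```

In a CI job the script runs after `checkov -f cfngoat.yaml -o json > report.json`; the non-zero exit from `gate` is what fails the step, so the table is always printed for review while only the blocking families stop the deploy.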