I scanned TerraGoat with three different IaC scanners — each found completely different things
This report analyzes the results of scanning the TerraGoat deliberately vulnerable Terraform repository with three different Infrastructure as Code (IaC) security scanners: Checkov, Trivy, and pq-audit. Each scanner identified distinct sets of findings due to differing threat models and coverage areas. Checkov found 56 documented vulnerabilities intended by the TerraGoat benchmark. Trivy identified 243 findings, including 187 not documented by Checkov, covering broader cloud security misconfigurations and container hardening. pq-audit, focusing on post-quantum cryptography risks, found 4 unique vulnerabilities related to cryptographic configurations. All findings were validated as true positives. The research highlights that relying on a single scanner misses significant security issues, especially in cryptographic posture and emerging threat timelines.
AI Analysis
Technical Summary
The research involved scanning the TerraGoat Terraform repository, which is intentionally vulnerable, using three distinct IaC security scanners: Checkov (by Bridgecrew), Trivy (by Aqua Security), and pq-audit (a post-quantum cryptography scanner). Checkov detected 56 known vulnerabilities designed into TerraGoat. Trivy found 243 issues, 77% of which were not documented by Checkov, reflecting a broader security scope including AWS CIS benchmarks, Kubernetes pod security, container hardening, and cloud network exposure. pq-audit identified 4 cryptographic vulnerabilities with no overlap with the other scanners, highlighting risks from both current classical attacks and future quantum computing threats. The findings were confirmed as true positives with zero false positives. The study demonstrates that different scanners encode different threat timelines and security models, and using multiple tools provides a more comprehensive security assessment for Terraform IaC pipelines.
Potential Impact
The impact is that relying solely on one IaC scanner, such as Checkov, can result in missing a substantial portion (up to 77%) of security findings relevant to cloud infrastructure misconfigurations and cryptographic risks. This gap could leave infrastructure exposed to classical attacks (e.g., weak TLS versions, overly permissive ACLs) and future quantum threats (e.g., RSA keys vulnerable to quantum decryption). The validated findings indicate real security weaknesses in the Terraform configurations that could be exploited if not addressed. The research underscores the importance of multi-tool scanning to cover diverse threat models and timelines.
Mitigation Recommendations
This is a research and benchmarking study rather than a vulnerability with a direct patch. There is no single patch or fix applicable. Instead, the mitigation recommendation is to incorporate multiple IaC security scanners with complementary threat models into Terraform security pipelines to achieve comprehensive coverage. Specifically, use Checkov for known benchmark vulnerabilities, Trivy for broader cloud and container misconfigurations, and pq-audit for cryptographic posture assessment including quantum resilience. This layered scanning approach reduces the risk of missing critical security issues. No vendor advisory or official patch applies to this research.
Reddit Discussion
TerraGoat is Bridgecrew/Palo Alto's deliberately vulnerable Terraform repository. I used it as a benchmark to compare how different IaC scanners model security risk.
Setup: Three scanners, same codebase (AWS + Azure + GCP + AliCloud Terraform configs).
Results
Checkov (made by Bridgecrew, same company that made TerraGoat): 56 findings
These are the official documented vulnerabilities. The benchmark the repo was designed around.
Trivy (trivy fs --scanners misconfig): 243 findings
187 of these are NOT in Checkov's documentation. Same code, different scanner, 77% gap.
Both are correct — Trivy covers AWS CIS benchmarks, K8s pod security, container hardening, and cloud network exposure beyond what's intentionally documented in TerraGoat.
pq-audit (post-quantum crypto scanner): 4 findings
Zero overlap with Trivy or Checkov. Different threat model entirely.
- [BROKEN_NOW] azure/app_service.tf:29 — Min TLS 1.0/1.1 configured
- [BROKEN_NOW] alicloud/bucket.tf:7 — ACL public-read-write
- [SNDL_VULNERABLE] azure/key_vault.tf:36 — key_type = "RSA"
- [SNDL_VULNERABLE] aws/db-app.tf:150 — SG egress 0.0.0.0/0

- BROKEN_NOW: exploitable today with classical attacks. No quantum computer required.
- SNDL_VULNERABLE: Store-Now-Decrypt-Later. The data or keys protected by these configurations can be harvested today and decrypted when Cryptographically Relevant Quantum Computers arrive (~2030s per NIST projections).
All 4 validated with a RAG-powered triage pipeline: 4/4 TRUE_POSITIVE, 0% false positive rate.
The takeaway
None of these scanners is wrong. They encode different threat timelines:
- Checkov: "what's intentionally vulnerable in this benchmark?"
- Trivy: "what's misconfigured by current K8s/cloud hardening standards?"
- pq-audit: "what cryptography will break — either today or when quantum computers arrive?"
If you're building a Terraform security pipeline, running only Checkov misses 77% of what Trivy catches. Running both misses the crypto posture gaps that pq-audit surfaces.
Links
- Full research + findings breakdown: https://github.com/MK-ScorpioSec/research
- pq-audit (Apache 2.0): https://github.com/MK-ScorpioSec/pq-audit
Update note: A v3 re-scan with new cloud patterns added two more findings (Azure Key Vault RSA and AliCloud bucket ACL) that weren't in the original v2 scan. The triage pipeline confirmed all 4 as TRUE_POSITIVE.
Happy to answer questions about methodology or findings.
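An added illustration, written for this page and not pq-audit's own code (the post does not show how the tool works), of the line-oriented rule matching and the BROKEN_NOW / SNDL_VULNERABLE labelling that the four findings above imply. The Terraform fragments, the rule patterns and the two clean control files are constructed assumptions; the file names and category labels are taken from the post as given.

```python
import re
from dataclasses import dataclass

# Constructed Terraform fragments modelled on the post's four findings, plus two clean controls.
SAMPLES = {
    "azure/app_service.tf": 'resource "azurerm_app_service" "app" {\n  site_config {\n    min_tls_version = "1.0"\n  }\n}',
    "alicloud/bucket.tf": 'resource "alicloud_oss_bucket" "b" {\n  acl = "public-read-write"\n}',
    "azure/key_vault.tf": 'resource "azurerm_key_vault_key" "k" {\n  key_type = "RSA"\n}',
    "aws/db-app.tf": 'resource "aws_security_group" "db" {\n  egress {\n    cidr_blocks = ["0.0.0.0/0"]\n  }\n}',
    "azure/app_service_ok.tf": 'resource "azurerm_app_service" "ok" {\n  site_config {\n    min_tls_version = "1.2"\n  }\n}',
    "aws/web.tf": 'resource "aws_security_group" "web" {\n  ingress {\n    cidr_blocks = ["0.0.0.0/0"]\n  }\n}',
}

@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    category: str  # "BROKEN_NOW" (classical attack today) or "SNDL_VULNERABLE" (store-now-decrypt-later)
    detail: str

# Hypothetical rules: (pattern, category, detail, required enclosing block or None).
# The category of each rule simply follows the label the post gives that finding.
RULES = [
    (re.compile(r'min_tls_version\s*=\s*"1\.[01]"'), "BROKEN_NOW", "Min TLS 1.0/1.1 configured", None),
    (re.compile(r'acl\s*=\s*"public-read-write"'), "BROKEN_NOW", "ACL public-read-write", None),
    (re.compile(r'key_type\s*=\s*"RSA"'), "SNDL_VULNERABLE", 'key_type = "RSA"', None),
    (re.compile(r'cidr_blocks\s*=\s*\[\s*"0\.0\.0\.0/0"\s*\]'), "SNDL_VULNERABLE", "SG egress 0.0.0.0/0", "egress"),
]

def scan(path: str, hcl: str) -> list[Finding]:
    """Scan one file line by line; the block stack keeps the egress rule out of ingress blocks."""
    findings, stack = [], []
    for lineno, line in enumerate(hcl.splitlines(), start=1):
        for pattern, category, detail, block in RULES:
            if (block is None or block in stack) and pattern.search(line):
                findings.append(Finding(path, lineno, category, detail))
        opened = re.match(r"\s*(\w+)\b.*\{\s*$", line)   # a line ending in "{" opens a named block
        if opened:
            stack.append(opened.group(1))
        elif line.strip() == "}" and stack:
            stack.pop()
    return findings

def scan_all(samples: dict[str, str]) -> list[Finding]:
    return [f for path, hcl in samples.items() for f in scan(path, hcl)]

if __name__ == "__main__":
    for f in scan_all(SAMPLES):
        print(f"[{f.category}] {f.file}:{f.line} - {f.detail}")
```

The ingress control file shows why block context matters: the same 0.0.0.0/0 CIDR is left for a broader scanner such as Trivy, which is exactly the kind of non-overlap the post reports between tools.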
Technical Details
- Source Type
  - Subreddit: cybersecurity
  - Reddit Score: 0
  - Discussion Level: minimal
  - Content Source: reddit_link_post
  - Post Type: link
  - Domain: null
  - Has External Source: true
  - Trusted Domain: false
Threat ID: 6a221955e29bf47b50e96633
Added to database: 6/5/2026, 12:33:25 AM
Last enriched: 6/5/2026, 12:33:31 AM
Last updated: 6/5/2026, 5:02:28 AM