173 Undocumented Security Findings in TerraGoat: What Standard IaC Scanners Miss (and Why Post-Quantum Matters)

TerraGoat is the canonical vulnerable Terraform repository maintained by Bridgecrew (now Prisma Cloud). It has over 5,000 GitHub stars and is used by security teams worldwide as the benchmark for validating IaC scanners. The premise is straightforward: run your tool against TerraGoat, check how many of the known vulnerabilities it catches. The problem is that the “known vulnerabilities” reference list is incomplete by design — or by oversight. This research quantifies that gap for the first time.

Methodology

Three tools were run against TerraGoat in isolation, with no tuning or custom rules:

  • Checkov — the official Bridgecrew scanner, the tool TerraGoat was originally built to test
  • Trivy (Aqua Security) — the industry-standard open source vulnerability scanner with IaC support
  • pq-audit — an open source post-quantum cryptography audit framework built to detect cryptographic exposure that standard scanners do not model

Each tool produced its raw JSON output. Results were deduplicated per finding identifier and cross-referenced against Bridgecrew’s official TerraGoat documentation to determine which findings had been acknowledged by the maintainers and which had not. Raw data, gap matrix, and per-tool JSON outputs are available in the research repository.
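A worked version of that deduplicate-and-cross-reference step, added here as an illustration; it is not code from the research repository, from TerraGoat, or from either scanner. The JSON layouts it reads (Checkov's `results.failed_checks[].check_id`, Trivy's `Results[].Misconfigurations[].ID` and `.Severity`) are the shapes those tools emit as far as I know and are an assumption here; the sample outputs and the set of "documented" identifiers are constructed.

```python
"""Gap-matrix builder: deduplicate scanner findings per identifier and
cross-reference them against a maintainer-documented list.

Added example; not code from TerraGoat, the research repository, Checkov or
Trivy. Assumed layouts: Checkov `--output json` -> results.failed_checks[]
.check_id; Trivy `--format json` -> Results[].Misconfigurations[].ID/.Severity.
All sample documents below are constructed.
"""
import json
from collections import Counter

# Constructed Checkov output: one entry per (check, resource), so the same
# check id appears twice when two buckets fail it.
CHECKOV_JSON = json.dumps({"results": {"failed_checks": [
    {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.data", "severity": None},
    {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.logs", "severity": None},
    {"check_id": "CKV_AWS_20", "resource": "aws_s3_bucket.data", "severity": None},
]}})

# Constructed Trivy output: findings grouped per scanned file.
TRIVY_JSON = json.dumps({"Results": [
    {"Target": "s3.tf", "Misconfigurations": [
        {"ID": "AVD-AWS-0088", "Severity": "HIGH"},
        {"ID": "AVD-AWS-0088", "Severity": "HIGH"},
        {"ID": "AVD-AWS-0132", "Severity": "HIGH"},
    ]},
    {"Target": "ec2.tf", "Misconfigurations": [
        {"ID": "AVD-AWS-0107", "Severity": "CRITICAL"},
    ]},
]})

# Constructed stand-in for the identifiers acknowledged in the maintainer's docs.
DOCUMENTED_IDS = {"CKV_AWS_18", "CKV_AWS_20"}


def parse_checkov(raw: str) -> dict:
    """Return {check_id: {"count": n, "severity": s}} from Checkov JSON output."""
    doc = json.loads(raw)
    # Checkov emits a list of per-framework objects when several frameworks run.
    blocks = doc if isinstance(doc, list) else [doc]
    found = {}
    for block in blocks:
        for check in block.get("results", {}).get("failed_checks", []):
            entry = found.setdefault(
                check["check_id"],
                {"count": 0, "severity": check.get("severity") or "UNKNOWN"})
            entry["count"] += 1
    return found


def parse_trivy(raw: str) -> dict:
    """Return {id: {"count": n, "severity": s}} from Trivy JSON output."""
    doc = json.loads(raw)
    found = {}
    for result in doc.get("Results", []):
        for misconf in result.get("Misconfigurations") or []:
            entry = found.setdefault(
                misconf["ID"],
                {"count": 0, "severity": misconf.get("Severity", "UNKNOWN")})
            entry["count"] += 1
    return found


def build_gap_matrix(tool_findings: dict, documented: set) -> dict:
    """Per tool: unique ids, how many are documented upstream, and the
    undocumented remainder broken down by severity."""
    matrix = {}
    for tool, findings in tool_findings.items():
        ids = set(findings)
        undocumented = ids - documented
        matrix[tool] = {
            "total": len(ids),
            "documented": len(ids & documented),
            "undocumented": len(undocumented),
            "undocumented_ids": sorted(undocumented),
            "undocumented_by_severity": Counter(
                findings[i]["severity"] for i in undocumented),
        }
    return matrix


def coverage_summary(tool_findings: dict, documented: set) -> dict:
    """Union across tools: the share of the combined finding surface that no
    upstream documentation acknowledges."""
    all_ids = set().union(*(set(f) for f in tool_findings.values()))
    undocumented = all_ids - documented
    pct = round(100.0 * len(undocumented) / len(all_ids), 1) if all_ids else 0.0
    return {"total_unique": len(all_ids),
            "undocumented_unique": len(undocumented),
            "undocumented_pct": pct}


if __name__ == "__main__":
    tools = {"checkov": parse_checkov(CHECKOV_JSON),
             "trivy": parse_trivy(TRIVY_JSON)}
    for tool, row in build_gap_matrix(tools, DOCUMENTED_IDS).items():
        print(tool, row)
    print(coverage_summary(tools, DOCUMENTED_IDS))
```

Deduplicating on the identifier rather than on (identifier, resource) is what makes the per-tool totals comparable with a documentation list, which is written per check, not per resource; the severity breakdown is kept only for the undocumented remainder, since that is the part a team would have to triage without upstream help.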

Findings: The Numbers

Checkov produced 56 findings. Every single one maps to documented behavior in Bridgecrew’s official documentation. Checkov does exactly what it says.

Trivy produced 125 findings against the same codebase: AVD-AWS-* and aws-* identifiers covering real misconfigurations across S3, IAM, EC2, RDS, and networking resources, at critical and high severity. None of these 125 findings appear in Bridgecrew’s TerraGoat documentation.

Total undocumented findings: 173 out of 243. That is 70% of the actual security surface. The implication is direct: if your team selected Checkov as its primary IaC scanner because it is the “official” tool for TerraGoat and Terraform, you are currently seeing 23% of your exposure. Not because Checkov is broken, but because the documentation does not tell you what it does not cover.

The PQC Layer: What No Standard Scanner Checks

After the Checkov/Trivy comparison, a second analysis was run using pq-audit, focusing exclusively on cryptographic posture. pq-audit found 2 findings that neither Trivy nor Checkov detected at all:

  • BROKEN_NOW: cryptographic algorithms in active use that are already considered broken under current NIST guidance (not future-state — present-state broken)
  • SNDL_VULNERABLE: configurations that make data susceptible to “harvest now, decrypt later” attacks — a documented nation-state tactic where encrypted data is archived today for decryption once quantum computing reaches sufficient scale
  • PQC readiness gaps: absence of migration paths to NIST FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), or FIPS 205 (SLH-DSA) in encryption configuration defined in IaC

Standard IaC scanners model misconfigurations against known CVEs and policy rules. They do not model cryptographic lifetime or quantum-era threat exposure. For most teams in 2026, that gap is invisible.
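To make "modeling cryptographic lifetime" concrete, here is an added example of the kind of check a policy-rule scanner does not run; it is my illustration, not pq-audit's code or rule set. It reads key resources out of a Terraform fragment with a small regex parser, flags RSA below the NIST SP 800-131A floor as BROKEN_NOW, and flags Shor-vulnerable public-key specs as SNDL_VULNERABLE only when Mosca's inequality (data lifetime X plus migration time Y exceeds the CRQC horizon Z) says the data outlives the key. The HCL, the year figures, and the `ML_DSA_65` key-spec value are constructed or assumed; a real deployment would take the data lifetime from classification tags rather than a parameter.

```python
"""Cryptographic-lifetime check over Terraform HCL.

Added example; not pq-audit's code or rule set. It produces the two finding
classes named in the post (BROKEN_NOW, SNDL_VULNERABLE) plus a PQC_READY
marker, using a deliberately small regex parser and Mosca's inequality
X + Y > Z. The HCL, the year figures and the ML_DSA_65 key-spec value are
constructed or assumed.
"""
import re
from dataclasses import dataclass

# Constructed Terraform fragment: one below-minimum RSA key, one RSA-4096 KMS
# key guarding 25-year records, one key whose spec is assumed to be ML-DSA.
SAMPLE_HCL = '''
resource "tls_private_key" "legacy" {
  algorithm = "RSA"
  rsa_bits  = 1024
}

resource "aws_kms_key" "records" {
  description              = "Signs archival records kept for 25 years"
  customer_master_key_spec = "RSA_4096"
  key_usage                = "SIGN_VERIFY"
}

resource "aws_kms_key" "pq" {
  description              = "ML-DSA signing key (assumed key spec value)"
  customer_master_key_spec = "ML_DSA_65"
  key_usage                = "SIGN_VERIFY"
}
'''

# Top-level resource blocks (no nested blocks) and simple `key = value` lines.
BLOCK_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$', re.M)

SHOR_VULNERABLE = re.compile(r"^(RSA_|ECC_)")   # public-key specs Shor breaks
PQC_FAMILIES = ("ML_KEM", "ML_DSA", "SLH_DSA")    # FIPS 203 / 204 / 205
NIST_MIN_RSA_BITS = 2048                          # SP 800-131A Rev. 2 floor


@dataclass
class Finding:
    resource: str
    category: str   # BROKEN_NOW | SNDL_VULNERABLE | PQC_READY
    detail: str


def parse_resources(hcl: str) -> list:
    """Return [(address, type, {attr: value})] for each top-level resource."""
    out = []
    for rtype, name, body in BLOCK_RE.findall(hcl):
        attrs = {k: v.strip() for k, v in ATTR_RE.findall(body)}
        out.append((f"{rtype}.{name}", rtype, attrs))
    return out


def sndl_exposed(data_lifetime_years: int, migration_years: int,
                 crqc_horizon_years: int) -> bool:
    """Mosca's inequality: data that must stay secret for X years, on a system
    that takes Y years to migrate, is exposed if X + Y exceeds the Z-year
    horizon for a cryptographically relevant quantum computer."""
    return data_lifetime_years + migration_years > crqc_horizon_years


def key_spec(rtype: str, attrs: dict) -> str:
    """Normalise tls_private_key and aws_kms_key into one spec string."""
    if rtype == "tls_private_key":
        algo = attrs.get("algorithm", "")
        if algo == "RSA":
            return f"RSA_{attrs.get('rsa_bits', '2048')}"
        if algo == "ECDSA":
            return f"ECC_{attrs.get('ecdsa_curve', 'P256')}"
        return algo
    return attrs.get("customer_master_key_spec", "")


def audit(hcl: str, data_lifetime_years: int, migration_years: int = 3,
          crqc_horizon_years: int = 10) -> list:
    """Lifetime-aware audit; year figures are assumptions to tune per estate."""
    findings = []
    for addr, rtype, attrs in parse_resources(hcl):
        spec = key_spec(rtype, attrs)
        if spec.startswith("RSA_") and int(spec[4:]) < NIST_MIN_RSA_BITS:
            findings.append(Finding(addr, "BROKEN_NOW",
                f"{spec} is below the {NIST_MIN_RSA_BITS}-bit minimum"))
        if spec.startswith(PQC_FAMILIES):
            findings.append(Finding(addr, "PQC_READY", spec))
        elif SHOR_VULNERABLE.match(spec) and sndl_exposed(
                data_lifetime_years, migration_years, crqc_horizon_years):
            findings.append(Finding(addr, "SNDL_VULNERABLE",
                f"{spec} guards {data_lifetime_years}-year data: "
                f"{data_lifetime_years}+{migration_years} > {crqc_horizon_years}"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_HCL, data_lifetime_years=25):
        print(f"{f.category:16} {f.resource:28} {f.detail}")
```

The point the example makes is that the same `RSA_4096` KMS key is a finding or not depending on how long the data it protects must stay confidential: run `audit(SAMPLE_HCL, data_lifetime_years=2)` and the SNDL finding disappears while the RSA-1024 BROKEN_NOW finding remains, which is exactly the dimension a policy-rule scanner has no input for. `SYMMETRIC_DEFAULT` (AES-256) keys are deliberately left alone, since Grover's algorithm only halves their effective strength.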

Why This Research Exists

IaC security tooling is fragmented and documentation is inconsistent. Teams make scanner selection decisions based on vendor marketing, integration convenience, or name recognition — without a clear picture of coverage. This research is not an argument that Checkov is bad or that Trivy is better. Both tools serve their stated purpose. The argument is that comparing tools requires complete data, and that data has not existed publicly until now.

The gap matrix published here can be used to:

  • Benchmark scanner coverage before adoption
  • Justify multi-tool strategies to security leadership
  • Identify categories of exposure that require manual review regardless of tooling

Conclusions

  • No single IaC scanner covers the full finding surface of even a well-known, intentionally vulnerable repository.
  • Documentation gaps are not the same as tool gaps — Trivy finds real issues that simply never got documented upstream.
  • Post-quantum cryptography exposure in IaC is invisible to current-generation scanners. This is not a theoretical future problem: SNDL attacks against long-lived data are active today.
  • Multi-tool strategies are not optional for teams with serious security requirements.

Full research, raw data, and methodology: https://github.com/mk-scorpiosec/research/tree/main/terragoat-2026-04