BicepGoat is Bridgecrew's "Vulnerable by Design" Bicep and ARM repository.

BicepGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

BicepGoat was built to enable DevSecOps design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like Bridgecrew & Checkov, inline-linters, pre-commit hooks or other code scanning methods.

BicepGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.

Where to get help: the Bridgecrew Community Slack

Before you proceed please take a note of these warning:

⚠️ BicepGoat creates intentionally vulnerable Azure resources into your account. DO NOT deploy BicepGoat in a production environment or alongside any sensitive Azure resources.

• BicepGoat - Vulnerable by design Bicep templates
• CDKGoat - Vulnerable by design CDK application
• CfnGoat - Vulnerable by design Cloudformation template
• TerraGoat - Vulnerable by design Terraform stack
• kustomizegoat - Vulnerable by design kustomize deployment

Contribution is welcomed!

We would love to hear about more ideas on how to find vulnerable infrastructure-as-code design patterns.

Bridgecrew builds and maintains BicepGoat to encourage the adoption of policy-as-code.

If you need direct support you can contact us at info@bridgecrew.io.