⚠️ Correction (May 29, 2026): An earlier version of this article stated 173 undocumented findings. The verified count from the raw evidence files is 187 undocumented Trivy findings (243 total − 56 Checkov-documented = 187) plus 2 additional pq-audit findings (separate cryptographic layer). All numbers in this article have been updated. Reference: commit c1405cd . TerraGoat is the canonical vulnerable Terraform repository maintained by Bridgecrew (now Prisma Cloud). It has over 5,000 GitHub stars and is used by security teams worldwide as the benchmark for validating IaC scanners. The premise is straightforward: run your tool against TerraGoat, check how many of the known vulnerabilities it catches. The problem is that the "known vulnerabilities" reference list is incomplete by design — or by oversight. This research quantifies that gap for the first time.…