github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/ec2/add_description_to_security_group_rule.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/ec2/add_description_to_security_group_rule.go (about)

     1  package ec2
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
    11  var CheckAddDescriptionToSecurityGroupRule = rules.Register(
    12  	scan.Rule{
    13  		AVDID:      "AVD-AWS-0124",
    14  		Aliases:    []string{"aws-vpc-add-description-to-security-group-rule"},
    15  		Provider:   providers.AWSProvider,
    16  		Service:    "ec2",
    17  		ShortCode:  "add-description-to-security-group-rule",
    18  		Summary:    "Missing description for security group rule.",
    19  		Impact:     "Descriptions provide context for the firewall rule reasons",
    20  		Resolution: "Add descriptions for all security groups rules",
    21  		Explanation: `Security group rules should include a description for auditing purposes.
    22  
    23  Simplifies auditing, debugging, and managing security groups.`,
    24  		Links: []string{
    25  			"https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html",
    26  		},
    27  		Terraform: &scan.EngineMetadata{
    28  			GoodExamples:        terraformAddDescriptionToSecurityGroupRuleGoodExamples,
    29  			BadExamples:         terraformAddDescriptionToSecurityGroupRuleBadExamples,
    30  			Links:               terraformAddDescriptionToSecurityGroupRuleLinks,
    31  			RemediationMarkdown: terraformAddDescriptionToSecurityGroupRuleRemediationMarkdown,
    32  		},
    33  		CloudFormation: &scan.EngineMetadata{
    34  			GoodExamples:        cloudFormationAddDescriptionToSecurityGroupRuleGoodExamples,
    35  			BadExamples:         cloudFormationAddDescriptionToSecurityGroupRuleBadExamples,
    36  			Links:               cloudFormationAddDescriptionToSecurityGroupRuleLinks,
    37  			RemediationMarkdown: cloudFormationAddDescriptionToSecurityGroupRuleRemediationMarkdown,
    38  		},
    39  		Severity: severity.Low,
    40  	},
    41  	func(s *state.State) (results scan.Results) {
    42  		for _, group := range s.AWS.EC2.SecurityGroups {
    43  			for _, rule := range append(group.EgressRules, group.IngressRules...) {
    44  				if rule.Description.IsEmpty() {
    45  					results.Add(
    46  						"Security group rule does not have a description.",
    47  						rule.Description,
    48  					)
    49  				} else {
    50  					results.AddPassed(&rule)
    51  				}
    52  			}
    53  
    54  		}
    55  		return
    56  	},
    57  )