github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/elb/http_not_used.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/elb/http_not_used.go (about)

     1  package elb
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/elb"
     7  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     8  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     9  	"github.com/khulnasoft-lab/defsec/pkg/state"
    10  )
    11  
    12  var CheckHttpNotUsed = rules.Register(
    13  	scan.Rule{
    14  		AVDID:      "AVD-AWS-0054",
    15  		Provider:   providers.AWSProvider,
    16  		Service:    "elb",
    17  		ShortCode:  "http-not-used",
    18  		Summary:    "Use of plain HTTP.",
    19  		Impact:     "Your traffic is not protected",
    20  		Resolution: "Switch to HTTPS to benefit from TLS security features",
    21  		Explanation: `Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.
    22  
    23  You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.`,
    24  		Links: []string{
    25  			"https://www.cloudflare.com/en-gb/learning/ssl/why-is-http-not-secure/",
    26  		},
    27  		Terraform: &scan.EngineMetadata{
    28  			GoodExamples:        terraformHttpNotUsedGoodExamples,
    29  			BadExamples:         terraformHttpNotUsedBadExamples,
    30  			Links:               terraformHttpNotUsedLinks,
    31  			RemediationMarkdown: terraformHttpNotUsedRemediationMarkdown,
    32  		},
    33  		Severity: severity.Critical,
    34  	},
    35  	func(s *state.State) (results scan.Results) {
    36  		for _, lb := range s.AWS.ELB.LoadBalancers {
    37  			if !lb.Type.EqualTo(elb.TypeApplication) {
    38  				continue
    39  			}
    40  			for _, listener := range lb.Listeners {
    41  				if !listener.Protocol.EqualTo("HTTP") {
    42  					results.AddPassed(&listener)
    43  					continue
    44  				}
    45  
    46  				var hasRedirect bool
    47  				for _, action := range listener.DefaultActions {
    48  					if action.Type.EqualTo("redirect") {
    49  						hasRedirect = true
    50  						break
    51  					}
    52  				}
    53  				if hasRedirect {
    54  					results.AddPassed(&listener)
    55  					break
    56  				}
    57  
    58  				results.Add(
    59  					"Listener for application load balancer does not use HTTPS.",
    60  					listener.Protocol,
    61  				)
    62  			}
    63  		}
    64  		return
    65  	},
    66  )