
     1  package appservice
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
// CheckRequireClientCert is the registered rule that reports Azure App
// Service instances whose EnableClientCert attribute is explicitly false,
// i.e. apps that do not require a client certificate (mutual TLS) from
// callers. Services whose metadata is unmanaged are skipped; every other
// service is recorded as either a failure or a pass.
var CheckRequireClientCert = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0001",
		Provider:    providers.AzureProvider,
		Service:     "appservice",
		ShortCode:   "require-client-cert",
		Summary:     "Web App accepts incoming client certificate",
		Impact:      "Mutual TLS is not being used",
		Resolution:  "Enable incoming certificates for clients",
		Explanation: `The TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled only an authenticated client with valid certificates can access the app.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformRequireClientCertGoodExamples,
			BadExamples:         terraformRequireClientCertBadExamples,
			Links:               terraformRequireClientCertLinks,
			RemediationMarkdown: terraformRequireClientCertRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	// The check walks every App Service in the scanned state and classifies
	// each one. Only an attribute that resolves to false is flagged; an
	// attribute that is unresolved or true counts as a pass.
	func(s *state.State) (results scan.Results) {
		for _, svc := range s.Azure.AppService.Services {
			// Unmanaged resources have no attributes worth evaluating.
			if svc.Metadata.IsUnmanaged() {
				continue
			}
			if !svc.EnableClientCert.IsFalse() {
				// NOTE(review): this passes a pointer to the per-iteration copy;
				// fine as long as AddPassed does not retain it past the iteration
				// (pre-Go 1.22 loop variables are shared) — confirm.
				results.AddPassed(&svc)
				continue
			}
			results.Add(
				"App service does not have client certificates enabled.",
				svc.EnableClientCert,
			)
		}
		return results
	},
)