github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/azure/compute/enable_disk_encryption.go (about) 1 package compute 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/scan" 7 "github.com/khulnasoft-lab/defsec/pkg/severity" 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 ) 10 11 var CheckEnableDiskEncryption = rules.Register( 12 scan.Rule{ 13 AVDID: "AVD-AZU-0038", 14 Provider: providers.AzureProvider, 15 Service: "compute", 16 ShortCode: "enable-disk-encryption", 17 Summary: "Enable disk encryption on managed disk", 18 Impact: "Data could be read if compromised", 19 Resolution: "Enable encryption on managed disks", 20 Explanation: `Manage disks should be encrypted at rest. When specifying the <code>encryption_settings</code> block, the enabled attribute should be set to <code>true</code>.`, 21 Links: []string{ 22 "https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption", 23 }, 24 Terraform: &scan.EngineMetadata{ 25 GoodExamples: terraformEnableDiskEncryptionGoodExamples, 26 BadExamples: terraformEnableDiskEncryptionBadExamples, 27 Links: terraformEnableDiskEncryptionLinks, 28 RemediationMarkdown: terraformEnableDiskEncryptionRemediationMarkdown, 29 }, 30 Severity: severity.High, 31 }, 32 func(s *state.State) (results scan.Results) { 33 for _, disk := range s.Azure.Compute.ManagedDisks { 34 if disk.Metadata.IsUnmanaged() { 35 continue 36 } 37 if disk.Encryption.Enabled.IsFalse() { 38 results.Add( 39 "Managed disk is not encrypted.", 40 disk.Encryption.Enabled, 41 ) 42 } else { 43 results.AddPassed(&disk) 44 } 45 } 46 return 47 }, 48 )