github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/azure/compute/no_secrets_in_custom_data.go (about)

     1  package compute
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  	"github.com/owenrumney/squealer/pkg/squealer"
    10  )
    11  
    12  var scanner = squealer.NewStringScanner()
    13  
    14  var CheckNoSecretsInCustomData = rules.Register(
    15  	scan.Rule{
    16  		AVDID:       "AVD-AZU-0037",
    17  		Provider:    providers.AzureProvider,
    18  		Service:     "compute",
    19  		ShortCode:   "no-secrets-in-custom-data",
    20  		Summary:     "Ensure that no sensitive credentials are exposed in VM custom_data",
    21  		Impact:      "Sensitive credentials in custom_data can be leaked",
    22  		Resolution:  "Don't use sensitive credentials in the VM custom_data",
    23  		Explanation: `When creating Azure Virtual Machines, custom_data is used to pass start up information into the EC2 instance. This custom_dat must not contain access key credentials.`,
    24  		Links:       []string{},
    25  		Terraform: &scan.EngineMetadata{
    26  			GoodExamples:        terraformNoSecretsInCustomDataGoodExamples,
    27  			BadExamples:         terraformNoSecretsInCustomDataBadExamples,
    28  			Links:               terraformNoSecretsInCustomDataLinks,
    29  			RemediationMarkdown: terraformNoSecretsInCustomDataRemediationMarkdown,
    30  		},
    31  		Severity: severity.Medium,
    32  	},
    33  	func(s *state.State) (results scan.Results) {
    34  		for _, vm := range s.Azure.Compute.LinuxVirtualMachines {
    35  			if vm.Metadata.IsUnmanaged() {
    36  				continue
    37  			}
    38  			if result := scanner.Scan(vm.CustomData.Value()); result.TransgressionFound {
    39  				results.Add(
    40  					"Virtual machine includes secret(s) in custom data.",
    41  					vm.CustomData,
    42  				)
    43  			} else {
    44  				results.AddPassed(&vm)
    45  			}
    46  		}
    47  		for _, vm := range s.Azure.Compute.WindowsVirtualMachines {
    48  			if vm.Metadata.IsUnmanaged() {
    49  				continue
    50  			}
    51  			if result := scanner.Scan(vm.CustomData.Value()); result.TransgressionFound {
    52  				results.Add(
    53  					"Virtual machine includes secret(s) in custom data.",
    54  					vm.CustomData,
    55  				)
    56  			} else {
    57  				results.AddPassed(&vm)
    58  			}
    59  		}
    60  		return
    61  	},
    62  )